Sep 01 2023 09:22 AM
For some reason the Zscaler data connector does not have a destination IP column in the logs. The destination IP is buried in the "AdditionalExtensions" column and this is causing an issue.
Is it possible to somehow parse the data in the "AdditionalExtensions" field and populate a column named "DestinationIP" with the IP in there?
Sep 02 2023 06:44 AM
You can use Parse or Extend for this, one example:
CommonSecurityLog
| project AdditionalExtensions
| parse AdditionalExtensions with *'=' DestinationIP ';'*
However the built-in Parsers (ASIM) also do this, depending on the product you have.
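An added example, not part of the reply above: extracting the value by key name instead of by position, so the result stays correct when the destination IP is not the first pair in "AdditionalExtensions", and validating it before it lands in the column. The key name destinationIP, the ';'-separated key=value layout and the sample rows are assumptions constructed for illustration; check a real record for the actual key.

```kql
// Constructed sample rows standing in for CommonSecurityLog.
// The key name "destinationIP" is hypothetical; replace it with the key
// that appears in your own AdditionalExtensions values.
let SampleLogs = datatable(TimeGenerated:datetime, AdditionalExtensions:string)
[
    datetime(2023-09-01 09:00:00), "reason=Allowed;destinationIP=203.0.113.10;cat=Business",
    datetime(2023-09-01 09:01:00), "destinationIP=198.51.100.7;reason=Blocked",
    datetime(2023-09-01 09:02:00), "reason=Allowed;cat=Business",
    datetime(2023-09-01 09:03:00), "reason=Allowed;destinationIP=not-an-ip"
];
SampleLogs
// Anchor on start-of-string or ';' so a longer key ending in the same
// name cannot match, and capture everything up to the next ';'.
| extend RawDestinationIP = extract(@"(?:^|;)destinationIP=([^;]*)", 1, AdditionalExtensions)
// parse_ipv4() returns null for anything that is not a valid IPv4 address,
// so missing or malformed values end up as an empty DestinationIP.
| extend DestinationIP = iff(isnotnull(parse_ipv4(RawDestinationIP)), RawDestinationIP, "")
| project TimeGenerated, DestinationIP, AdditionalExtensions
```

To run it against live data, swap SampleLogs for CommonSecurityLog and add a filter on the vendor or product columns so only the relevant records are parsed.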
Sep 05 2023 08:11 AM