Microsoft Tech Community

Extract from syslog


Hello, can someone please help me with an extract regex expression?

I have a syslog message that has this structure:

1692086254.870677475 XXXXXX flows src=XXXX dst=XXXXX protocol=tcp sport=58296 dport=445 pattern: allow all

1692086279.965148294 XXXXflows src=XXXXX dst=XXXXX mac=00:XXXXX:XX protocol=udp sport=56182 dport=53 pattern: allow (dst && (src

1692087314.799126634 XXXXflows src=XXX dst=XXX protocol=tcp sport=443 dport=65472 pattern: deny all

I would need to extract only the pattern value, allow or deny. I was thinking of something like


|extend pattern = extract(@'pattern: \"[A-Za-z]+ \"', 1, SyslogMessage),


but it does not work as expected. Can you please help me? Basically it will always be prefixed with pattern: and then allow or deny and a space.




| where has("pattern") and (tostring(dynamic(["allow", "deny"]) in tostring(pattern)))
| project Timestamp, src, dst, protocol, sport, dport, pattern





Unfortunately it does not work for me:

Query could not be parsed at 'has' on line [2,8] Token: has Line: 2 Position: 8 Request id: 2e66e81d-d5e5-412c-9130-6d27512cd854


best response confirmed by Marek Stelcik (Copper Contributor)
This works
pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage),
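The accepted regex run as a complete query over constructed rows, as an added example that is not part of the thread. The table name SampleSyslog, the timestamps, hosts and addresses are assumptions standing in for the real Syslog table; the fourth row adds a quoted value to show why the `\"?` parts of the regex matter, and the fifth row has no pattern field at all.

```kql
// Constructed rows standing in for the Syslog table (assumed values, not real data)
let SampleSyslog = datatable(TimeGenerated: datetime, SyslogMessage: string)
[
    datetime(2023-08-15T07:57:34Z), "1692086254.870677475 fw01 flows src=10.0.0.5 dst=10.0.0.9 protocol=tcp sport=58296 dport=445 pattern: allow all",
    datetime(2023-08-15T07:57:59Z), "1692086279.965148294 fw01 flows src=10.0.0.5 dst=10.0.0.53 mac=00:11:22:33:44:55 protocol=udp sport=56182 dport=53 pattern: allow (dst && (src",
    datetime(2023-08-15T08:15:14Z), "1692087314.799126634 fw01 flows src=10.0.0.9 dst=10.0.0.5 protocol=tcp sport=443 dport=65472 pattern: deny all",
    datetime(2023-08-15T08:15:20Z), "1692087320.000000000 fw01 flows src=10.0.0.9 dst=10.0.0.5 protocol=tcp sport=443 dport=65472 pattern: \"deny\" all",
    datetime(2023-08-15T08:15:25Z), "1692087325.000000000 fw01 flows src=10.0.0.9 dst=10.0.0.5 protocol=tcp sport=443 dport=65472 no pattern here"
];
SampleSyslog
// Capture group 1 is the word after "pattern: ", with optional surrounding quotes.
// The verbatim @'...' literal keeps the backslashes, so the regex engine sees \"?(\w+)\"?
| extend pattern = extract(@'pattern: \"?(\w+)\"?', 1, SyslogMessage)
// extract() returns an empty string when there is no match, so rows without a
// pattern field are dropped here instead of being reported as neither allow nor deny.
| where isnotempty(pattern)
// The other key=value fields are pulled out the same way; \S+ stops at the next space
// and \d+ lets the ports be cast to integers for range filters.
| extend src      = extract(@'src=(\S+)', 1, SyslogMessage),
         dst      = extract(@'dst=(\S+)', 1, SyslogMessage),
         protocol = extract(@'protocol=(\w+)', 1, SyslogMessage),
         sport    = toint(extract(@'sport=(\d+)', 1, SyslogMessage)),
         dport    = toint(extract(@'dport=(\d+)', 1, SyslogMessage))
// Example use: only the denied flows, which is what a detection rule would typically alert on
| where pattern == "deny"
| project TimeGenerated, src, dst, protocol, sport, dport, pattern
```

With these rows the query returns the third and fourth rows (both deny); the allow rows are filtered out and the row with no pattern field never reaches the filter because its extracted value is empty.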