Oct 31 2022 03:14 AM
Hi Guys,
I am adding a new column in the CommonSecurityLog table, but I am having an issue with the KQL query. Please help me. These are Palo Alto related logs. As the "cat" field is in both Threat and System, it is going to overlap. That's why I have to run the query with an "OR" operator so the Threat "cat" field will not overlap with the System "cat" field. Please help me.
CommonSecurityLog
| where Activity in ("TRAFFIC", "THREAT", "SYSTEM")
| extend SessionEndReason_CF = extract('reason=([^;]+)', 1, AdditionalExtensions)
| extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)', 1, AdditionalExtensions)
// "cat" exists in both THREAT and SYSTEM events, so branch on Activity ("OR" the two cases)
// instead of applying two separate "where" filters, which would return no rows
| extend ThreatContentName_CF = iff(Activity in ("TRAFFIC", "THREAT"), extract('cat=([^;]+)', 1, AdditionalExtensions), "")
| extend EventID_CF = iff(Activity == "SYSTEM", extract('cat=([^;]+)', 1, AdditionalExtensions), "")
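The following is an added, self-contained example (not part of the original post) that reproduces the problem above without needing a live CommonSecurityLog table: a constructed datatable mimics the Activity and AdditionalExtensions columns of Palo Alto CEF events, and case() routes the shared "cat" value into a different custom column depending on Activity, so Threat and System values never land in the same column. Column names ending in _CF follow the post; the sample values are made up.

```kusto
// Added example, not from the original post. Constructed rows that mimic the
// Activity / AdditionalExtensions shape of Palo Alto CEF events in CommonSecurityLog.
let SampleLogs = datatable(TimeGenerated:datetime, Activity:string, AdditionalExtensions:string)
[
    datetime(2022-10-31 03:00:00), "THREAT",  "PanOSThreatCategory=spyware;cat=Suspicious DNS Query;reason=threat",
    datetime(2022-10-31 03:01:00), "TRAFFIC", "reason=aged-out;cat=allow",
    datetime(2022-10-31 03:02:00), "SYSTEM",  "cat=auth-success;reason=n/a",
    datetime(2022-10-31 03:03:00), "SYSTEM",  "cat=ha-state-change"
];
SampleLogs
| where Activity in ("TRAFFIC", "THREAT", "SYSTEM")
// extract the shared "cat" value once, then decide per row which column receives it
| extend Cat_raw = extract('cat=([^;]+)', 1, AdditionalExtensions)
| extend ThreatContentName_CF = case(Activity in ("TRAFFIC", "THREAT"), Cat_raw, "")
| extend EventID_CF           = case(Activity == "SYSTEM", Cat_raw, "")
// session end reason only makes sense for traffic/threat sessions
| extend SessionEndReason_CF  = case(Activity in ("TRAFFIC", "THREAT"),
                                      extract('reason=([^;]+)', 1, AdditionalExtensions), "")
| extend thr_category_CF      = extract('PanOSThreatCategory=([^;]+)', 1, AdditionalExtensions)
| project-away Cat_raw
| project TimeGenerated, Activity, ThreatContentName_CF, EventID_CF, SessionEndReason_CF, thr_category_CF
```

To apply this to real data, replace SampleLogs with CommonSecurityLog and drop the let statement; the case() branches are what keep the two meanings of "cat" apart, so the original filter on Activity stays a single "in" clause rather than two contradictory "where" lines.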
Oct 31 2022 06:35 AM
Oct 31 2022 06:53 AM
@akshay250692 in what way, please explain?
Oct 31 2022 07:03 AM
Oct 31 2022 07:04 AM
works for me, unless akshay was expecting another result.
(I don't have system logs coming in so an empty column is expected)
Oct 31 2022 07:10 AM
Oct 31 2022 07:30 AM