Nov 06 2020 05:44 AM - edited Nov 06 2020 05:45 AM
Hi everyone!
A while ago I posted about how I wrote a function for extracting fields from Cisco Meraki.
I've started sharing my work on my github, https://github.com/jkatzmandu/sentinel_tricks
The function I came up with works reasonably well, but it does not work on some event types, so I'm working to expand and fix the function. The problem, as with most logs, is that they are not consistent. With Meraki there are times when source and destination are given with the following format:
src=10.0.0.2 dst=1.2.3.4 sport=35323 dport=443
and sometimes
src=10.0.0.2:35323 dst=1.2.3.4:443
So using some regex I have:
extend Dst_Port = extract(@'dport=\"?(\d+)\"?', 1, RawData)
[ this works on its own ]
OR
extend Dst_Port = extract(@'dst=\d+\.\d+\.\d+\.\d+\:(\d+)', 1, RawData)
[ this works on its own ]
Because the data is variable, I try to use an "iff" function:
Dst_Port = iff(isnull( extract(@'dport=\"?(\d+)\"?', 1, RawData) ), extract(@'dst=\d+\.\d+\.\d+\.\d+\:(\d+)', 1, RawData), extract(@'dport=\"?(\d+)\"?', 1, RawData) ),
My problem is that if the following extract/regex doesn't match:
extract(@'dport=\"?(\d+)\"?', 1, RawData)
the "extract" function doesn't seem to be returning a null. Per the documentation, it should!
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/extractfunction
I've run a few tests. If I run this:
Meraki_CL | where RawData contains "security_event" | extend Dst_Port = iff(isnull( extract(@'dport=\"?(\d+)\"?', 1, RawData) ), extract(@'dst=\d+\.\d+\.\d+\.\d+\:(\d+)', 1, RawData), extract(@'dport=\"?(\d+)\"?', 1, RawData) ), Dst_Test = extract(@'dst=\d+\.\d+\.\d+\.\d+\:(\d+)', 1, RawData), Null_Test = extract(@'dport=\"?(\d+)\"?', 1, RawData) | where isnull(Null_Test)
It fails. If I change the last "where" clause to read " Null_Test == "" " it works!
So is this broken?
Thanks!
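An added example, not from the original post, showing one way to fold both Meraki layouts into a single port column. The sample rows are constructed and their field order is only assumed. The approach rests on a documented KQL property: string values are never null, so isnull() is always false on a string column, and an extract() that does not match yields an empty string that isempty() and coalesce() recognise.

```kusto
// Constructed sample rows in both layouts described above (not real log data; field order assumed)
let Sample = datatable(RawData: string) [
    "security_event ids_alerted src=10.0.0.2 dst=1.2.3.4 sport=35323 dport=443",
    "security_event ids_alerted src=10.0.0.2:35323 dst=1.2.3.4:443",
    "security_event ids_alerted message=no port fields in this row"
];
Sample
// Each extract() returns "" (not null) when its pattern does not match the row
| extend DportField = extract(@'dport=\"?(\d+)\"?', 1, RawData),
         DstSuffix  = extract(@'dst=\d+\.\d+\.\d+\.\d+:(\d+)', 1, RawData)
// isempty() is the string-aware test; isnull() would be false for both columns
| extend Dst_Port = iff(isempty(DportField), DstSuffix, DportField)
// Equivalent and shorter: coalesce() skips empty strings when its arguments are strings
| extend Dst_Port2 = coalesce(DportField, DstSuffix)
// Or a single RE2 pattern: alternation inside a non-capturing group, one capture for the port
| extend Dst_Port3 = extract(@'(?:dport=\"?|dst=\d+\.\d+\.\d+\.\d+:)(\d+)', 1, RawData)
// Flag rows where neither layout matched so they are reviewed rather than silently dropped
| extend PortParsed = isnotempty(Dst_Port3)
| project RawData, Dst_Port, Dst_Port2, Dst_Port3, PortParsed
```

Run against the constructed rows, the first two rows yield 443 in all three columns and the third yields an empty string with PortParsed = false; the same `isempty()` test is the one to use in a trailing `where` clause when hunting for event types the parser does not yet cover.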
Nov 09 2020 02:39 AM