Kusto - How to identify content from array of regex

Occasional Contributor



I want to create an alert, that given an input, will validate the input content match at least one of the regex from a given structure (array/list/etc'...)

How can I do that? Example will help...



4 Replies

Hi, no...

Since here you check if there is a match to 1 regex.

I want to validate match against list of regexes.



This example one will match multiple regex against a column (it's using "not", so asking for where they don't match but you can edit)


You can see a short version here, which will match either regex to the column:

Go to Log Analytics and run query

where EventID==4688
where NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\DismHost\.exe" or //you can use "and" instead of "or"
        NewProcessName matches regex @"\\Windows\\Temp\\[0-9A-Za-z-]*\\MpSigStub\.exe"
summarize count() by NewProcessName
NewProcessName count_
C:\Windows\Temp\3EB27418-1D7E-487F-87C2-5FA574848368\DismHost.exe 1
C:\Windows\Temp\B5572FE3-E791-4968-8F3E-EF77ED75459E\DismHost.exe 1
C:\Windows\Temp\FFBB967A-F90C-4950-88EF-1386D25C7EBC\DismHost.exe 1



The "or" option definitely gives the solution.
In my head I thought of more classic solution using loop/while instead of multiple "or".
It does the job, thanks!