Microsoft Tech Community

Need Help With Sentinel Regex


Hi Team,

I am trying to capture the following text, and when I write this query in Regex101 it does capture, but in Sentinel it is not capturing. I know we need to use the "extend" command as well, but I am just wondering how I can use a REGEX command in Sentinel, or whether there is any resource I can follow going forward for Sentinel regex, as I do need to extract data from multiple sources. Any help would be appreciated.

ACTUAL TEXT: [ TIME_GENERATED = 1634230921 ] [ RECORD_NUMBER = 1957461798 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = HOUDOM ]


Query I wrote in REGEX101: \D\sRECORD_NUMBER\s\W\s(\d)+\s\D

1 Reply

@msef280 

If you want to extract multiple columns from a single string (which I think is what you want to do), you could use the parse command:

// Each parse pulls one field out of the string. The string literals include the
// surrounding spaces so the new columns are not padded with whitespace.
| parse ACTUALTEXT with * "TIME_GENERATED = " Time " ]" *
| parse ACTUALTEXT with * "RECORD_NUMBER = " RecordNumber " ]" *
| parse ACTUALTEXT with * "EVENT_TYPE = " EventType " ]" *

This should return three new columns called Time, RecordNumber and EventType.
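A worked KQL query, added here as an example and not part of the original question or reply, that runs the approaches side by side on a constructed copy of the sample line. In Kusto there is no standalone regex command: a regex is applied through the extract() or extract_all() functions (or the matches regex operator), and the result is assigned to a new column with extend. The column name ACTUALTEXT is assumed from the reply; the datatable row is constructed from the sample in the question. Kusto regexes use RE2 syntax, so lookbehind and backreferences are not available.

```kql
// Constructed sample row. In a real workspace replace this datatable with the table
// that holds the message; ACTUALTEXT is the column name assumed from the reply above.
datatable(ACTUALTEXT:string)
[
    "[ TIME_GENERATED = 1634230921 ] [ RECORD_NUMBER = 1957461798 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = HOUDOM ]"
]
// 1. extract(regex, captureGroup, source [, typeof(type)]).
//    The pattern from the question runs unchanged, but because the + quantifier sits
//    outside the group, group 1 holds only the last repetition: a single digit ("8").
| extend LastDigitOnly = extract(@"\D\sRECORD_NUMBER\s\W\s(\d)+\s\D", 1, ACTUALTEXT)
//    With the quantifier inside the group the whole number is captured; typeof(long) casts it.
| extend RecordNumber = extract(@"RECORD_NUMBER = (\d+)", 1, ACTUALTEXT, typeof(long))
// 2. parse: positional string literals with typed columns, no regex. Fastest choice when
//    the layout is fixed, and every field comes out in one statement.
| parse ACTUALTEXT with "[ TIME_GENERATED = " TimeGenerated:long " ] [ RECORD_NUMBER = " RecordNumberParsed:long " ] [ EVENT_TYPE = " EventType:int " ] [ EVENT_TYPE_TEXT = " EventTypeText:string " ] [ DOMAIN = " Domain:string " ]" *
// 3. extract_all(): every "[ KEY = VALUE ]" pair as a dynamic array of [key, value] arrays,
//    for sources where the set of fields varies from record to record.
| extend Pairs = extract_all(@"\[ (\w+) = ([^\]]+?) \]", ACTUALTEXT)
// The timestamp is Unix epoch seconds; convert it to a datetime for time-based filtering.
| extend TimeGeneratedUtc = unixtime_seconds_todatetime(TimeGenerated)
| project LastDigitOnly, RecordNumber, RecordNumberParsed, TimeGeneratedUtc, EventType, EventTypeText, Domain, Pairs
```

Paste the query into the Logs blade of the Sentinel workspace to see all three results on one row. The @"..." verbatim string form keeps backslashes literal, so regex escapes such as \d do not have to be doubled; when the fields are needed in a detection rule, prefer parse or extract() with typeof() so the columns arrive typed rather than as padded strings.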