2

I'm working on extracting an email address from the additionalextensions column in Sentinel. I've found a regex that works perfectly in a calculator, extracting everything after a colon (:) up to a semicolon followed by the letter s (;s). However, it does not work in Kusto, I suspect because it's using a lookback?

Below is the regex that worked in the calculator:

(?<=:).*(?=;s)

This is data from one of the logs:

cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600

When using the calculator, it returns the below:

email.address@test.org.uk

However, when trying to use this in Kusto, it returns the original data. Is anyone able to come up with a way I can achieve this in KQL?

Wiktor Stribiżew
Con

1 Answer

2

extracting everything after a colon (:) up to a semicolon followed by the latter s (;s).

You don't have to use a regular expression.

For instance, using the parse operator:

print input = 'cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600'
| parse input with * ":" email_address ";s" *
input email_address
cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600 email.address@test.org.uk
Yoni L.
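As an added example (not part of the answer above), the same extraction run over a few constructed rows shaped like the question's additionalextensions string, alongside a regex version that works in KQL: the engine behind Kusto's regex functions is RE2, which has no lookbehind or lookahead, so a plain capture group replaces `(?<=:)` and `(?=;s)`. The column name and the email values are assumptions.

```kql
// Added example, not from the original answer. Constructed rows shaped like
// the question's additionalextensions value; the addresses are made up.
datatable(AdditionalExtensions: string) [
    'cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600',
    'cat=EXFILTRATION;account=O365:second.user@test.org.uk;start=1659975197000;end=165997519700',
    'cat=EXFILTRATION;account=O365;start=1659975198000;end=165997519800'   // no address present
]
// Same approach as the answer: anchor on literal delimiters, no regex needed.
// Anchoring on "account=O365:" rather than the first ":" keeps the match tied
// to the field we actually want.
| parse AdditionalExtensions with * "account=O365:" email_by_parse ";" *
// Regex route: a capture group instead of lookaround, which RE2 does not support.
| extend email_by_regex = extract(@"account=O365:([^;]+);", 1, AdditionalExtensions)
// Rows with no address yield an empty string from both methods; flag them so
// downstream logic does not treat "" as a valid account.
| extend has_email = isnotempty(email_by_parse)
| project AdditionalExtensions, email_by_parse, email_by_regex, has_email
```

The first two rows return the address from both columns; the third returns empty strings and has_email = false.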