I'm working on extracting an email address from the additionalextensions column in Sentinel. I've found a regex that works perfectly in a calculator, extracting everything after a colon (:) up to a semicolon followed by the letter s (;s). However, it does not work in Kusto, I suspect because it's using a lookbehind?
Below is the regex that worked in the calculator:
(?<=:).*(?=;s)
This is data from one of the logs:
cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600
When using the calculator, it returns the below:
email.address@test.org.uk
However, when trying to use this in Kusto, it returns the original data. Is anyone able to come up with a way I can achieve this in KQL?
extracting everything after a colon (:) up to a semicolon followed by the letter s (;s).
you don't have to use a regular expression.
for instance, using the parse operator:
print input = 'cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600'
| parse input with * ":" email_address ";s" *
| input | email_address |
|---|---|
| cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600 | email.address@test.org.uk |
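Added example, not part of the original question or answer: the same extraction run over several constructed rows, side by side with a regex alternative. Kusto's regex engine is RE2, which does not support the lookbehind `(?<=:)` or lookahead `(?=;s)` from the calculator pattern, so the regex route in KQL is `extract()` with a capture group instead. The `AdditionalExtensions` column name follows the question; the table and its rows are constructed for illustration.

```kql
// Added example (not from the original post). Rows are constructed;
// the third one deliberately carries no email so both methods show
// their behaviour on a non-matching line.
let Sample = datatable(AdditionalExtensions: string) [
    'cat=EXFILTRATION;account=O365:email.address@test.org.uk;start=1659975196000;end=165997519600',
    'cat=EXFILTRATION;account=O365:second.user@test.org.uk;start=1659975200000;end=165997520000',
    'cat=OTHER;account=none;start=1659975300000;end=165997530000'
];
Sample
// RE2 has no lookaround: capture the text between ':' and ';s' with a group
// and ask extract() for group 1. [^;]+ stops at the first ';', so the match
// cannot run past the account field on a longer line.
| extend email_regex = extract(@":([^;]+);s", 1, AdditionalExtensions)
// The parse operator from the answer above, applied to every row.
| parse AdditionalExtensions with * ":" email_parse ";s" *
| project AdditionalExtensions, email_regex, email_parse
```

On the first two rows both columns hold the address; on the third, `extract()` returns an empty string and `parse` leaves `email_parse` empty. If non-matching rows should be dropped rather than kept with empty values, `parse-where` takes the same pattern as `parse` and filters them out.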