
Commit bf180ae

committed
Changed code sample to screenshot
1 parent 2f0fea6 commit bf180ae


2 files changed

+2
-41
lines changed


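--- a/articles/sentinel/unified-connector-custom-device.md
+++ b/articles/sentinel/unified-connector-custom-device.md
@@ -260,48 +260,9 @@ Follow these steps to ingest log messages from JuniperIDP:
 source | parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata | extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata) | extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata) | extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata) | extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata) | extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata) | extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata) | extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata) | extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata) | extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata) | extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata) | extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata) | extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata) | extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata) | extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata) | extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata) | extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata) | extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata) | extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata) | extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata) | extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata) | extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata) | extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata) | extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata) | extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata) | extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata) | extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata) | extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata) | extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata) | extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata) | extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata) | extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata) | extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata) | extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata) | extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata) | extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata) | project-away RawData
 ```
 
-The following screenshot shows the complete query in a more readable format:
+The following screenshot shows the complete query in the preceding example in a more readable format:
 
-```kusto
-source
-| parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata
-| extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata)
-| extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata)
-| extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata)
-| extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata)
-| extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata)
-| extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata)
-| extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata)
-| extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata)
-| extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata)
-| extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata)
-| extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata)
-| extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata)
-| extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata)
-| extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata)
-| extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata)
-| extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata)
-| extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata)
-| extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata)
-| extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata)
-| extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata)
-| extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata)
-| extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata)
-| extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata)
-| extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata)
-| extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata)
-| extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata)
-| extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata)
-| extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata)
-| extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata)
-| extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata)
-| extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata)
-| extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata)
-| extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata)
-| extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata)
-| extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata)
-| project-away RawData
-```
+:::image type="content" source="media/unified-connector-custom-device/kusto-query-screenshot.png" alt-text="Screenshot showing expanded Kusto query with line breaks for readability.":::
 
 See more information on the following items used in the preceding examples, in the Kusto documentation:
 - [***parse*** operator](/kusto/query/parse-operator?view=microsoft-sentinel&preserve-view=true)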
