regextract - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language regextract() function that uses regular expressions to assemble an array of matching substrings from a string.

Syntax

regextract (<string_value>, <pattern>)

Description

The regextract() function accepts a string and a regular expression, and it returns an array containing substrings that match the expression.

XQL uses RE2 for its regular expression implementation. Capturing multiple groups is unsupported. To use case-insensitive mode in your query, add the (?i) syntax only once, at the beginning of the inline regular expression.

Note

Capturing multiple groups is supported in Parsing Rules when using the regexcapture function.

Examples

Extract the Account Name from the action_evtlog_message. Use the arrayindex and split functions to extract the actual account name from the array created by regextract.

dataset = xdr_data 
| fields action_evtlog_message as aem 
| filter aem != null 
| alter account_name = 
    arrayindex(
        split(
            arrayindex(
                regextract(aem, "Account Name:\t\t.*\r\n")
            ,0)
        , ":")
    ,1) 
| filter account_name != null 
| limit 10
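
An offline model of the extraction chain above, added here as an example and not taken from the Cortex XDR documentation or product code. Go's regexp package accepts RE2 syntax, so it is used to prototype the pattern against a constructed event message. It shows that the array holds one element per matching line and that the piece after the split still carries the tabs and CRLF. The helper names (regextractModel, accountName) and the sample message are assumptions, and XQL is assumed to behave as this page describes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample laid out like a Windows logon event message: tab-aligned
// fields, CRLF line endings, and two "Account Name:" lines.
const sampleMsg = "An account was successfully logged on.\r\n\r\n" +
	"Subject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tWKSTN01$\r\n\r\n" +
	"New Logon:\r\n\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\r\n\tAccount Name:\t\talice\r\n"

// The pattern from the page's query; the RE2 engine interprets \t, \r and \n.
const pagePattern = `Account Name:\t\t.*\r\n`

// regextractModel is a hypothetical stand-in for regextract() as the page
// describes it: an array of the substrings of s that match pattern.
func regextractModel(s, pattern string) []string {
	return regexp.MustCompile(pattern).FindAllString(s, -1)
}

// accountName mirrors arrayindex(split(arrayindex(matches, idx), ":"), 1).
// raw is the split piece as-is, clean has surrounding whitespace removed, and
// ok is false when either array index is out of range.
func accountName(msg, pattern string, idx int) (raw, clean string, ok bool) {
	matches := regextractModel(msg, pattern)
	if idx < 0 || idx >= len(matches) {
		return "", "", false
	}
	parts := strings.Split(matches[idx], ":")
	if len(parts) < 2 {
		return "", "", false
	}
	return parts[1], strings.TrimSpace(parts[1]), true
}

func main() {
	for i, m := range regextractModel(sampleMsg, pagePattern) {
		raw, clean, _ := accountName(sampleMsg, pagePattern, i)
		fmt.Printf("match %d: %q -> raw %q, trimmed %q\n", i, m, raw, clean)
	}
	// (?i) appears once, at the start of the pattern, as the page requires.
	fmt.Println(len(regextractModel(sampleMsg, `(?i)account name:\t\t.*\r\n`)))
}
```

In this constructed message, index 0 is the Subject block's account and index 1 is the New Logon account, so the index chosen decides which field an analyst ends up filtering on.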