KQL extend command does not seem to work in workbook
Hi all,
I have an issue with the extend command in a custom workbook.
The following KQL query parses Palo Alto logs to extract specific fields (like PanOSSourceUserName, etc.) and creates new columns (with the same names).
CommonSecurityLog
| where DeviceProduct == "PAN-OS"
| where DeviceEventClassID == "GLOBALPROTECT"
| extend PanOSSourceUserName=extract("PanOSSourceUserName=([A-Z,a-z.]+@+[A-Z,a-z.]+)",0,AdditionalExtensions)
| extend PanOSSourceRegion=extract("PanOSSourceRegion=([A-Z,a-z.]+)",0,AdditionalExtensions)
| extend PanOSPublicIPv4=extract("PanOSPublicIPv4=([0-9.]+)",0,AdditionalExtensions)
| project-away ExtID, LogSeverity, Activity
When I run this KQL query against the logs (Sentinel Dashboard -> General -> Logs), I get the expected result.
If I edit a Workbook (then Add query) and run the same KQL query, the new columns (like PanOSSourceUserName, etc.) are not created!
Is it normal?
Any idea?
Regards,
HA
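As an added example (not part of the original post, and not an answer to the workbook question itself), here is the same extraction run against a small constructed datatable instead of CommonSecurityLog, so the extract() behaviour can be checked in the Logs blade without any PAN-OS data. The sample AdditionalExtensions strings, the tightened character classes and the use of capture group 1 are assumptions made for the example; they are not the original query.

```kql
// Added example, not from the original post: a constructed datatable that
// mimics the three CommonSecurityLog columns the query above relies on.
let SampleLogs = datatable(DeviceProduct:string, DeviceEventClassID:string, AdditionalExtensions:string)
[
  "PAN-OS", "GLOBALPROTECT", "PanOSSourceUserName=alice@example.com;PanOSSourceRegion=eu-west;PanOSPublicIPv4=203.0.113.7",
  "PAN-OS", "GLOBALPROTECT", "PanOSSourceRegion=us-east;PanOSPublicIPv4=198.51.100.9",  // constructed: no user name present
  "PAN-OS", "TRAFFIC",       "PanOSSourceUserName=bob@example.com"                       // constructed: filtered out by the where
];
SampleLogs
| where DeviceProduct == "PAN-OS"
| where DeviceEventClassID == "GLOBALPROTECT"
// Capture group 1 returns only the value after "key=". Capture group 0, as used
// in the post, returns the whole match, so the column would also carry the
// "PanOSSourceUserName=" prefix.
| extend PanOSSourceUserName = extract(@"PanOSSourceUserName=([A-Za-z0-9._-]+@[A-Za-z0-9.-]+)", 1, AdditionalExtensions)
| extend PanOSSourceRegion   = extract(@"PanOSSourceRegion=([A-Za-z0-9.-]+)", 1, AdditionalExtensions)
| extend PanOSPublicIPv4     = extract(@"PanOSPublicIPv4=([0-9.]+)", 1, AdditionalExtensions)
// extract() yields an empty/null value when the key is absent from the row,
// which isempty() detects; surfacing that explicitly makes gaps visible
// instead of silently leaving a blank cell.
| extend UserNameMissing = isempty(PanOSSourceUserName)
| project PanOSSourceUserName, PanOSSourceRegion, PanOSPublicIPv4, UserNameMissing
```

Pasting this into the Logs blade returns two rows: the first with all three values filled and UserNameMissing = false, the second with an empty PanOSSourceUserName and UserNameMissing = true. Because the extend columns are produced by the query text itself, the same query can be pasted into a Workbook query step to compare which columns the workbook grid shows against what the Logs blade shows.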