KQL - what does @ stand for in regex extraction

Georgi Palazov 286 Reputation points
2022-06-27T12:49:31.223+00:00

Hello,

I want to extract some data from a SyslogMessage and i'm doing fine with the following

Syslog
| where SyslogMessage contains '<EPOevent>'
or ProcessName contains 'EPOEvents'
| extend EPO_Thread_ID = extract(@"\S<ThreatEventID>(.?)<", 1, SyslogMessage)
| extend EPO_Target_Process = extract (@"\S<TargetProcessName>(.
?)<",1,SyslogMessage)
| extend EPO_Threat_Severity = extract (@"\S\SThreatSeverity>(.?)<\S",1,SyslogMessage)
| extend EPO_Analyzer_Rule_Name = extract (@"<AnalyzerRuleName>(.
?)<\SAnalyzerRuleName>",1,SyslogMessage)

However I'm wondering what is the purpose of @ ?
Without inputting @ the query gives an error:
215395-image.png

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,796 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
974 questions
0 comments No comments
{count} votes

Accepted answer
  1. Michael Taylor 47,806 Reputation points
    2022-06-27T15:02:48.26+00:00

    It's a verbatim string indicator. Refer to the cheatsheet here. When dealing with a string that needs slashes (which are normally the start of an escape sequence) it can be hard to understand the string. \\MyPath\\Test.txt is harder to read than \MyPath\Test.tx. But since slash starts an escape sequence the parser sees \M specially and doesn't know how to handle it. So for this kind of string preceding it with @ tells the parser to ignore escape sequences. Hence @"\MyPath\Test.txt translates to \MyPath\Test.txt.

    Use verbatim strings for string literals containing slashes that are not escape sequences.

    2 people found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful