KQL - what does @ stand for in regex extraction

ppal 241 Reputation points
2022-06-27T12:49:31.223+00:00

Hello,

I want to extract some data from a SyslogMessage and i'm doing fine with the following

Syslog
| where SyslogMessage contains '<EPOevent>'
or ProcessName contains 'EPOEvents'
| extend EPO_Thread_ID = extract(@"\S<ThreatEventID>(.?)<", 1, SyslogMessage)
| extend EPO_Target_Process = extract (@"\S<TargetProcessName>(.
?)<",1,SyslogMessage)
| extend EPO_Threat_Severity = extract (@"\S\SThreatSeverity>(.?)<\S",1,SyslogMessage)
| extend EPO_Analyzer_Rule_Name = extract (@"<AnalyzerRuleName>(.
?)<\SAnalyzerRuleName>",1,SyslogMessage)

However I'm wondering what is the purpose of @ ?
Without inputting @ the query gives an error:
215395-image.png

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
607 questions
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
1,829 questions
No comments
{count} votes

Accepted answer
  1. Michael Taylor 38,271 Reputation points
    2022-06-27T15:02:48.26+00:00

    It's a verbatim string indicator. Refer to the cheatsheet here. When dealing with a string that needs slashes (which are normally the start of an escape sequence) it can be hard to understand the string. \\MyPath\\Test.txt is harder to read than \MyPath\Test.tx. But since slash starts an escape sequence the parser sees \M specially and doesn't know how to handle it. So for this kind of string preceding it with @ tells the parser to ignore escape sequences. Hence @"\MyPath\Test.txt translates to \MyPath\Test.txt.

    Use verbatim strings for string literals containing slashes that are not escape sequences.

    No comments

0 additional answers

Sort by: Most helpful