Fixed RemoteIP field parsing in FailedLogonAttempts_UnknownUser.yaml

Since few events were missing, fixed the RemoteIP field extraction by using `extract` function.

Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml

@@ -26,7 +26,7 @@ query: |
   Syslog
   | where Facility =~ "authpriv"
   | where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
-  | parse SyslogMessage with * "rhost=" RemoteIP
+  | extend RemoteIP = extract(@".*?rhost=([\d.]+).*?", 1,SyslogMessage)
   | project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
   | join kind=innerunique (
       // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon.