From 708f9d28310f5598eb04161df0b38ce21261367e Mon Sep 17 00:00:00 2001
From: 0ccupi3R <47894266+0ccupi3R@users.noreply.github.com>
Date: Tue, 12 Sep 2023 21:06:15 +0530
Subject: [PATCH] Fixed RemoteIP field parsing in FailedLogonAttempts_UnknownUser.yaml

Since few events were missing, fixed the RemoteIP field extraction by using `extract` function.
---
 .../Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml b/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
index 9fcc336511d..138cbb61799 100644
--- a/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
+++ b/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
@@ -26,7 +26,7 @@ query: |
 Syslog
 | where Facility =~ "authpriv"
 | where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
- | parse SyslogMessage with * "rhost=" RemoteIP
+ | extend RemoteIP = extract(@".*?rhost=([\d.]+).*?", 1,SyslogMessage)
 | project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
 | join kind=innerunique (
 // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon.
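Review bot: The capture group `([\d.]+)` on the added `extend` line only accepts IPv4-shaped values, so any event whose `rhost=` carries an IPv6 address or a hostname now gets an empty RemoteIP, whereas the removed `parse` kept whatever followed `rhost=`; if RemoteIP feeds an entity mapping or a join key later in the query, those failed logons would drop out of the detection silently. The leading and trailing `.*?` add nothing because extract() is unanchored. A more robust one-line replacement is `| extend RemoteIP = extract(@"rhost=(\S+)", 1, SyslogMessage)`, which stops at the next whitespace-delimited field and preserves non-IPv4 remote hosts. The `query` block continues outside the hunk, so I cannot see how RemoteIP is consumed downstream.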