// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions Syslog | where ProcessName == "box_Firewall_Activity" | extend Type = extract("type=([\\w\\s]+)",1,SyslogMessage) , L4Protocol = extract("proto=([\\w\\s]+)",1,SyslogMessage) , SourceInterface = extract("srcIF=([\\w\\s]+)",1,SyslogMessage) , SourceIP = extract("srcIP=([\\d\\.]+)",1,SyslogMessage) , SourcePort = extract("srcPort=([\\d\\s]+)",1,SyslogMessage) , SourceMAC = extract("srcMAC=([\\w\\d:]+)",1,SyslogMessage) , DestinationIP = extract("dstIP=([\\d\\.]+)",1,SyslogMessage) , DestinationPort = extract("dstPort=([\\w\\s]+)",1,SyslogMessage) , DestinationService = extract("dstService=([\\w\\s]+)",1,SyslogMessage) , DestinationInterface = extract("dstIF=([\\w\\s]+)",1,SyslogMessage) , FirewallRule = extract("rule=([\\w\\s\\-]+)",1,SyslogMessage) , Info = extract("info=([\\w\\s]+)",1,SyslogMessage) , SourceNAT = extract("srcNAT=([\\d\\.]+)",1,SyslogMessage) , DestinationNAT = extract("dstNAT=([\\d\\.]+)",1,SyslogMessage) , Duration = extract("duration=([\\d]+)",1,SyslogMessage) , Count = extract("count=([\\d]+)",1,SyslogMessage) , ReceivedBytes = extract("receivedBytes=([\\d]+)",1,SyslogMessage) , SentBytes = extract("sentBytes=([\\d]+)",1,SyslogMessage) , ReceivedPackets = extract("receivedPackets=([\\d]+)",1,SyslogMessage) , SentPackets = extract("sentPackets=([\\d]+)",1,SyslogMessage) , User = extract("user=([\\w\\s]+)",1,SyslogMessage) , L7Protocol = extract("protocol=([\\w\\s]+)",1,SyslogMessage) , Application = extract("application=([\\w\\s]+)",1,SyslogMessage) , Target = extract("target=([\\w\\s]+)",1,SyslogMessage) , Content = extract("content=([\\w\\s]+)",1,SyslogMessage) , URLCategory = extract("urlcat=([\\w\\s]+)",1,SyslogMessage)