FAQ: How do I extract an IP Address from the CommandLine field?

To build a fuller picture of an event and identify possible threats, you may need to extract an IP address (and the port it is paired with) from the CommandLine field. To do so, use the regex() function with named capture groups for the IP address and port:

| regex("(?<ip>[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})\\:(?<port>\\d{2,5})", field=CommandLine)

For a detailed description of the query, see Extract IP Address and Port From Command Line.
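As an added example (not part of the original FAQ), the same pattern translated to Python and run over constructed sample command lines. Two things it makes visible that the one-line query does not: LogScale's escaped `\\.` becomes a plain `\.` in a Python raw string with `(?P<name>...)` group syntax, and the pattern itself accepts octets above 255 and ports above 65535, so a plausibility check is worth adding before acting on an extracted value.

```python
import re
import ipaddress
from typing import Optional

# Python translation of the page's LogScale pattern. LogScale's string escaping
# ("\\." in the query) becomes a single "\." in a Python raw string, and Python's
# named-group syntax is (?P<name>...) rather than (?<name>...).
IP_PORT_RE = re.compile(
    r"(?P<ip>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}):(?P<port>\d{2,5})"
)

def extract_ip_port(command_line: str) -> Optional[dict]:
    """Return {"ip": ..., "port": ...} for the first ip:port pair found in the
    command line, or None when the pattern does not match. This mirrors the
    ip and port fields that regex() adds to a matching event."""
    m = IP_PORT_RE.search(command_line)
    if not m:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port"))}

def is_plausible(extracted: dict) -> bool:
    """Validation the regex does not do: [0-9]{1,3} also matches octets above
    255 and \\d{2,5} also matches ports above 65535."""
    try:
        ipaddress.IPv4Address(extracted["ip"])
    except ValueError:
        return False
    return 1 <= extracted["port"] <= 65535

# Constructed sample CommandLine values (not real events).
SAMPLE_COMMAND_LINES = [
    "msiexec.exe /i http://203.0.113.45:8080/installer.msi /quiet",
    r"C:\Windows\System32\cmd.exe /c ping 10.0.0.5",   # no port -> no match
    "agent.exe --server 999.1.1.1:4444",                # matches, but not a valid IPv4
    "curl.exe http://198.51.100.7:443/update",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        hit = extract_ip_port(cmd)
        verdict = "plausible" if hit and is_plausible(hit) else "no match / implausible"
        print(f"{verdict:24} {hit} <- {cmd}")
```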