Forum Discussion

Brass Contributor

Feb 01, 2023

Extract json from windows event log (SecurityEvent)

Hello everyone, We are currently trying to parse logs that are being ingested into SecurityEvent table with following information all being in a single field called "EventData". We have tried usi...

KQL

kusto

mikhailf
Feb 02, 2023
Hello Ciyaresh,

Have you tried to use parse_xml()?
parse_xml() - Azure Data Explorer | Microsoft Learn
For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.
YourTableName | extend Data=parse_xml(EventData) | project Data

mikhailf

Steel Contributor

Feb 01, 2023

Hello Ciyaresh,

Could you please send a screenshot from LAW to see what it looks like?

Ciyaresh
Brass Contributor
Feb 01, 2023
mikhailf see below on how it looks like in LAW
- mikhailf
  Steel Contributor
  Feb 02, 2023
  Hello Ciyaresh,
  
  Have you tried to use parse_xml()?
  parse_xml() - Azure Data Explorer | Microsoft Learn
  For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.
  YourTableName | extend Data=parse_xml(EventData) | project Data

Forum Discussion

Extract json from windows event log (SecurityEvent)

Share

Resources