Forum Discussion

LodewykV
Copper Contributor
Oct 21, 2020

Parsing EventData from SecurityEvents

Hi All, I've parsed EventData as well as Fortinet logs via syslog and more in Azure Sentinel, but I can't help but think that my method is ineffective; basically all I'm doing is

SecurityEvent
| parse EventData with * 'ProcessID">' ProcessID '</Data>' *

for every use case.

Is there a way to do something more like this

SecurityEvent
| parse EventData with * tablename = 'Datatype >' * '</Data>' *

so that in one line it takes the value in front of the ">", assigns it as a column name and fills in the data related to it at "*"?

What I'm thinking is that there's something along the lines of a for loop that adds data to a bin.
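
The pattern the post is asking for, written out as an added KQL example (this is not code from the original post or any reply to it): instead of one `parse` per field, pull every `<Data Name="...">value</Data>` pair out of `EventData` with `extract_all`, fold the pairs into one property bag per event with `mv-apply` and `make_bag`, then turn the bag into columns with `bag_unpack`. The `datatable` at the top is a constructed stand-in for `SecurityEvent` with a single made-up 4688 event, so the query runs without a workspace; the regular expression and the column names chosen in the final `project` are assumptions about the event's field names, not something the original post specifies.

```kusto
// Added example: parse every Data element of EventData in one pass.
// SampleSecurityEvent is a constructed stand-in for the SecurityEvent table.
let SampleSecurityEvent = datatable(TimeGenerated:datetime, Computer:string, EventID:int, EventData:string) [
    datetime(2020-10-21 08:00:00), "WS01", 4688,
    @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">alice</Data><Data Name="NewProcessId">0x1a2c</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe /c whoami</Data></EventData>'
];
SampleSecurityEvent
// Capture group 1 is the Name attribute, group 2 the element text.
// extract_all with several groups returns an array of [name, value] arrays.
| extend Pairs = extract_all(@'<Data Name="([^"]+)">([^<]*)</Data>', EventData)
// Collapse the array of pairs into a single dynamic bag per row: {"SubjectUserName": "alice", ...}
| mv-apply Pair = Pairs on (
    summarize Fields = make_bag(bag_pack(tostring(Pair[0]), tostring(Pair[1])))
  )
// Promote each bag key to its own column.
| evaluate bag_unpack(Fields)
| project TimeGenerated, Computer, EventID, SubjectUserName, NewProcessId, NewProcessName, CommandLine
```

Two caveats a practitioner would want: `bag_unpack` produces a column set that depends on the data, which is fine in interactive hunting but awkward in a scheduled analytics rule, where referencing `Fields.NewProcessId` directly (or `Fields["Command Line"]` for names with spaces) gives a stable schema; and a regex over the raw string does not undo XML escaping, so a value containing `&amp;` or `&lt;` arrives escaped, whereas `parse_xml(EventData)` followed by `mv-expand` over `.EventData.Data` (attributes appear as `["@Name"]`, the text as `["#text"]`) decodes them at somewhat higher cost per row.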
