Forum Discussion
Sentinnel Entity Mapping Issue
- Jan 01, 2022
Yep, you will need to use the parse operator to take the field you want out of your EventData.
Not exactly sure which EventID you are after (feel free to post an example of the EventData), but an example of parsing EventData is as follows:
SecurityEvent
| parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' *
Add that to your query and it will create you a new column called 'User' from everything between '<Data Name="SubjectUserName">' and '</Data>', and you can then map it to an entity in your analytic rule.
I did a little guide to using parse and split on my GitHub if you are interested - https://github.com/reprise99/Sentinel-Queries#parse-and-split-basics
Had a follow-up question. Would parse work on a particular part of an EventData field? For instance, in the EventData for the query I'm writing, one of the categories is TaskContent. There is a lot of info there but I only want this piece: "<Exec> <Command>"C:\Program Files (x86)\Internet Explorer\iexplore.exe"". How would I set it to only pull this from the TaskContent field and nothing else? I have attached a screenshot of the EventData.
| parse EventData with * 'Command>"' CommandRun '</Command>' *
That will create you a new column called CommandRun with everything between 'Command>"' and '</Command>'.
- SentinnelCMAN, Jan 16, 2022, Copper Contributor
I see. I tried this and later realized the XML in Event Viewer that I attached earlier and the XML in the Sentinel logs are slightly different. As opposed to "<Exec> <Command>"C:\Program Files (x86)\Internet Explorer\iexplore.exe"" shown in Event Viewer, the same info within the TaskContent field in Sentinel is <Command>"C:\Program Files (x86)\Internet Explorer\iexplore.exe" </Command>.
Per your logic I tried the following (see attached picture). Is there something I'm missing?
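As an added, self-contained example (not posted by anyone in this thread), the query below applies the parse pattern from the replies above to the TaskContent format the second poster describes, where the command appears as `<Command>"C:\...\iexplore.exe" </Command>`. SampleEvents is a constructed datatable standing in for SecurityEvent; the EventID 4698 (scheduled task created), the hostnames and the assumption that the nested task XML is stored unescaped inside the Data element are mine, not the thread's. If your EventData stores it escaped (`&lt;Command&gt;`), the literal delimiters need to change to match.

```kql
// Added example, not from the thread. SampleEvents is a constructed stand-in
// for the SecurityEvent table; EventID 4698 and the unescaped nested
// <Command> text are assumptions about the source data.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventID:int, EventData:string)
[
    datetime(2022-01-16T10:00:00Z), "WKS01", 4698,
    @'<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="TaskName">\Updater</Data><Data Name="TaskContent"><Task><Actions><Exec><Command>"C:\Program Files (x86)\Internet Explorer\iexplore.exe" </Command></Exec></Actions></Task></Data></EventData>',
    datetime(2022-01-16T10:05:00Z), "WKS02", 4698,
    @'<EventData><Data Name="SubjectUserName">svc_backup</Data><Data Name="TaskName">\Backup</Data><Data Name="TaskContent"><Task><Actions><Exec><Command>"C:\Tools\backup.exe" </Command><Arguments>/full</Arguments></Exec></Actions></Task></Data></EventData>'
];
SampleEvents
| where EventID == 4698
// Account that registered the task: text between the SubjectUserName tag and its closing </Data>
| parse EventData with * '<Data Name="SubjectUserName">' User '</Data>' *
// Executable only: start after the opening quote of <Command>" and stop at the
// closing quote, so the trailing quote and space before </Command> stay out of the column
| parse EventData with * '<Command>"' CommandRun '"' *
// Task name from its own Data element, useful as extra context in the alert
| parse EventData with * '<Data Name="TaskName">' TaskName '</Data>' *
| project TimeGenerated, Computer, User, TaskName, CommandRun
```

With this projection the analytic rule's entity mapping is straightforward: map the Account entity's Name to `User`, the Host entity's HostName to `Computer`, and the Process entity's CommandLine to `CommandRun`. Rows where a delimiter string is absent get an empty value for that column rather than failing, so add a `where isnotempty(CommandRun)` if you only want alerts when the command was actually extracted.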