SOLVED

Kusto question

Brass Contributor

Importing event logs into a workspace that have a property like the following:

<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>


We are interested in the second parameter.  Is there a query that can distill this down into one property?

3 Replies
best response confirmed by andrew_bryant (Brass Contributor)
Solution

Hi @andrew_bryant 


Are you asking about parsing?  Example:


print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with * "<Param>2</" p2 "><Param>3" *


txt | p2
<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param> | Param


@andrew_bryant The Sentinel blog had a post a while ago about working with JSON that may help.


https://techcommunity.microsoft.com/t5/Azure-Sentinel/Tip-Easily-use-JSON-fields-in-Sentinel/ba-p/76...

@CliveWatson 


This was what I was looking for.  Here is the query I ended up using:

Event
// the closing "</Param>" literal after channeltype keeps the trailing tag out of the captured value
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype "</Param>" *


The event log source was the NTLM operational log from DCs auditing NTLM requests.
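An added example (not from the thread) that runs the same extraction over a constructed sample table standing in for the real Event table; the column names, the five-parameter layout and every value are assumptions. It uses extract_all instead of a fixed-literal parse, so it also works when the number of <Param> elements varies, and the second parameter is selected by index:

```kql
// Constructed sample rows standing in for the Event table (not real log data).
let SampleEvents = datatable(TimeGenerated: datetime, ParameterXml: string) [
    datetime(2024-04-03T10:00:00Z), "<Param>DC01</Param><Param>alice</Param><Param>CONTOSO</Param><Param>WS-0001</Param><Param>Domain</Param>",
    datetime(2024-04-03T10:01:00Z), "<Param>DC01</Param><Param>svc-backup</Param><Param>CONTOSO</Param><Param>WS-0002</Param><Param>Domain</Param>",
    datetime(2024-04-03T10:02:00Z), "<Param>DC02</Param><Param>alice</Param><Param>CONTOSO</Param><Param>WS-0001</Param><Param>Domain</Param>"
];
SampleEvents
// extract_all returns the body of every <Param> element as an array, however many there are.
// Indexing is zero-based, so [1] is the second parameter the question asked for.
| extend Params = extract_all(@"<Param>(.*?)</Param>", ParameterXml)
| extend Username = tostring(Params[1]), Workstation = tostring(Params[3])
// Aggregate NTLM requests per account so unusual sources stand out for review.
| summarize NtlmRequests = count(), Workstations = make_set(Workstation) by Username
| order by NtlmRequests desc
```

With the sample rows above, alice shows 2 requests from WS-0001 and svc-backup 1 request from WS-0002; a fixed-literal parse would instead leave columns empty on any row whose layout differs.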