cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

New to Sentinel and KQL, looking to parse SyslogMessage String data

Reedk
Copper Contributor

‎Jul 09 2020 12:23 PM - last edited on ‎Apr 08 2022 10:32 AM by

‎Jul 09 2020 12:23 PM - last edited on ‎Apr 08 2022 10:32 AM by

New to Sentinel and KQL, looking to parse SyslogMessage String data

I have some windows events being forwarded as syslog and the data is coming in to Sentinel as one long string with ascii codes.

 

I'm trying to find a way to parse this data or break it up into additional tables. So that it can be searched and action items can be created specifically for the event ID.

 

String Data in the SyslogMessage field:

17:39 2020#0114634#011Microsoft-Windows-Security-Auditing#011#011N/A#011Audit Success#011(FQDN Hostname)#01112545#011An account was logged off.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-3268862665-1393187318-1665994716-32848#015#012#011Account Name:#011#011(SAMAccountName)#015#012#011Account Domain:#011#011(Domain)#015#012#011Logon ID:#011#0110x13A10172#015#012#015#012Logon Type:#011#011#0113#015#012#015#012This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

 

This data is coming from Solarwinds and being forwarded to Sentinel via CEF forwarder. There is currently no connector for this.

 

 

3,959 Views
0 Likes
1 Reply
Reply
1 Reply
Noa Kuperberg

‎Jul 10 2020 06:34 AM

‎Jul 10 2020 06:34 AM

Re: New to Sentinel and KQL, looking to parse SyslogMessage String data

Hi @Reedk,

You can generally use the parse operator to break a text into different fields, and then continue analyzing it as you want. In this case, your string is a bit confusing with many #011 #012 #015 delimiters, so first you should think how you want to parse it so it would make sense.

I took a shot at it:

let TestStr = datatable(EventText:string)
["17:39 2020#0114634#011Microsoft-Windows-Security-Auditing#011#011N/A#011Audit Success#011(FQDN Hostname)#01112545#011An account was logged off.#015#012#015#012Subject:#015#012#011Security ID:#011#011S-1-5-21-3268862665-1393187318-1665994716-32848#015#012#011Account Name:#011#011(SAMAccountName)#015#012#011Account Domain:#011#011(Domain)#015#012#011Logon ID:#011#0110x13A10172#015#012#015#012Logon Type:#011#011#0113#015#012#015#012This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."];
TestStr
| parse kind=relaxed EventText with EventTime "#011" SomeID1 "#011" EventCategory "#011" SomeField1 "#011" SomeField2 "#011" EventResult "#011" SomeField3 "#011" SomeID2 "#011" EventDescription "#015#012#015#012" MoreDetails

 The result was:

parse.png

You can use regex as well, check out the documentation in the above link.

 

HTH

0 Likes
Reply