SOLVED
Kusto question

andrew_bryant
Contributor

Importing event logs into a workspace that have a property like the following:

<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>

We are interested in the second parameter.  Is there a query that can distill this down into one property?

3 Replies
Solution

Hi @andrew_bryant

Are you asking about parsing?  Example:

print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with *"<Param>2</" p2 "><Param>3"*

Go to Log Analytics and Run Query

txt    | p2
-------|------
12345  | Param

@andrew_bryant The Sentinel blog had a post a while ago about working with JSON that may help.

https://techcommunity.microsoft.com/t5/Azure-Sentinel/Tip-Easily-use-JSON-fields-in-Sentinel/ba-p/76...

@Clive Watson

This was what I was looking for.  Here is the query I ended up using:

Event
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype


The event log source was the NTLM operational log from DCs auditing NTLM requests.
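As an added example (not from the thread), the same extraction written with extract_all so that it no longer depends on a fixed number of Param elements and also answers the original question of pulling out just the second one. The Event table, the ParameterXml column and the five field names are taken from the asker's query; the sample rows are constructed here.

```kql
// Added example: constructed rows stand in for the Event table's ParameterXml
// column; the field names match the asker's final query.
datatable(TimeGenerated:datetime, ParameterXml:string)
[
    datetime(2019-08-20 10:00:00), "<Param>sc-a</Param><Param>alice</Param><Param>CONTOSO</Param><Param>WS01</Param><Param>0</Param>",
    datetime(2019-08-20 10:01:00), "<Param>sc-b</Param><Param>svc-backup</Param><Param>CONTOSO</Param><Param>WS02</Param><Param>0</Param>",
    // fewer parameters than expected: out-of-range indexes yield null, so those columns come back empty
    datetime(2019-08-20 10:02:00), "<Param>sc-c</Param><Param>bob</Param>"
]
// One capture group: extract_all returns a dynamic array of the Param values in document order.
| extend Params = extract_all(@"<Param>(.*?)</Param>", ParameterXml)
// The original question: the second parameter as a single property (arrays are zero-based).
| extend Username = tostring(Params[1])
// The generalization used in the accepted query, by position instead of literal delimiters.
| extend SChannel = tostring(Params[0]), domain = tostring(Params[2]),
         Workstation = tostring(Params[3]), channeltype = tostring(Params[4])
| project TimeGenerated, SChannel, Username, domain, Workstation, channeltype
```

Because the positional lookup never fails on short or reordered rows, a row that lacks a parameter shows an empty string rather than being silently dropped, which is easier to spot when reviewing the audit output.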