
Kusto question

andrew_bryant
Contributor

Importing event logs into workspace that have a property like the following:

<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>

We are interested in the second parameter. Is there a query that can distill this down into one property?

3 Replies
Solution

Hi @andrew_bryant

Are you asking about parsing? Example:

print txt = "<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>"
| parse txt with *"<Param>2</" p2 "><Param>3"*

txt                                                                               p2
<Param>1</Param><Param>2</Param><Param>3</Param><Param>4</Param><Param>5</Param>  Param

@andrew_bryant The Sentinel blog had a post a while ago about working with JSON that may help.

https://techcommunity.microsoft.com/t5/Azure-Sentinel/Tip-Easily-use-JSON-fields-in-Sentinel/ba-p/76...

@Clive Watson

This was what I was looking for. Here is the query I ended up using:

Event
// trailing "</Param>" stops channeltype from also capturing the closing tag of the last parameter
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype "</Param>" *

The event log source was NTLM operational log from DCs auditing NTLM requests.
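An added example (not from the thread) that takes the final query a step further: constructed rows in the shape of the NTLM operational log's ParameterXml are parsed positionally as above, and also with extract_all, which answers the original "second parameter" question without knowing how many parameters follow. The field names follow the thread's query; the sample computer, user and workstation values are invented.

```kusto
// Constructed sample rows (not real telemetry); column layout mirrors the Event table's ParameterXml.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, ParameterXml:string)
[
    datetime(2023-01-01 10:00:00), "DC01", "<Param>LSA</Param><Param>alice</Param><Param>CONTOSO</Param><Param>WS01</Param><Param>Secure</Param>",
    datetime(2023-01-01 10:05:00), "DC01", "<Param>LSA</Param><Param>svc_backup</Param><Param>CONTOSO</Param><Param>WS02</Param><Param>Secure</Param>",
    datetime(2023-01-01 10:07:00), "DC02", "<Param>LSA</Param><Param>alice</Param><Param>CONTOSO</Param><Param>WS01</Param><Param>Secure</Param>"
];
SampleEvents
// Positional parse, as in the accepted answer; the trailing "</Param>" keeps the last capture clean.
| parse ParameterXml with * "<Param>" SChannel "</Param><Param>" Username "</Param><Param>" domain "</Param><Param>" Workstation "</Param><Param>" channeltype "</Param>" *
// Count-independent alternative: every <Param> body becomes one element of a dynamic array.
| extend AllParams = extract_all(@"<Param>(.*?)</Param>", ParameterXml)
// Arrays are zero-based, so index 1 is the "second parameter" from the question (the username here).
| extend SecondParam = tostring(AllParams[1])
// Typical audit roll-up: which accounts are still authenticating over NTLM, and from where.
| summarize Requests = count(), Workstations = make_set(Workstation), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Username, domain
```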