Parsing EventData from SecurityEvents


Hi All, I've parsed EventData as well as Fortinet logs via syslog and more in Azure Sentinel, but I can't help but think that my method is ineffective; basically all I'm doing is

SecurityEvent
| parse EventData with * 'ProcessID">' ProcessID '</Data>' *

for every use case.

 

Is there a way to do something more like this:

SecurityEvent
| parse EventData with * tablename = 'Datatype >' * '</Data>' *

So that in one line it takes the value in front of the ">", assigns it as a table name, and fills in the data related to it at "*".

 

What I'm thinking is that there's something along the lines of a for loop that adds data to a bin.

1 Reply
It looks like parse_xml() works well.
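The following KQL shows the parse_xml() approach the reply points at, carried through to the point the question asks for: every `<Data Name="...">` element becomes its own column without writing one `parse` statement per field. It is an added example, not code from the original post or from Microsoft. The `SampleEvents` datatable is constructed to mimic the `SecurityEvent.EventData` column (real events carry many more `<Data>` elements); `SampleEvents`, `Parsed`, `DataItems`, `Item`, `Name`, `Value` and `Fields` are names chosen here, and the third row is included to exercise the single-element edge case.

```kusto
// Added example (not from the original post). Sample rows are constructed to
// mimic SecurityEvent.EventData; real events carry more <Data> elements.
let SampleEvents = datatable (TimeGenerated: datetime, Computer: string, EventID: int, EventData: string) [
    datetime(2024-01-15 10:00:00), "HOST01", 4688,
        @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">alice</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="ProcessId">0x1a4</Data></EventData>',
    datetime(2024-01-15 10:00:05), "HOST01", 4624,
        @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">HOST01$</Data><Data Name="TargetUserName">alice</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.25</Data></EventData>',
    // Edge case: a single <Data> element is parsed as an object, not an array.
    datetime(2024-01-15 10:00:09), "HOST02", 1102,
        @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">bob</Data></EventData>'
];
SampleEvents
// parse_xml() maps XML attributes to "@attr" keys and element text to "#text"
| extend Parsed = parse_xml(EventData)
| extend DataItems = Parsed.EventData.Data
// Normalise the single-element case so that mv-expand always sees an array
| extend DataItems = iff(gettype(DataItems) == "array", DataItems, pack_array(DataItems))
// One row per <Data> element, with its Name attribute and its text value
| mv-expand Item = DataItems
| extend Name = tostring(Item['@Name']), Value = tostring(Item['#text'])
// Fold the name/value pairs of each event back into one property bag ...
| summarize Fields = make_bag(bag_pack(Name, Value)) by TimeGenerated, Computer, EventID
// ... and turn every key of that bag into its own column
| evaluate bag_unpack(Fields)
| project-reorder TimeGenerated, Computer, EventID
```

Two practical points when using this on the real table: the `SecurityEvent` table in Sentinel already exposes many of these fields as typed columns (for example `SubjectUserName`, `NewProcessName`, `ProcessId`), so XML parsing is only worth the cost for fields that are not already columns; and because `bag_unpack` produces a column set that depends on the data, a scheduled analytics rule should end with an explicit `project` of the columns it relies on rather than on whatever the bag happened to contain.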