Parsing EventData from SecurityEvents

Hi All, I've parsed EventData as well as Fortinet logs via syslog and more in Azure Sentinel, but I can't help but think that my method is ineffective; basically all I'm doing is

SecurityEvent

| parse EventData with * 'ProcessID">' ProcessID '</Data>' *

for every use case.

Is there a way to do something more like this

SecurityEvent

| parse EventData with * tablename = 'Datatype >' * '</Data>' *

So that in one line it takes the value in front of the ">", assigns it as a table name, and fills in the data related to it at "*".

What I'm thinking is that there's something along the lines of a for loop that adds data to a bin.

It looks like parse_xml() works well.
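The following query is an added example, not code from the thread or from the Sentinel content hub. It shows the parse_xml() approach in full: every <Data Name="..."> element in EventData is folded into one property bag keyed by its Name attribute, so a single query serves every use case instead of one parse statement per field. The three rows in the datatable are constructed samples that stand in for the SecurityEvent table (assumption: real EventData rows carry the same <EventData><Data Name="...">...</Data></EventData> layout); field names such as NewProcessId and TargetUserName are taken from the Windows event schema, and the single-element row is included because parse_xml() returns an object rather than an array when there is only one <Data> element, which would otherwise break mv-apply.

```kusto
// Constructed sample rows standing in for SecurityEvent (assumption: real EventData
// uses the same <EventData><Data Name="...">...</Data></EventData> layout).
let Sample = datatable(TimeGenerated: datetime, Computer: string, EventID: int, EventData: string) [
    datetime(2020-10-01 10:00:00), "host01", 4688,
      @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">alice</Data><Data Name="NewProcessId">0x1a4</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data></EventData>',
    datetime(2020-10-01 10:00:05), "host02", 4624,
      @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="TargetUserName">bob</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">203.0.113.7</Data></EventData>',
    // Constructed single-element case: parse_xml() yields an object here, not an array.
    datetime(2020-10-01 10:00:09), "host03", 4672,
      @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">carol</Data></EventData>'
];
Sample
| extend Parsed = parse_xml(EventData)
// Normalise so that a lone <Data> element becomes a one-element array.
| extend Items = iff(gettype(Parsed.EventData.Data) == "array",
                     Parsed.EventData.Data,
                     pack_array(Parsed.EventData.Data))
// Fold every Data element into one bag keyed by its Name attribute.
// parse_xml() exposes attributes as "@Name" and element text as "#text";
// mv-apply keeps the original row and appends the summarized Fields column.
| mv-apply Item = Items on (
    summarize Fields = make_bag(bag_pack(tostring(Item["@Name"]), tostring(Item["#text"])))
  )
// Pull out whichever fields a use case needs; keys absent from an event come back empty.
| extend NewProcessId   = tostring(Fields.NewProcessId),
         NewProcessName = tostring(Fields.NewProcessName),
         TargetUserName = tostring(Fields.TargetUserName),
         LogonType      = toint(Fields.LogonType),
         IpAddress      = tostring(Fields.IpAddress)
| project TimeGenerated, Computer, EventID, Fields, NewProcessId, NewProcessName, TargetUserName, LogonType, IpAddress
```

To use this against live data, replace the Sample datatable with SecurityEvent (and a time filter such as where TimeGenerated > ago(1h), since parse_xml() runs per row and is noticeably heavier than a string parse). Saving the part from parse_xml() through mv-apply as a Sentinel function lets every analytics rule reuse the Fields bag and pick columns with Fields.<Name>, which replaces the per-field parse statements from the original question.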