cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Parsing XML in Azure Sentinel

TS-noodlemctwoodle
Brass Contributor

‎Jun 04 2020 06:05 AM - last edited on ‎Dec 23 2021 04:50 AM by

‎Jun 04 2020 06:05 AM - last edited on ‎Dec 23 2021 04:50 AM by

Parsing XML in Azure Sentinel

@CliveWatson I wonder if you can give me some pointers for how to parse XML syslog information in Azure Sentinel?

 

Here is an sample of the redacted syslog message formatted into XML

 

05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] �<?xml version="1.0" encoding="utf-8"?>
<UpdateEvents>
    <MachineInfo>
        <AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID>
        <MachineName>Some-Machine</MachineName>
        <RawMACAddress>112233445566</RawMACAddress>
        <IPAddress>1.1.2.3</IPAddress>
        <AgentVersion>1.2.3.123</AgentVersion>
        <OSName>Windows 41</OSName>
        <TimeZoneBias>-10</TimeZoneBias>
        <UserName>myName</UserName>
    </MachineInfo>
    <BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP">
        <UpdateEvent>
            <EventID>1234</EventID>
            <Severity>0</Severity>
            <GMTTime>2020-00-00T06:41:02</GMTTime>
            <ProductID>SomeName1999</ProductID>
            <Locale>0001</Locale>
            <Error>0</Error>
            <Type>SomeCore</Type>
            <Version>1234.0</Version>
            <InitiatorID>SOMEAGENT3000</InitiatorID>
            <InitiatorType>OnDemand</InitiatorType>
            <SiteName>Some-Server-Name</SiteName>
            <Description>N/A</Description>
        </UpdateEvent>
    </BrandCommonUpdater>
</UpdateEvents> 

Many thanks
Labels:
7,991 Views
1 Like
8 Replies
Reply
8 Replies
TS-noodlemctwoodle

‎Jun 04 2020 07:15 AM

‎Jun 04 2020 07:15 AM

Re: Parsing XML in Azure Sentinel

The raw string looks like this:
 
05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>
 
I have this KQL so far to at leastquery the computer and create a data table of just the Syslog message
 
Syslog
| where Computer contains "Some-Server-Name"
| project SyslogMessage
| extend NewField=parse_xml(SyslogMessage)
 
0 Likes
Reply
Gary Bushey

‎Jun 04 2020 08:30 AM

‎Jun 04 2020 08:30 AM

Re: Parsing XML in Azure Sentinel

@TS-noodlemctwoodle Take a look at the parse_xml() command.  Sorry I don't have an example to give you.

 

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parse-xmlfunction

0 Likes
Reply
CliveWatson

‎Jun 05 2020 12:41 AM

‎Jun 05 2020 12:41 AM

Re: Parsing XML in Azure Sentinel

@TS-noodlemctwoodle 

 

SecurityEvent
| project EventData
| extend NewField=parse_xml(EventData)
| extend value=NewField.UserData
| where isnotempty(value)
| project value.RuleAndFileData.FilePath

 

I don't have a Syslog example, but this works  

1 Like
Reply
TS-noodlemctwoodle

‎Jun 05 2020 02:33 AM

‎Jun 05 2020 02:33 AM

Re: Parsing XML in Azure Sentinel

@CliveWatson 

 

Would you be able to assist how I might format your example for SecurityEvent into Syslog using the message example?

 

@Gary Bushey 

I looked at this documentation, although I dont fully understand the examples provided :|

 

I also looked at this post https://www.systemcenterautomation.com/2020/01/extracting-nested-fields-kusto/ but i haven't been able to replicate the output with the data I have

0 Likes
Reply
CliveWatson

‎Jun 05 2020 06:35 AM

‎Jun 05 2020 06:35 AM

Re: Parsing XML in Azure Sentinel

@TS-noodlemctwoodle 

 

One way maybe, if you just need a few fields would be to parse i.e.

 

print syslogmsg = '05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>'
| parse syslogmsg with *" EventFwd [" str " tenantId="*
| project str

 

Go to Log Analytics and run query

str
agentInfo@3401

 

Is that whole string syslogmessge like in the above Print statement?

1 Like
Reply
TS-noodlemctwoodle

‎Jun 05 2020 08:06 AM

‎Jun 05 2020 08:06 AM

Re: Parsing XML in Azure Sentinel

@CliveWatsonYes that is whole string syslogmessge like in the Print statement..

 

Would it be possible for you to show me how to extract the data values after this value

05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?>

 

I'm guessing I would need to RegEx out the above header to get to the data values below. Although I am not sure how to proceed with that?

 

<MachineName>Some-Machine</MachineName>
<RawMACAddress>112233445566</RawMACAddress>
<IPAddress>1.1.2.3</IPAddress>
<AgentVersion>1.2.3.123</AgentVersion>
<OSName>Windows 41</OSName>
<TimeZoneBias>-10</TimeZoneBias>
<UserName>myName</UserName>
<EventID>1234</EventID>
<Severity>0</Severity>
<GMTTime>2020-00-00T06:41:02</GMTTime>
<ProductID>SomeName1999</ProductID>
<Locale>0001</Locale>
<Error>0</Error>
<Type>SomeCore</Type>
<Version>1234.0</Version>
<InitiatorID>SOMEAGENT3000</InitiatorID>
<InitiatorType>OnDemand</InitiatorType>
<SiteName>Some-Server-Name</SiteName>
<Description>N/A</Description>

 

 

Many Thanks for your help so far :)

 

0 Likes
Reply
best response confirmed by TS-noodlemctwoodle (Brass Contributor)
TS-noodlemctwoodle

‎Jun 08 2020 03:21 AM - edited ‎Jun 09 2020 03:20 AM

‎Jun 08 2020 03:21 AM - edited ‎Jun 09 2020 03:20 AM

Solution

Re: Parsing XML in Azure Sentinel

@CliveWatsonThank you very much with your help on this, your a legend.

 

Here is the working solution based upon your suggestion :cool:

 

 

 

 

 

print syslogmsg = '05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>'
| parse syslogmsg with * " tenantNodePath" * " " xml 
| extend xml=parse_xml(xml)
| extend MachineName =  xml.UpdateEvents.MachineInfo.MachineName
| extend IPAddress =  xml.UpdateEvents.MachineInfo.IPAddress
| where isnotempty(MachineName)
| project 
    MachineName,
    IPAddress

 

 

Edit: Just to clean up the query I have made an adjustment to the solution as suggested by @CliveWatson and Ofer :smile:

 

0 Likes
Reply
CliveWatson

‎Jun 08 2020 09:46 AM

‎Jun 08 2020 09:46 AM

Re: Parsing XML in Azure Sentinel

@TS-noodlemctwoodle 

 

Glad to help, and thanks also to Ofer for the cool use of parse in the example.

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by TS-noodlemctwoodle (Brass Contributor)
TS-noodlemctwoodle

‎Jun 08 2020 03:21 AM - edited ‎Jun 09 2020 03:20 AM

‎Jun 08 2020 03:21 AM - edited ‎Jun 09 2020 03:20 AM

Solution

Re: Parsing XML in Azure Sentinel

@CliveWatsonThank you very much with your help on this, your a legend.

 

Here is the working solution based upon your suggestion :cool:

 

 

 

 

 

print syslogmsg = '05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>'
| parse syslogmsg with * " tenantNodePath" * " " xml 
| extend xml=parse_xml(xml)
| extend MachineName =  xml.UpdateEvents.MachineInfo.MachineName
| extend IPAddress =  xml.UpdateEvents.MachineInfo.IPAddress
| where isnotempty(MachineName)
| project 
    MachineName,
    IPAddress

 

 

Edit: Just to clean up the query I have made an adjustment to the solution as suggested by @CliveWatson and Ofer :smile:

 

View solution in original post

0 Likes
Reply