Forum Discussion
Extract json from windows event log (SecurityEvent)
Hello everyone,
We are currently trying to parse logs that are being ingested into SecurityEvent table with following information all being in a single field called "EventData". We have tried using parse_json and extractjson but not sure how to construct the right query.
<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Data>{"logLevel":"INFO","timeStamp":"2023-01-31T16:49:21.5973429Z","trackingId":"value","requestId":"value","threadId":34,"hostName":"value","processIdentity":"domain\\user","endpoint":"url","referrer":"ip","operation":"operationName","AccountId":38127231211,"identity.loginName":"domain\\user","identity.authenticationType":"domain.domain","identity.uniqueId":"randomid","identity.accountName":"user name","logger":"SecurityLogger"} </Data>
</EventData>
Hello Ciyaresh,
Have you tried to use parse_xml()?
parse_xml() - Azure Data Explorer | Microsoft Learn
For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.
YourTableName | extend Data=parse_xml(EventData) | project Data
Hello Ciyaresh,
Have you tried to use parse_xml()?
parse_xml() - Azure Data Explorer | Microsoft Learn
For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.
YourTableName | extend Data=parse_xml(EventData) | project Data
