cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Extract json from windows event log (SecurityEvent)

Ciyaresh
Brass Contributor

‎Feb 01 2023 09:30 AM

‎Feb 01 2023 09:30 AM

Extract json from windows event log (SecurityEvent)

Hello everyone,

 

We are currently trying to parse logs that are being ingested into SecurityEvent table with following information all being in a single field called "EventData". We have tried using parse_json and extractjson but not sure how to construct the right query.

 

<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data>{"logLevel":"INFO","timeStamp":"2023-01-31T16:49:21.5973429Z","trackingId":"value","requestId":"value","threadId":34,"hostName":"value","processIdentity":"domain\\user","endpoint":"url","referrer":"ip","operation":"operationName","AccountId":38127231211,"identity.loginName":"domain\\user","identity.authenticationType":"domain.domain","identity.uniqueId":"randomid","identity.accountName":"user name","logger":"SecurityLogger"} </Data>
</EventData>

 

Labels:
2,868 Views
0 Likes
3 Replies
Reply
3 Replies
mikhailf

‎Feb 01 2023 10:58 AM

‎Feb 01 2023 10:58 AM

Re: Extract json from windows event log (SecurityEvent)

Hello @Ciyaresh,

 

Could you please send a screenshot from LAW to see what it looks like?

0 Likes
Reply
Ciyaresh

‎Feb 01 2023 02:33 PM

‎Feb 01 2023 02:33 PM

Re: Extract json from windows event log (SecurityEvent)

@mikhailf see below on how it looks like in LAW

 

 

Capture.PNG

0 Likes
Reply
best response confirmed by Ciyaresh (Brass Contributor)
mikhailf

‎Feb 02 2023 04:05 AM - edited ‎Feb 02 2023 04:16 AM

‎Feb 02 2023 04:05 AM - edited ‎Feb 02 2023 04:16 AM

Solution

Re: Extract json from windows event log (SecurityEvent)

Hello @Ciyaresh,

 

Have you tried to use parse_xml()?

parse_xml() - Azure Data Explorer | Microsoft Learn 

For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.

YourTableName
| extend Data=parse_xml(EventData)
| project Data

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Ciyaresh (Brass Contributor)
mikhailf

‎Feb 02 2023 04:05 AM - edited ‎Feb 02 2023 04:16 AM

‎Feb 02 2023 04:05 AM - edited ‎Feb 02 2023 04:16 AM

Solution

Re: Extract json from windows event log (SecurityEvent)

Hello @Ciyaresh,

 

Have you tried to use parse_xml()?

parse_xml() - Azure Data Explorer | Microsoft Learn 

For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.

YourTableName
| extend Data=parse_xml(EventData)
| project Data

 

View solution in original post

0 Likes
Reply