SOLVED

Extract json from windows event log (SecurityEvent)

Brass Contributor

Hello everyone,

 

We are currently trying to parse logs that are being ingested into SecurityEvent table with following information all being in a single field called "EventData". We have tried using parse_json and extractjson but not sure how to construct the right query.

 

<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data>{"logLevel":"INFO","timeStamp":"2023-01-31T16:49:21.5973429Z","trackingId":"value","requestId":"value","threadId":34,"hostName":"value","processIdentity":"domain\\user","endpoint":"url","referrer":"ip","operation":"operationName","AccountId":38127231211,"identity.loginName":"domain\\user","identity.authenticationType":"domain.domain","identity.uniqueId":"randomid","identity.accountName":"user name","logger":"SecurityLogger"} </Data>
</EventData>

 

3 Replies

Hello @Ciyaresh,

 

Could you please send a screenshot from LAW to see what it looks like?

@mikhailf see below on how it looks like in LAW

 

 

Capture.PNG

best response confirmed by Ciyaresh (Brass Contributor)
Solution

Hello @Ciyaresh,

 

Have you tried to use parse_xml()?

parse_xml() - Azure Data Explorer | Microsoft Learn 

For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.

YourTableName
| extend Data=parse_xml(EventData)
| project Data

 

1 best response

Accepted Solutions
best response confirmed by Ciyaresh (Brass Contributor)
Solution

Hello @Ciyaresh,

 

Have you tried to use parse_xml()?

parse_xml() - Azure Data Explorer | Microsoft Learn 

For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.

YourTableName
| extend Data=parse_xml(EventData)
| project Data

 

View solution in original post