SOLVED

Extract json from windows event log (SecurityEvent)

Contributor

Hello everyone,


We are currently trying to parse logs that are being ingested into the SecurityEvent table, with the following information all being in a single field called "EventData". We have tried using parse_json and extractjson but are not sure how to construct the right query.


<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data>{"logLevel":"INFO","timeStamp":"2023-01-31T16:49:21.5973429Z","trackingId":"value","requestId":"value","threadId":34,"hostName":"value","processIdentity":"domain\\user","endpoint":"url","referrer":"ip","operation":"operationName","AccountId":38127231211,"identity.loginName":"domain\\user","identity.authenticationType":"domain.domain","identity.uniqueId":"randomid","identity.accountName":"user name","logger":"SecurityLogger"} </Data>
</EventData>


3 Replies

Hello @Ciyaresh,


Could you please send a screenshot from LAW to see what it looks like?

@mikhailf see below for how it looks in LAW.

[Screenshot attached: Capture.PNG]

best response confirmed by Ciyaresh (Contributor)
Solution

Hello @Ciyaresh,


Have you tried to use parse_xml()?

parse_xml() - Azure Data Explorer | Microsoft Learn

For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.

YourTableName
| extend Data=parse_xml(EventData)
| project Data
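The following KQL is an added worked example and is not code from the thread above. It carries the accepted answer's parse_xml() step through to typed columns, using a sample row constructed from the payload in the question. The table name SampleEvents is a hypothetical stand-in for SecurityEvent, and the column name EventData is taken from the question; the JSON field names are those in the posted payload.

```kql
// Added example, not from the original thread. Shows the full path from the
// posted EventData XML to typed columns. SampleEvents is a constructed
// stand-in for SecurityEvent; the single row is built from the question's payload.
let SampleEvents = datatable(TimeGenerated: datetime, EventData: string) [
    datetime(2023-01-31T16:49:22Z),
    @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data>{"logLevel":"INFO","timeStamp":"2023-01-31T16:49:21.5973429Z","trackingId":"value","requestId":"value","threadId":34,"hostName":"value","processIdentity":"domain\\user","endpoint":"url","referrer":"ip","operation":"operationName","AccountId":38127231211,"identity.loginName":"domain\\user","identity.authenticationType":"domain.domain","identity.uniqueId":"randomid","identity.accountName":"user name","logger":"SecurityLogger"} </Data></EventData>'
];
SampleEvents
// Cheap pre-filter so only rows that can carry this payload are parsed.
| where EventData has "SecurityLogger"
// parse_xml() converts the XML to a dynamic object. The <EventData> element has an
// xmlns attribute, so it becomes {"EventData": {"@xmlns": "...", "Data": "..."}}
// and the text of <Data> (the JSON string) is reachable as .EventData.Data.
| extend Xml = parse_xml(EventData)
// The posted JSON has a trailing space before </Data>; strip surrounding whitespace
// before handing the string to parse_json().
| extend RawJson = trim(@"\s+", tostring(Xml.EventData.Data))
| extend Payload = parse_json(RawJson)
// Keys such as identity.loginName contain a dot, so they must be addressed with
// bracket notation. Payload.identity.loginName would look for a nested object
// named "identity" and return nothing.
| project
    TimeGenerated,
    EventTime       = todatetime(Payload.timeStamp),
    LogLevel        = tostring(Payload.logLevel),
    Operation       = tostring(Payload.operation),
    AccountId       = tolong(Payload.AccountId),
    HostName        = tostring(Payload.hostName),
    ProcessIdentity = tostring(Payload.processIdentity),
    LoginName       = tostring(Payload["identity.loginName"]),
    AuthType        = tostring(Payload["identity.authenticationType"]),
    AccountName     = tostring(Payload["identity.accountName"]),
    UniqueId        = tostring(Payload["identity.uniqueId"]),
    Logger          = tostring(Payload.logger)
| where isnotempty(LoginName)
```

To run this against the real table, delete the let block and start the query with SecurityEvent instead of SampleEvents, keeping the `has` pre-filter so the XML and JSON parsing only runs on candidate rows. If `Xml.EventData.Data` comes back empty on real data, check two things in the raw EventData value: whether the column already holds only the inner JSON (in which case skip parse_xml and call parse_json on EventData directly), and whether the XML contains several <Data> elements, in which case parse_xml() yields an array under Data that needs `mv-expand` before the JSON can be selected.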