Extract json from windows event log (SecurityEvent)


Hello everyone,


We are currently trying to parse logs that are being ingested into the SecurityEvent table, with the following information all being in a single field called "EventData". We have tried using parse_json and extractjson but are not sure how to construct the right query.


<EventData xmlns="">
  <Data>{"logLevel":"INFO","timeStamp":"2023-01-31T16:49:21.5973429Z","trackingId":"value","requestId":"value","threadId":34,"hostName":"value","processIdentity":"domain\\user","endpoint":"url","referrer":"ip","operation":"operationName","AccountId":38127231211,"identity.loginName":"domain\\user","identity.authenticationType":"domain.domain","identity.uniqueId":"randomid","identity.accountName":"user name","logger":"SecurityLogger"} </Data>


3 Replies

Hello @Ciyaresh,


Could you please send a screenshot from LAW to see what it looks like?

@mikhailf see below for how it looks in LAW




best response confirmed by Ciyaresh (Contributor)

Hello @Ciyaresh,


Have you tried to use parse_xml()?

parse_xml() - Azure Data Explorer | Microsoft Learn

For example, try to launch this query and see if it returns a parsed EventData xml. Send the result.

SecurityEvent                        // source table named in the question
| extend Data=parse_xml(EventData)   // EventData is the raw XML string
| project Data
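Carrying the accepted answer one step further, here is an added KQL example (not from the thread) that parses the XML, then parses the JSON carried inside the <Data> element and projects the security-relevant fields. It assumes EventData holds exactly the XML shown in the question and that the "logger":"SecurityLogger" value is a usable filter; the output column names are my own choice.

```kusto
SecurityEvent
// Constructed filter: keep only the application events that carry the JSON payload
| where EventData has "SecurityLogger"
// parse_xml() turns the XML into a dynamic object shaped like
//   {"EventData": {"@xmlns": "", "Data": "{ ...json... }"}}
| extend Xml = parse_xml(EventData)
// The <Data> text is itself a JSON document, so parse it a second time
| extend Json = parse_json(tostring(Xml.EventData.Data))
| extend
    LogLevel        = tostring(Json.logLevel),
    EventTime       = todatetime(Json.timeStamp),
    Operation       = tostring(Json.operation),
    Endpoint        = tostring(Json.endpoint),
    AccountId       = tolong(Json.AccountId),
    ProcessIdentity = tostring(Json.processIdentity),
    // Keys that contain a dot must be addressed with bracket syntax;
    // Json.identity.loginName would look for a nested "identity" object that does not exist
    LoginName       = tostring(Json["identity.loginName"]),
    AuthType        = tostring(Json["identity.authenticationType"]),
    AccountName     = tostring(Json["identity.accountName"])
| project TimeGenerated, Computer, EventTime, LogLevel, Operation, Endpoint,
          AccountId, ProcessIdentity, LoginName, AuthType, AccountName
| order by TimeGenerated desc
| take 50
```

Once the fields are flattened this way, the same projection can feed a scheduled analytics rule (for example, counting failed or unusual operations per LoginName) instead of matching on the raw EventData string.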