Parsing EventData from SecurityEvents

Copper Contributor

Hi All, I've parsed EventData, as well as Fortinet logs via syslog and more, in Azure Sentinel, but I can't help but think that my method is ineffective. Basically all I'm doing is

| parse EventData with * 'ProcessID">' ProcessID '</Data>' *

for every use case.


Is there a way to do something more like this:

| parse EventData with * tablename = 'Datatype >' * '</Data>' *

so that in one line it takes the value in front of the ">", assigns it as a table name, and fills in the data related to it at "*"?

What I'm thinking is that there's something along the lines of a for loop that adds data to a bin.

1 Reply
It looks like parse_xml() works well.
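Worked example of the parse_xml() approach, added here and not part of the original question or reply. It shows the generic version the question asks for: every <Data Name="..."> element is turned into a name/value pair in one pass instead of one parse statement per field. The single row in the datatable is a constructed sample of the EventData XML that a 4688 process-creation event carries; the column names (TimeGenerated, EventID, EventData) are assumed to match the SecurityEvent table in Sentinel, so drop the datatable and query SecurityEvent directly in a real workspace.

```kusto
// Constructed sample: one row shaped like SecurityEvent's EventData column (not real telemetry).
let SampleEvents = datatable(TimeGenerated: datetime, EventID: int, EventData: string)
[
    datetime(2024-01-01T10:00:00Z), 4688,
    '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserSid">S-1-5-18</Data><Data Name="SubjectUserName">SYSTEM</Data><Data Name="NewProcessId">0x1f4c</Data><Data Name="NewProcessName">C:\\Windows\\System32\\cmd.exe</Data><Data Name="ProcessId">0x3a8</Data><Data Name="CommandLine">cmd.exe /c whoami</Data></EventData>'
];
SampleEvents
// parse_xml() turns the XML into a dynamic object: child elements become properties,
// attributes become "@Name", and element text next to an attribute becomes "#text".
| extend Parsed = parse_xml(EventData)
// Repeated <Data> elements arrive as an array, so expand one row per element.
| mv-expand DataItem = Parsed.EventData.Data
| extend FieldName = tostring(DataItem["@Name"]), FieldValue = tostring(DataItem["#text"])
// Fold the name/value rows back into one property bag per event
// (this is the "for loop that adds data to a bin" the question describes).
| summarize Fields = make_bag(bag_pack(FieldName, FieldValue)) by TimeGenerated, EventID
// Any field is now addressable by name without a dedicated parse statement.
| extend NewProcessName = tostring(Fields.NewProcessName),
         CommandLine    = tostring(Fields.CommandLine),
         SubjectUser    = tostring(Fields.SubjectUserName)
| project TimeGenerated, EventID, SubjectUser, NewProcessName, CommandLine, Fields
```

Two caveats when moving this onto the real table. First, if an event carries exactly one <Data> element, Parsed.EventData.Data is an object rather than an array, and mv-expand will expand its properties instead of the element; guard with a check such as `where gettype(Parsed.EventData.Data) == "array"` or handle that case separately. Second, for the common event IDs the SecurityEvent connector already promotes most of these fields to top-level columns (Account, Process, CommandLine, and so on), so reserve EventData parsing for event types whose fields have not been promoted; parse_xml() on every row of a high-volume table is noticeably more expensive than reading an existing column.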