Oct 21 2020 05:44 AM
Hi All, I've parsed EventData as well as Fortinet logs via syslog and more in Azure Sentinel, but I can't help but think that my method is ineffective; basically all I'm doing is
SecurityEvent
| parse EventData with * 'ProcessID">' ProcessID '</Data>' *
for every use case.
Is there a way to do something more like this
SecurityEvent
| parse EventData with * tablename = 'Datatype >' * '</Data>' *
so that in one line it takes the value in front of the ">", assigns it as a table name and fills in the data related to it at "*".
What I'm thinking is that there's something along the lines of a for loop that adds data to a bin.
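One way to get the generic behaviour asked for above, as an added KQL example that is not part of the original post or thread: a single regex pulls every `<Data Name="X">value</Data>` pair out of EventData, `mv-apply` plus `make_bag` folds the pairs into one property bag per event, and `bag_unpack` turns the bag keys into columns. The `datatable` rows are constructed sample input so the query runs with no Sentinel data; swap it for `SecurityEvent` in a workspace.

```kql
// Constructed sample rows standing in for SecurityEvent (not real log data).
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, EventData:string) [
    datetime(2020-10-21 05:44:00), 4688,
    @'<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><Data Name="SubjectUserName">alice</Data><Data Name="ProcessID">0x1a4</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data></EventData>',
    datetime(2020-10-21 05:45:00), 4624,
    @'<EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">3</Data><Data Name="ProcessId">0x0</Data></EventData>'
];
SampleEvents
// Replace the line above with "SecurityEvent | where TimeGenerated > ago(1h)" on live data.
// Capture group 1 is the Name attribute, group 2 the element text; result is [[name, value], ...].
// Self-closing <Data Name="X"/> elements and <Data> elements without a Name attribute are skipped.
| extend Pairs = extract_all(@'<Data Name="([^"]+)">([^<]*)</Data>', EventData)
// Fold every pair for an event into one dynamic bag keyed by the Name attribute.
| mv-apply Pair = Pairs to typeof(dynamic) on (
    summarize Fields = make_bag(bag_pack(tostring(Pair[0]), tostring(Pair[1])))
)
// Every key in the bag becomes its own column; the column set differs per EventID,
// so rows that lack a key (e.g. LogonType on a 4688) get an empty value there.
| evaluate bag_unpack(Fields)
| project-reorder TimeGenerated, EventID
```

Scheduled analytics rules need a fixed output schema, so there keep the `Fields` bag and read specific keys with `tostring(Fields.ProcessID)` instead of `bag_unpack`.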
Oct 21 2020 11:35 PM