SOLVED

Parsing XML in Azure Sentinel


@CliveWatson I wonder if you can give me some pointers for how to parse XML syslog information in Azure Sentinel?

 

Here is a sample of the redacted syslog message formatted into XML

 

05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] �<?xml version="1.0" encoding="utf-8"?>
<UpdateEvents>
    <MachineInfo>
        <AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID>
        <MachineName>Some-Machine</MachineName>
        <RawMACAddress>112233445566</RawMACAddress>
        <IPAddress>1.1.2.3</IPAddress>
        <AgentVersion>1.2.3.123</AgentVersion>
        <OSName>Windows 41</OSName>
        <TimeZoneBias>-10</TimeZoneBias>
        <UserName>myName</UserName>
    </MachineInfo>
    <BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP">
        <UpdateEvent>
            <EventID>1234</EventID>
            <Severity>0</Severity>
            <GMTTime>2020-00-00T06:41:02</GMTTime>
            <ProductID>SomeName1999</ProductID>
            <Locale>0001</Locale>
            <Error>0</Error>
            <Type>SomeCore</Type>
            <Version>1234.0</Version>
            <InitiatorID>SOMEAGENT3000</InitiatorID>
            <InitiatorType>OnDemand</InitiatorType>
            <SiteName>Some-Server-Name</SiteName>
            <Description>N/A</Description>
        </UpdateEvent>
    </BrandCommonUpdater>
</UpdateEvents> 

Many thanks
The raw string looks like this:
 
05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>
 
I have this KQL so far to at least query the computer and create a data table of just the Syslog message
 
Syslog
| where Computer contains "Some-Server-Name"
| project SyslogMessage
| extend NewField=parse_xml(SyslogMessage)
 

@TS-noodlemctwoodle Take a look at the parse_xml() command.  Sorry I don't have an example to give you.

 

https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/parse-xmlfunction

@TS-noodlemctwoodle 

 

SecurityEvent
| project EventData
| extend NewField=parse_xml(EventData)
| extend value=NewField.UserData
| where isnotempty(value)
| project value.RuleAndFileData.FilePath

 

I don't have a Syslog example, but this works  

@CliveWatson 

 

Would you be able to assist with how I might format your example for SecurityEvent into Syslog using the message example?

 

@Gary Bushey 

I looked at this documentation, although I don't fully understand the examples provided :|

 

I also looked at this post https://www.systemcenterautomation.com/2020/01/extracting-nested-fields-kusto/ but I haven't been able to replicate the output with the data I have

@TS-noodlemctwoodle 

 

One way, maybe, if you just need a few fields, would be to parse, i.e.:

 

print syslogmsg = '05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>'
| parse syslogmsg with *" EventFwd [" str " tenantId="*
| project str

 


str
agentInfo@3401

 

Is that whole string syslogmessage like in the above Print statement?

@CliveWatson Yes, that is the whole string syslogmessage like in the Print statement.

 

Would it be possible for you to show me how to extract the data values after this value?

05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?>

 

I'm guessing I would need to RegEx out the above header to get to the data values below. Although I am not sure how to proceed with that?

 

<MachineName>Some-Machine</MachineName>
<RawMACAddress>112233445566</RawMACAddress>
<IPAddress>1.1.2.3</IPAddress>
<AgentVersion>1.2.3.123</AgentVersion>
<OSName>Windows 41</OSName>
<TimeZoneBias>-10</TimeZoneBias>
<UserName>myName</UserName>
<EventID>1234</EventID>
<Severity>0</Severity>
<GMTTime>2020-00-00T06:41:02</GMTTime>
<ProductID>SomeName1999</ProductID>
<Locale>0001</Locale>
<Error>0</Error>
<Type>SomeCore</Type>
<Version>1234.0</Version>
<InitiatorID>SOMEAGENT3000</InitiatorID>
<InitiatorType>OnDemand</InitiatorType>
<SiteName>Some-Server-Name</SiteName>
<Description>N/A</Description>

 

 

Many Thanks for your help so far :)

 

best response confirmed by TS-noodlemctwoodle (Occasional Contributor)
Solution

@CliveWatson Thank you very much for your help on this, you're a legend.

 

Here is the working solution based upon your suggestion :cool:

print syslogmsg = '05:19.0Z Some-Server-Name Events - EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version="1.0" encoding="utf-8"?><UpdateEvents><MachineInfo><AgentGUID>{00000000-0000-0000-0000-000000000000}</AgentGUID><MachineName>Some-Machine</MachineName><RawMACAddress>112233445566</RawMACAddress><IPAddress>1.1.2.3</IPAddress><AgentVersion>1.2.3.123</AgentVersion><OSName>Windows 41</OSName><TimeZoneBias>-10</TimeZoneBias><UserName>myName</UserName></MachineInfo><BrandCommonUpdater ProductName="Brand Agent" ProductVersion="1.0.0" ProductFamily="AVP"><UpdateEvent><EventID>1234</EventID><Severity>0</Severity><GMTTime>2020-00-00T06:41:02</GMTTime><ProductID>SomeName1999</ProductID><Locale>0001</Locale><Error>0</Error><Type>SomeCore</Type><Version>1234.0</Version><InitiatorID>SOMEAGENT3000</InitiatorID><InitiatorType>OnDemand</InitiatorType><SiteName>Some-Server-Name</SiteName><Description>N/A</Description></UpdateEvent></BrandCommonUpdater></UpdateEvents>'
| parse syslogmsg with * " tenantNodePath" * " " xml 
| extend xml=parse_xml(xml)
| extend MachineName =  xml.UpdateEvents.MachineInfo.MachineName
| extend IPAddress =  xml.UpdateEvents.MachineInfo.IPAddress
| where isnotempty(MachineName)
| project 
    MachineName,
    IPAddress

 

 

Edit: Just to clean up the query I have made an adjustment to the solution as suggested by @CliveWatson and Ofer :smile:
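As an added example (my query, not Clive's or the poster's), the accepted solution generalised to run over the live Syslog table: the structured-data header comes out with parse, every XML element and attribute with parse_xml, and the stray character the opening post shows before <?xml is stripped first so parse_xml() does not return null. Syslog, Computer, SyslogMessage and TimeGenerated are Sentinel's own columns; all other field names are taken from the sample message above, and the column names I give them are my choice.

```kusto
// Added example; not from the original thread. Generalises the accepted
// solution from a print statement to the Syslog table in Sentinel.
Syslog
| where Computer contains "Some-Server-Name"
| where SyslogMessage has "EventFwd"        // cheap pre-filter before parsing
// Header layout in the sample message:
//   ... EventFwd [agentInfo@3401 tenantId="0" bpsId="0" tenantGUID="{...}" tenantNodePath="1\2"] <?xml ...
// Each header attribute is captured into its own (string) column; the
// remainder after "] " is the XML payload.
| parse SyslogMessage with * ' EventFwd [' SdId ' tenantId="' TenantId
      '" bpsId="' BpsId '" tenantGUID="' TenantGuid '" tenantNodePath="' TenantNodePath '"] ' XmlPayload
// Assumption: the odd character the opening post shows between "] " and
// <?xml is a byte-order mark or similar junk from the forwarder. Dropping
// everything before the first '<' keeps parse_xml() from returning null.
| extend XmlPayload = trim_start(@'[^<]+', XmlPayload)
| extend Xml = parse_xml(XmlPayload)
| extend MachineInfo = Xml.UpdateEvents.MachineInfo,
         Updater     = Xml.UpdateEvents.BrandCommonUpdater
// parse_xml() exposes child elements as plain properties and element
// attributes as "@Name" properties, hence the bracket lookups below.
| extend MachineName   = tostring(MachineInfo.MachineName),
         IPAddress     = tostring(MachineInfo.IPAddress),
         UserName      = tostring(MachineInfo.UserName),
         AgentVersion  = tostring(MachineInfo.AgentVersion),
         ProductName   = tostring(Updater['@ProductName']),
         ProductFamily = tostring(Updater['@ProductFamily']),
         EventID       = toint(Updater.UpdateEvent.EventID),
         Severity      = toint(Updater.UpdateEvent.Severity),
         Error         = toint(Updater.UpdateEvent.Error),
         InitiatorType = tostring(Updater.UpdateEvent.InitiatorType),
         EventTimeUtc  = todatetime(Updater.UpdateEvent.GMTTime)  // null for the redacted "2020-00-00" sample
| where isnotempty(MachineName)             // rows whose payload did not parse drop out here
// | where Error != 0 or Severity > 0        // uncomment to keep only failed or non-zero-severity update events
| project TimeGenerated, Computer, SdId, TenantId, TenantGuid, MachineName, IPAddress, UserName,
          AgentVersion, ProductName, ProductFamily, EventID, Severity, Error, InitiatorType, EventTimeUtc
```

The typed columns (EventID, Severity, Error, EventTimeUtc) are what make this usable as the basis of an analytics rule; left as dynamic, comparisons such as Error != 0 would compare strings.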

 

@TS-noodlemctwoodle 

 

Glad to help, and thanks also to Ofer for the cool use of parse in the example.