Azure Azure Log Analytics

Azure Log Analytics – Get Windows Event Description

Posted on Author stefanroth Comment(0)

Bildergebnis für extract icon

There are cases where Microsoft tries to make our live a bit harder than it needs to be. One thing I always struggled with in the old SCOM days and also in the present Azure Log Analytics (ALA) days are Windows event descriptions.

I just had a need to get the event description for a specific Windows event in Azure Log Analytics. In my case it was Event ID 1116 in the Microsoft-Windows-Windows Defender/Operational log. Something like this…

image

Usually we would expect to get some column in ALA which we just could project the data and used it in your query. Well this is just not the case, if I run a query to fetch the data it look like this…

image

…some usable data can be found in RenderedDescription, EventData or in ParameterXml column.

If we just have a close look, RenderedDescription has some wired characters and no real delimiter to distinguish the data. ParameterXML column doesn’t work, because we cannot figure out what data belongs to what field. Everything seems to be <Param>Some funny data</Param>. The only chance we have to parse the data, is to use the EventData column. It seems to be real XML data. If we try to explore it, using an online viewer, we will get the result…

image

…this means we need to play with the built-in ALA XML functions.

To make things short, I played around and a reasonable solution was to parse the XML using the parse_xml() function, then we just convert it into a string, because the next function needs a string as input. In my case I wanted to extract data and decided to extract data from an JSON object. Luckily there is a function called extractjson() which allows us to extract JSON data easily.

So my final solution looks like this to extract the following event description data:

  • ThreatName
  • DetectionTime
  • Severity
  • ErrorDescription
  • DetectionUser
  • Action

The final query looks like this…

image

Event

| where EventID == 1116

| where Source == "Microsoft-Windows-Windows Defender"

| extend eventData = tostring(parse_xml(EventData))

| project eventData

| extend ThreatName = extractjson("$['DataItem']['EventData']['Data'][7]['#text']", eventData )

| extend DetectionTime = extractjson("$['DataItem']['EventData']['Data'][3]['#text']", eventData )

| extend Severity = extractjson("$['DataItem']['EventData']['Data'][9]['#text']", eventData )

| extend ErrorDescription = extractjson("$['DataItem']['EventData']['Data'][33]['#text']", eventData )

| extend DetectionUser = extractjson("$['DataItem']['EventData']['Data'][19]['#text']", eventData )

| extend Action = extractjson("$['DataItem']['EventData']['Data'][37]['#text']", eventData )

| project ThreatName, DetectionTime, Severity, ErrorDescription,DetectionUser,Action

The problem is, that the JSON object has no named properties, there are just #text and @Name as you can see here…

image

…this makes life really hard to extract data. But using the above query, I think it is a reasonable way to get your specific fields.

I hope I could help you and you enjoyed this post. If you think you have a much better / easier way let me know and leave a comment. I am very interested in your solution!

stefanroth
http://www.stefanroth.net

Related Articles
Application Insights Azure Azure Monitor

Azure Monitor – Application Insights Status Monitor v2 (Part 1)

Posted on Author stefanroth

Do you have a .NET application running somewhere in your datacenter or in the cloud and you have the need to monitor it properly? Maybe you need some APM tool or you just want to diagnose, if there are any failure or issues and what it might be causing these problems? In addition, you might […]
ARM Azure Configuration Development OMS Troubleshooting

ARM Template – Deployment Error “[Subscription().SubscriptionId]” The request is invalid…

Posted on Author stefanroth

Recently I authored some ARM stuff in Visual Studio and I had a need for getting the current subscription ID the template is being deployed to.  So there is a helper function you can call like this… “subscriptionId”: “[subscription().subscriptionId]” I used it in the template like this… …but as soon I tried to deploy the […]
Azure Azure Stack Testing

Azure Stack – Deploy Latest Azure Stack Development Kit 1.1809.0.90 on Azure VM

Posted on Author stefanr5

A couple of weeks ago I wrote a blog post how to install Azure Stack Development Kit (ASDK) 1.1018.0.97 on an Azure VM. If we want to test the latest release of Azure Stack (DK) we need to redeploy the entire VM, because there is no supported update nor upgrade process for the ASDK. So […]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.