winlogToJsonUDF
Convert unstructured Windows logs to JSON format so values can be extracted by keys.
Usage details
LQL Command
winlogToJsonUDF(fieldname)
--fieldname: Column name of a table
Example
Input
Win32 event
instance of Win32_NTLogEvent
{
Computer = "US1-VPEXMA90.example.com";
...
Category = 12548;
CategoryString = "Special Logon";
Message = "Special privileges assigned to new logon.
Subject:
Security ID: example\SVC_SolarWMI
Account Name: SVC_SolarWMI
Account Domain:
Logon ID: 0x660870ee
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege";
InsertionStrings = {"S-1-5-21-1939467313-459414247-2469239425-51005", "SVC_SolarWMI", "example", "0x660870ee", "SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege"};
};
LQL command
select winlogToJsonUDF(_raw) as jsonField from table
Output
Resulting jsonField column.
JSON
"Account Name" can now be extracted from jsonField (the JSON produced by the UDF, or a raw Windows log). The returned value is "SVC_SolarWMI".
"$.Subject.Account Name" is used in the LQL (the exact key, space included) because "Account Name" is a subfield of the "Subject" field.
LQL
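The following Python example is added here to show what a conversion like winlogToJsonUDF has to do with the Message body of a Windows event; it is not the product's own implementation. It assumes the message uses the tab indentation native Windows Security events carry (the rendering above lost those tabs), treats a "Key:" line with nothing after it as a section whose more-indented lines are its subfields, and folds continuation lines such as the extra privileges into a list. The sample message is constructed in the shape of the event above, the "Description" key for the first line is this example's own choice, and lookup() is a minimal stand-in for the "$.Subject.Account Name" path syntax used in the LQL, not the real path evaluator.

```python
import json
import re

# Constructed sample in the shape of the page's Win32_NTLogEvent Message (event 4672),
# with the tab indentation Windows uses. Values are placeholders from the page, not live data.
SAMPLE_MESSAGE = (
    "Special privileges assigned to new logon.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1939467313-459414247-2469239425-51005\n"
    "\tAccount Name:\t\tSVC_SolarWMI\n"
    "\tAccount Domain:\t\texample\n"
    "\tLogon ID:\t\t0x660870ee\n"
    "\n"
    "Privileges:\t\tSeSecurityPrivilege\n"
    "\t\t\tSeBackupPrivilege\n"
    "\t\t\tSeRestorePrivilege\n"
    "\t\t\tSeTakeOwnershipPrivilege\n"
)

# "Key: value" where the key is everything before the first colon.
_KEY_VALUE = re.compile(r"^([^:]+?):\s*(.*)$")


def _indent(line):
    """Leading tabs/spaces give the nesting level of a line."""
    return len(line) - len(line.lstrip(" \t"))


def winlog_message_to_dict(message):
    """Parse a Windows event Message body into a nested dict.

    * "Key:" with no value opens a section; lines indented deeper than it are its fields
    * "Key: value" sets a field in the innermost open section
    * a line without a colon, indented deeper than the previous field, continues that
      field (the value becomes a list)
    * other colon-free lines (the first line, trailing explanation) form "Description"
    * a "Key:" with nothing indented beneath it is kept as an empty-string field
    """
    root = {}
    stack = [(-1, root, None, None)]  # (indent, section, parent, key)
    last_field = None                 # (indent, section, key) of the latest "Key: value"
    description = []

    def close_to(indent):
        # Leave every section the current line is not indented under.
        while len(stack) > 1 and indent <= stack[-1][0]:
            _, section, parent, key = stack.pop()
            if not section:
                parent[key] = ""      # "Key:" that had no subfields is just an empty field

    for raw in message.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = _indent(raw)
        close_to(indent)
        section = stack[-1][1]

        m = _KEY_VALUE.match(line)
        if m is None:
            if last_field is not None and indent > last_field[0]:
                _, sec, key = last_field
                prev = sec[key]
                sec[key] = (prev if isinstance(prev, list) else [prev]) + [line]
            else:
                description.append(line)
            continue

        key, value = m.group(1).strip(), m.group(2).strip()
        if value:
            section[key] = value
            last_field = (indent, section, key)
        else:
            child = {}
            section[key] = child
            stack.append((indent, child, section, key))
            last_field = None

    close_to(-1)
    if description:
        return {"Description": " ".join(description), **root}
    return root


def winlog_to_json(message):
    """The UDF-style view: the message as a JSON document."""
    return json.dumps(winlog_message_to_dict(message), indent=2)


def lookup(obj, path):
    """Resolve a "$.A.B" path such as "$.Subject.Account Name"; keys may contain spaces."""
    if not path.startswith("$."):
        raise ValueError("path must start with '$.'")
    cur = obj
    for part in path[2:].split("."):
        cur = cur[part]
    return cur


if __name__ == "__main__":
    print(winlog_to_json(SAMPLE_MESSAGE))
    print(lookup(winlog_message_to_dict(SAMPLE_MESSAGE), "$.Subject.Account Name"))
```

Indentation, not blank lines, decides nesting: that is why "Account Name" lands under "Subject" while "Privileges" stays at the top level, and why a field such as "Account Domain:" left empty does not swallow the fields after it.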