winlogToJsonUDF

Converts unstructured Windows logs to JSON so that individual values can be extracted by key.

Usage Details

LQL Command

winlogToJsonUDF(fieldname) -- fieldname: the column of the table that holds the raw Windows log text

Example

Input

Win32 event

```
instance of Win32_NTLogEvent { Computer = "US1-VPEXMA90.example.com"; ... Category = 12548; CategoryString = "Special Logon"; Message = "Special privileges assigned to new logon. Subject: Security ID: example\SVC_SolarWMI Account Name: SVC_SolarWMI Account Domain: Logon ID: 0x660870ee Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege"; InsertionStrings = {"S-1-5-21-1939467313-459414247-2469239425-51005", "SVC_SolarWMI", "example", "0x660870ee", "SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege"}; };
```

LQL command

select winlogToJsonUDF(_raw) as jsonField from table

Output

The resulting jsonField column (the backslash in the Security ID is escaped, as JSON requires):

```json
{
  "Message": "Special privileges assigned to new logon.",
  "Subject": {
    "Security ID": "example\\SVC_SolarWMI",
    "Account Name": "SVC_SolarWMI",
    "Account Domain": "",
    "Logon ID": "0x660870ee"
  },
  "Privileges": ["SeSecurityPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"]
}
```
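The conversion above can be reproduced outside the query engine, which is useful when validating what the UDF should return for a given event or when building detections that need the same keys. The following is an added example written for this page, not the product's own implementation of winlogToJsonUDF: it pulls the Message property out of the Win32_NTLogEvent text, cuts the message at the "Subject:" and "Privileges:" section labels and at the field labels inside Subject, and emits the same nested structure. The label lists, the function names, and the assumption that the message contains no embedded double quotes are choices made for the example; the sample event is the one quoted on this page with the elided properties dropped.

```python
import json
import re

# Constructed sample: the Win32_NTLogEvent instance quoted on this page, with the
# elided properties ("...") left out. A raw string keeps the backslash literal.
RAW_EVENT = r'''instance of Win32_NTLogEvent { Computer = "US1-VPEXMA90.example.com"; Category = 12548; CategoryString = "Special Logon"; Message = "Special privileges assigned to new logon. Subject: Security ID: example\SVC_SolarWMI Account Name: SVC_SolarWMI Account Domain: Logon ID: 0x660870ee Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege"; };'''

# Labels recognised in the message text. Assumption: these are the section and
# field labels of the "Special privileges assigned to new logon" event; the label
# set used by the real UDF is not documented on the page.
SECTION_LABELS = ("Subject", "Privileges")
FIELD_LABELS = ("Security ID", "Account Name", "Account Domain", "Logon ID")
LIST_SECTIONS = {"Privileges"}  # sections whose value is a whitespace-separated list


def extract_message(raw):
    """Return the Message property of the Win32_NTLogEvent text.
    Assumes the message itself contains no embedded double quotes."""
    m = re.search(r'Message = "([^"]*)"', raw)
    if not m:
        raise ValueError("no Message property found in event text")
    return m.group(1)


def _split_labeled(text, labels):
    """Cut text at every 'Label:' and return (text before the first label,
    [(label, value), ...]). A label followed directly by another label yields
    an empty value, which is how 'Account Domain: Logon ID: ...' becomes
    Account Domain = ''."""
    pattern = re.compile("(" + "|".join(re.escape(l) for l in labels) + r"):")
    pieces = pattern.split(text)          # [before, label, value, label, value, ...]
    leading = pieces[0].strip()
    pairs = [(pieces[i], pieces[i + 1].strip()) for i in range(1, len(pieces) - 1, 2)]
    return leading, pairs


def message_to_dict(message):
    """Turn the flat message text into the nested structure shown on this page."""
    summary, sections = _split_labeled(message, SECTION_LABELS)
    result = {"Message": summary}
    for name, body in sections:
        if name in LIST_SECTIONS:
            result[name] = body.split()   # privilege names are space separated
        else:
            _, fields = _split_labeled(body, FIELD_LABELS)
            result[name] = dict(fields)
    return result


def raw_winlog_to_json(raw):
    """Counterpart of `select winlogToJsonUDF(_raw)`: raw event text -> JSON string."""
    return json.dumps(message_to_dict(extract_message(raw)), indent=2)


if __name__ == "__main__":
    print(raw_winlog_to_json(RAW_EVENT))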

Related content

To json (jsonparse)
To json (jsonparse)
More like this
extractFieldInJSON
extractFieldInJSON
More like this
parseJson
parseJson
More like this
jsonToColumns
jsonToColumns
More like this