Azure Sentinel Parse Windows System Logs
In this article I'm showing how to connect Windows servers to Azure Sentinel, how to parse System events, and what to do with them.
The Microsoft Monitoring Agent (MMA) can be installed using the wizard or the command line.
Configure System log collection
We need to tell the Log Analytics workspace to collect the System log, as shown below:
Parse events
You can find the query you need to parse the Windows System log in the link below:
You can save the query as a function so you can reuse it in your use cases and in future work:
What to do with it?
Analytics and visualization
The System log is very important: it lets us monitor the system through many use cases, such as detecting a system restart or shutdown, as shown below:
Event
| where EventLog == "System"
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0]) // Keep the first part of RenderedDescription before the ":"
| extend EventDataXml = parse_xml(EventData).DataItem.EventData.Data // Parse EventData as XML for further processing
| mv-expand bagexpansion=array EventDataXml // Expand arrays into rows
| evaluate bag_unpack(EventDataXml) // Convert XML structure to key-value pairs
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "") // Extract attribute names and values
| evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, EventID, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
Recommendation: Don't use the function in scheduled query rules; we will update the article once the bug is fixed.
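As an added example (not a query from the article), here is a scheduled-rule style query for the restart/shutdown use case that inlines the same parsing steps instead of calling the saved function, in line with the recommendation above. Event IDs 1074, 6008 and 41 are the standard Windows System IDs for shutdown initiated, unexpected shutdown and Kernel-Power reboot; the param1..param7 column names used for 1074 are an assumption about that event's EventData layout.

```kql
// Scheduled-rule style query: restarts and shutdowns from the parsed System log.
// The parser steps are inlined rather than called as a saved function.
let lookback = 1h;
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "System"
// 1074 = shutdown/restart initiated (USER32), 6008 = previous shutdown was
// unexpected, 41 = Kernel-Power: system rebooted without a clean shutdown
| where EventID in (1074, 6008, 41)
| extend RenderedDescription = tostring(split(RenderedDescription, ":")[0])
| extend EventDataXml = parse_xml(EventData).DataItem.EventData.Data
| mv-expand bagexpansion=array EventDataXml
| evaluate bag_unpack(EventDataXml)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value), TimeGenerated, Computer, EventID, EventLevelName, UserName, RenderedDescription)
// Assumed layout of the 1074 Data elements: param1 = initiating process,
// param3 = reason, param5 = shutdown type, param7 = initiating user.
// column_ifexists keeps the query valid for 6008/41 rows that lack these columns.
| extend InitiatingProcess = tostring(column_ifexists('param1', '')),
         Reason = tostring(column_ifexists('param3', '')),
         ShutdownType = tostring(column_ifexists('param5', '')),
         InitiatingUser = tostring(column_ifexists('param7', ''))
| project TimeGenerated, Computer, EventID, EventLevelName, RenderedDescription,
          InitiatingProcess, Reason, ShutdownType, InitiatingUser
| order by TimeGenerated desc
```

Unexpected shutdowns (6008, 41) carry no initiating user or process, so an empty InitiatingUser on those rows is expected rather than a parsing failure.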
Cyber Security Specialist (3 years ago): Great job Osama