Hi, i have exported windows Sysmon event logs as XML (as attached) having problems with parsing the part, the Xpath query depends on the number, well, not all logs have the same Data Names with the same order… Is there a way to have a proper parsing with proper field names in single quotes?
/Events/dns:Event/dns:EventData/dns:Data/@Name
/Events/dns:Event/dns:EventData/dns:Data[2]/@Name
sample sysmon.xml (3.3 KB)
Hi @hakandurgut
What is your expected output in this case? The Xpath queries you refer to relates to these fields, but I take it you want to find those based on their name (RuleName/ UtcTime)?
What do you mean with single quotes? Something like [@name=‘RuleName’] to search for the attribute name rather that based on it’s position in the xml?
Your description is not very comprehendible.
oh apologies for my poor expressions
what I am saying is,
if I want to parse xpath under /Events/dns:Event/dns:System without any problem, xpath has its field name
in this example it captures its own field name as EventRecordId
but within the /Events/dns:Event/dns:EventData,
Xpath can only be like
/Events/dns:Event/dns:EventData/dns:Data[6]/@Name
/Events/dns:Event/dns:EventData/dns:Data[7]/@Name
/Events/dns:Event/dns:EventData/dns:Data[9]/@Name
I want to parse them by Data Name values
e.g. if I want to parse
MIRA\hakan
the Xpath will look like
/Events/dns:Event/dns:EventData/dns:Data[13]/@Name
in an other event the 13th. Xpath may be a different field
I am sorry I dont know the right XML terminology to express my question 
Sysmon Event Logs XML.knwf (15.7 KB)
I see @hakandurgut. You are looking for:
/Events/dns:Event/dns:EventData/dns:Data[@Name="User"]
That will extract all information where Data Name="User" within each EventData section.
You can use a similar approach for equivelant fields.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
