Sysmon and log Parse using KQL on Azure Sentinel

M'hirsi Hamza
3 min readJan 8, 2022

Hi Medium! Here we are again with a new article.

In this article, we will go through different tools and techniques that should be known to retrieve information from a target system and review its log on the Sentinel Azure platform.


  1. What is Sysmon
  2. Setup the environment
  3. Sysmon installation script
  4. Parse Events
  5. Conclusion

What is Sysmon?

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. — Source

However, Sysmon can be collected from any machine even from Linux, to have more details you can check Mando_elnino article Sysmon for log collection and analysis in elastic SIEM

Setup the environment

To set the environment for the log collection on Sentinel you can check this article Set a Sentinel environment and start collecting Windows logs on Azure

Sysmon installation script

For an automated install script, you can check this link on Github, that will walk you through the installation.

Powershell script of Sysmon installation

Parse Events

As we saw in the previous Article, the output of logs is not specific and not useful as most of the important information that we can collect in each log line.

To parse an event, we will need to run a script that will order the data by column, so we need to run a script called an ‘event parser’ that we can find on GitHub, here is a link:

In my case, I used the following code:

Using that function we will be able to retrieve a clearer log:

We can also store the function for later use if none of us want to rewrite it each time, and we can use it in other KQL scripts:


In this article, we checked how we can parse logs using KQL and how we can have a better view of logs.
In the next articles, we will talk more about more features on Sentinel, stay connected ;)

Hey, I hope that you enjoyed my article, if you have something to add or to correct please don’t hesitate to write a comment, see you soon ^^!



M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity