Grafana Loki Query for Windows Event Logs

[hack3rcon]

Hello,
I am sending Windows Event Logs to Grafana Loki server via Grafana Alloy. Windows logs are probably in XML format. Something like below:

{
  "source": "Microsoft-Windows-Security-Auditing",
  "channel": "Security",
  "computer": "DESKTOP-1PNH21K",
  "event_id": 4663,
  "version": 1,
  "task": 12800,
  "levelText": "Information",
  "taskText": "File System",
  "opCodeText": "Info",
  "keywords": "Audit Success",
  "timeCreated": "2025-02-16T06:03:34.1553431Z",
  "eventRecordID": 139427,
  "execution": {
    "processId": 4,
    "threadId": 312,
    "processName": "System"
  },
  "event_data": "<Data Name='SubjectUserSid'>S-1-5-21-2104788189-4142446361-3889847816-1001</Data><Data Name='SubjectUserName'>Grafana</Data><Data Name='SubjectDomainName'>DESKTOP-1PNH21K</Data><Data Name='SubjectLogonId'>0x36891</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\\Users\\Grafana\\Desktop\\Test</Data><Data Name='HandleId'>0x2378</Data><Data Name='AccessList'>%%4423</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\\Windows\\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>",
  "message": "An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x36891\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\r\n\tHandle ID:\t\t0x2378\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x1218\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80"
}

I want to extract the hostname, username, file or folder name, and date and time information from IDs 4660 and 4663. I wrote a query like the following:

{job="windows-security"} 
| json 
| event_id =~ "4660|4663" 
| line_format "{{.computer}} | {{.SubjectUserName}} | {{.timeCreated}} | {{.ObjectName}} | {{.ObjectType}} | {{.message}}"

The output is as follows:
2025-02-16 13:14:39.127 DESKTOP-1PNH21K | | 2025-02-16T09:44:39.1272425Z | | | An attempt was made to access an object
As you can see, it is not possible to extract information from the event_data section.

How to solve it?

Thank you.

[hack3rcon]

I wrote the following query:

{job="windows-security"} | json | event_id=4660 or event_id=4663 | line_format "{{ .computer }} | {{ .timeCreated }} | {{ regexReplaceAll `(?i).*<Data Name='SubjectUserName'>([^<]+)</Data>.*` .event_data `$1` }} |  {{ regexReplaceAll `(?i).*<Data Name='ObjectName'>([^<]+)</Data>.*` .event_data `$1` }} | {{ regexReplaceAll `(?i).*<Data Name='ObjectType'>([^<]+)</Data>.*` .event_data `$1` }}"

and output is:

DESKTOP-1PNH21K | 2025-02-16T11:46:24.6644245Z | Grafana
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data> |  C:\Users\Grafana\Desktop\Test
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data> | File
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>

How can I remove extra information like </Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>?