Agent Foskett Academy • Lesson 23 • Extracting Evidence with parse

Extracting Evidence with parse

Sometimes the evidence is right there in the logs.
The problem is that it is buried inside a longer string.
Like a clue hiding in a sock drawer full of command lines, URLs and suspicious-looking nonsense.

A command line might contain a downloaded URL. A file path might contain the username. An email subject might contain a ticket number. A device event might contain structured details that are useful, but not yet separated into clean columns.

In this Agent Foskett Academy lesson, you will learn how defenders use the KQL parse operator to extract structured evidence from messy Microsoft Defender XDR and Microsoft Sentinel telemetry.

Lesson overview

Learn how parse helps defenders turn messy strings into clean investigation columns.

Understand parse
Extract evidence from strings
Build cleaner investigation results
🎯 parse turns messy fields into useful evidence.
Instead of staring at one long field, you can extract the exact values you need into new columns.

Why parse matters

The parse operator helps you extract values from text fields when the data follows a recognisable structure.

This is useful when important evidence is trapped inside a command line, URL, folder path, subject line or message string.

Instead of copying values manually, parse lets the query create new columns for the parts of the string that matter.
Extract useful values: pull out usernames, domains, URLs, file paths, arguments and other evidence from longer strings.
Create cleaner columns: turn messy telemetry into readable investigation output that is easier to sort, filter and explain.
Support repeatable hunting: build reusable queries that extract the same evidence every time the pattern appears.

Investigation scenario

An analyst is reviewing a suspicious PowerShell execution after a phishing investigation.

The command line contains a URL, a downloaded script name and several arguments. The evidence is visible, but it is all sitting inside one long command-line field.

The analyst uses parse to extract the important values into separate columns so the investigation becomes easier to read.

Step 1 — Extract a URL from a command line

Use parse when the command line has a predictable pattern and you want to extract the value between two pieces of text.
parse-url-from-commandline.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// has matches whole terms, so "http" on its own would not match a command line that only contains https
| where ProcessCommandLine has_any ("http", "https")
// "*" skips to the first "http"; UrlTail is everything after it up to the next space (the scheme itself is not captured)
| parse ProcessCommandLine with * "http" UrlTail " " *
// put the scheme back; rows where the pattern did not match stay empty instead of becoming the bare string "http"
| extend ExtractedUrl = iff(isnotempty(UrlTail), strcat("http", UrlTail), "")
| project Timestamp, DeviceName, AccountName, FileName, ExtractedUrl, ProcessCommandLine
| sort by Timestamp desc

Step 2 — Extract a username from a folder path

Folder paths often contain useful context, such as the local user profile involved in the activity.
parse-user-from-folderpath.kql
DeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath startswith @"C:\Users\"
// LocalUser is the text between "C:\Users\" and the next backslash, i.e. the profile folder name
// (startswith is case-insensitive, the parse anchor is not: a lower-case c:\users\ path passes the filter but does not parse)
| parse FolderPath with @"C:\Users\" LocalUser @"\" *
| project Timestamp, DeviceName, LocalUser, FileName, FolderPath, ActionType
| sort by Timestamp desc

Step 3 — Extract a domain from an email address

parse can split values such as email addresses when the structure is consistent.
parse-domain-from-email.kql
EmailEvents
| where Timestamp > ago(30d)
| parse SenderFromAddress with SenderName "@" SenderDomain
| project Timestamp, SenderFromAddress, SenderDomain, RecipientEmailAddress, Subject, DeliveryAction
| sort by Timestamp desc

What parse does

The parse operator reads a text field and extracts values based on a pattern you describe.

The fixed text parts act like anchors. The names you provide become new columns.

In simple terms, you are telling KQL: find this structure, then place the important pieces into these new fields.
Source field: the original field you are parsing, such as ProcessCommandLine, FolderPath or SenderFromAddress.
Pattern: the fixed text and placeholders that describe where the evidence appears.
New columns: the extracted values that appear as new fields in your query results.
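The anchor-and-placeholder behaviour described above, and the Step 1 URL pattern, run on constructed rows instead of a live DeviceProcessEvents table. This is an added example and not code from the lesson: the device names, command lines and URLs in the datatable are made up, and the second, padded parse is one practitioner's way of hardening the pattern rather than anything the lesson prescribes. It can be pasted into a Defender XDR or Sentinel query editor as-is.

```kql
// Added example, not from the lesson: a constructed stand-in for DeviceProcessEvents
// so the behaviour of the Step 1 pattern can be seen without querying a tenant.
let SampleProcessEvents = datatable(DeviceName:string, ProcessCommandLine:string)
[
    // URL in the middle of the line and followed by a space: parses cleanly
    "wks-01", @"powershell.exe -Command Invoke-WebRequest http://files.example.test/update.ps1 -OutFile u.ps1",
    // https: the filter must list it as its own term, and the anchor "http" stops before the "s"
    "wks-02", @"powershell.exe -ExecutionPolicy Bypass -File https://cdn.example.test/tool.ps1 -quiet",
    // URL is the last token: nothing follows it for the " " anchor to match, so the lesson pattern returns nothing
    "wks-03", @"powershell.exe -Command Invoke-WebRequest http://files.example.test/last.ps1",
    // upper-case scheme: passes the case-insensitive term filter, misses the case-sensitive parse anchor
    "wks-04", @"powershell.exe -Command Invoke-WebRequest HTTP://FILES.EXAMPLE.TEST/a.ps1 -UseBasicParsing"
];
SampleProcessEvents
// has_any matches whole terms, case-insensitively; "https" is a separate term from "http"
| where ProcessCommandLine has_any ("http", "https")
// lesson pattern: "*" skips to the first "http", UrlTail takes everything up to the next space
| parse ProcessCommandLine with * "http" UrlTail " " *
// hardened variant: parse a copy with a trailing space so a URL at the end of the line still has a terminator
| parse strcat(ProcessCommandLine, " ") with * "http" UrlTailPadded " " *
// restore the scheme only on rows that actually matched
| extend ExtractedUrl = iff(isnotempty(UrlTailPadded), strcat("http", UrlTailPadded), "")
| project DeviceName, UrlTail, ExtractedUrl, ProcessCommandLine
```

Under the lesson pattern only the first two rows get a UrlTail, and the second one starts with s:// because the anchor stops after the four characters of "http"; strcat puts the scheme back correctly for both. The third row is empty under the lesson pattern because the URL is the last token and there is no space for the " " anchor; parsing the padded copy recovers it. The fourth row stays empty in both variants, since has_any is case-insensitive while the parse anchor is not, so a row can pass the filter and still not parse. Filtering on isnotempty(ExtractedUrl) before joins or reports keeps those rows from being carried forward.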

Step 4 — Extract a ticket number from an email subject

When subject lines follow a repeated format, parse can extract the part you care about.
parse-ticket-number-subject.kql
EmailEvents
| where Timestamp > ago(30d)
| where Subject startswith "Ticket "
| parse Subject with "Ticket " TicketNumber ":" TicketSummary
| project Timestamp, SenderFromAddress, RecipientEmailAddress, TicketNumber, TicketSummary, Subject
| sort by Timestamp desc

Step 5 — Extract command arguments

parse can help separate a command, option or suspicious argument from the rest of the command line.
parse-command-arguments.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "-File")
// splits on the first two spaces; a quoted executable path that contains a space is cut at that space
| parse ProcessCommandLine with Command " " FirstArgument " " RemainingArguments
| project Timestamp, DeviceName, AccountName, Command, FirstArgument, RemainingArguments, ProcessCommandLine
| sort by Timestamp desc
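The Step 5 pattern splits on the first two spaces, which goes wrong when the executable path is quoted and contains a space. The following is an added example on constructed command lines, not code from the lesson: the quoted form gets its own parse pattern anchored on the quote characters, and iff picks whichever result applies to each row. The command lines, paths and the base64 argument are invented.

```kql
// Added example, not from the lesson: two constructed command lines standing in for
// DeviceProcessEvents.ProcessCommandLine.
let SampleProcessEvents = datatable(ProcessCommandLine:string)
[
    // plain executable name: the lesson pattern splits it correctly (base64 argument is a constructed dummy)
    @'powershell.exe -EncodedCommand ZQBjAGgAbwA= -NoProfile',
    // quoted path with a space: splitting on the first two spaces cuts inside "Program Files"
    @'"C:\Program Files\Vendor\tool.exe" -File C:\Temp\run.ps1 -quiet'
];
SampleProcessEvents
// lesson pattern: first token, second token, rest of the line
| parse ProcessCommandLine with PlainCommand " " PlainFirstArgument " " PlainRemainingArguments
// quote-anchored pattern: the command is whatever sits between the opening quote and the closing quote-plus-space
| parse ProcessCommandLine with '"' QuotedCommand '" ' QuotedFirstArgument " " QuotedRemainingArguments
| extend IsQuoted = ProcessCommandLine startswith '"'
| project ProcessCommandLine,
          Command            = iff(IsQuoted, QuotedCommand, PlainCommand),
          FirstArgument      = iff(IsQuoted, QuotedFirstArgument, PlainFirstArgument),
          RemainingArguments = iff(IsQuoted, QuotedRemainingArguments, PlainRemainingArguments)
```

On the first row only the plain pattern matches and the quoted placeholders come back empty. On the second row the plain pattern returns "C:\Program as the command and Files\Vendor\tool.exe" as the first argument, while the quote-anchored pattern returns the full path as Command and -File as FirstArgument; the iff expressions select the correct pair per row.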

Step 6 — Use parse with parameters

You can combine parse with let statements to make investigations easier to reuse.
parse-with-parameters.kql
let Lookback = 7d;
let SuspiciousTerms = dynamic(["http", "https"]);   // has matches whole terms, so https needs its own entry
DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where ProcessCommandLine has_any (SuspiciousTerms)
// UrlTail is everything after the first "http" up to the next space; the scheme itself is not captured
| parse ProcessCommandLine with * "http" UrlTail " " *
| extend ExtractedUrl = iff(isnotempty(UrlTail), strcat("http", UrlTail), "")   // restore the scheme on matched rows only
| project Timestamp, DeviceName, AccountName, ExtractedUrl, ProcessCommandLine
| sort by Timestamp desc

Investigator notes

Use parse when the field has a predictable structure and you want to extract part of it into a new column.

If the structure changes too much, parse may miss results. In that case, start broader with contains, has_any or matches regex, then parse the results once you understand the pattern.
Look for structure: parse works best when values follow a repeated format or contain reliable separators.
Validate the output: check extracted columns before relying on them in filters, joins or reports.
Use it after hunting: find the suspicious activity first, then parse the fields to make the evidence clearer.
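The two notes above, validating the extracted columns and starting broader before parsing, on constructed subject lines that stand in for EmailEvents.Subject. This is an added example, not code from the lesson, and the ticket subjects are invented. It also uses a typed placeholder (TicketNumber:long), which the lesson does not cover: when the captured text is not numeric the number comes back null, which makes a bad match easy to count.

```kql
// Added example, not from the lesson: constructed subject lines standing in for EmailEvents.Subject.
let SampleEmail = datatable(Subject:string)
[
    "Ticket 10482: VPN access request",
    "Ticket 10483: Password reset for finance",
    "Re: Ticket 10482: VPN access request",   // reply prefix: a pattern anchored on "Ticket " cannot start here
    "Ticket ABC: Malformed ticket number",     // not numeric: the :long placeholder yields null
    "Urgent - invoice attached"                // not a ticket at all
];
// Lesson-style pass: anchored at the start of the subject, with a typed number
let Anchored = SampleEmail
    | parse Subject with "Ticket " TicketNumber:long ": " TicketSummary
    | summarize Rows = count(),
                Parsed = countif(isnotnull(TicketNumber)),
                Missed = make_list_if(Subject, isnull(TicketNumber))
    | extend Method = "anchored";
// Broader pass: a loose regex prefilter first, then parse with a leading * so prefixes such as "Re: " are skipped
let Broad = SampleEmail
    | where Subject matches regex @"Ticket\s+\d+:"
    | parse Subject with * "Ticket " TicketNumber:long ": " TicketSummary
    | summarize Rows = count(),
                Parsed = countif(isnotnull(TicketNumber)),
                Missed = make_list_if(Subject, isnull(TicketNumber))
    | extend Method = "prefilter then parse";
union Anchored, Broad
| project Method, Rows, Parsed, Missed
```

The anchored pass sees all five rows but parses only the two clean subjects, listing the reply-prefixed subject, the non-numeric ticket and the unrelated subject under Missed. The prefiltered pass sees the three subjects the regex admits and parses all three, because the leading * lets the pattern skip the "Re: " prefix. Comparing Rows with Parsed on real data is the quickest check that a pattern is stable enough to filter or join on, and the Missed list shows which variants the pattern still needs to account for.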
🎓 Agent Foskett Academy — Extract the evidence
You now understand how to use parse to turn messy strings into clean investigation fields.

What you learned

In this lesson, you learned how to use the KQL parse operator to extract structured evidence from text fields.
Using parse: extract useful values from command lines, file paths, email addresses and subject lines.
Creating evidence columns: turn hidden values into clear fields that are easier to sort, filter and explain.
Knowing when to use it: use parse when the source field has a recognisable structure or repeated pattern.

Continue your investigation

The next step is learning how to use extract() when you need regex-powered extraction from more flexible patterns.
