Good afternoon. I was working with our SIEM today and was attempting to export results for failed login attempts against an AD behind an externally facing Netscaler gateway.
My original query was as follows (omitting client data of course):
from logs | where winlog.system.EventID=="4625" | where host.hostname=="DOMAIN-CONTROLLER"
Exporting this query does not export any nested data within the log entries; it only exports the current table view in the web UI. This did, however, compile successfully into a CSV.
I edited my query to this:
from logs | where winlog.system.EventID=="4625" | where host.hostname=="DOMAIN-CONTROLLER" | keep winlog.event_data.TargetUserName
After exporting this query, the zip file contained individual files for every log entry pulled.
The filename was each column separated by commas, and the file type was part of the username.
Although I was able to accomplish my goal today with the export in its current state, I do realize that this is likely not the intended result for the export feature and the KEEP switch.
Ideally, I would like to see relevant nested data lifted to the table on the web UI from the initial query without the KEEP switch altogether. If I'm querying for failed Windows login event IDs, I would expect to also see the username and target host come up in the table.
That's my two bits!! Hope this helps!
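As an added example (not part of the original post or the SIEM vendor's code), the script below does offline what the post asks the export to do: it flattens the nested winlog fields into dotted column names and writes one CSV with a row per 4625 event for the chosen host, instead of one file per row. The sample events are constructed, and the IpAddress column is an assumption about which extra field a reader would want.

```python
import csv
import io

# Constructed sample events (no real client data): two 4625 failures on the
# domain controller, one 4624 success there, and one 4625 on another host.
SAMPLE_EVENTS = [
    {"host": {"hostname": "DOMAIN-CONTROLLER"},
     "winlog": {"system": {"EventID": "4625"},
                "event_data": {"TargetUserName": "jdoe", "IpAddress": "203.0.113.5"}}},
    {"host": {"hostname": "DOMAIN-CONTROLLER"},
     "winlog": {"system": {"EventID": "4624"},
                "event_data": {"TargetUserName": "jdoe", "IpAddress": "203.0.113.5"}}},
    {"host": {"hostname": "DOMAIN-CONTROLLER"},
     "winlog": {"system": {"EventID": "4625"},
                "event_data": {"TargetUserName": "svc_backup", "IpAddress": "198.51.100.9"}}},
    {"host": {"hostname": "FILE-SERVER"},
     "winlog": {"system": {"EventID": "4625"},
                "event_data": {"TargetUserName": "asmith", "IpAddress": "192.0.2.77"}}},
]

# Columns to lift into the table; IpAddress is an assumed extra field.
COLUMNS = ("winlog.event_data.TargetUserName", "host.hostname", "winlog.event_data.IpAddress")


def flatten(record, prefix=""):
    """Turn nested dicts into dotted keys, e.g. winlog.event_data.TargetUserName."""
    out = {}
    for key, value in record.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def failed_logons(events, hostname, keep=COLUMNS):
    """Same filter as the post's query: EventID 4625 on one host, keeping chosen fields."""
    rows = []
    for event in events:
        flat = flatten(event)
        if flat.get("winlog.system.EventID") != "4625" or flat.get("host.hostname") != hostname:
            continue
        rows.append({col: flat.get(col, "") for col in keep})
    return rows


def to_csv(rows, columns=COLUMNS):
    """One CSV text with a header and one row per event (not one file per row)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(columns))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```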