Forum Discussion

AndrewX's avatar
AndrewX
Iron Contributor
Jan 22, 2019
Solved

Help with table join in Log Analytics

Hello, can i please have some help to get this join to work?   From the OfficeActivity table, if there is a result i want to check if there is also a row in the SecurityAlert table and join, probab...
azure monitor
Query Language
  • Stanislav_Zhelyazkov's avatar
    Stanislav_Zhelyazkov
    Jan 24, 2019

    Hi,

    I think you mainly figured it out:

    OfficeActivity
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd hh:mm')
| extend dtAU = format_datetime(TimeGenerated +10h,'yyyy-MM-dd hh:mm')
| extend Folder = parse_json(Folder).Path
| extend DestFolder = parse_json(DestFolder).Path
| extend MessageID = parse_json(AffectedItems)[0].InternetMessageId
| extend Subject = parse_json(AffectedItems)[0].Subject
| where Subject == "New sign-on notification"
| project TimeGenerated,dtUTC,dtAU,UserId,Operation,ResultStatus,Client_IPAddress,ClientInfoString,ClientProcessName,ClientVersion,Subject,Folder,DestFolder,MessageID,OfficeObjectId
| join kind= inner
(SecurityAlert
| extend UserId = json_parse(ExtendedProperties)['User Account']
) on UserId

    I do not have environment to check if fully work but it should be from query perspective. Let me know if this helps.

Stanislav_Zhelyazkov's avatar
Stanislav_Zhelyazkov
MVP
Jan 24, 2019

Hi,

I think you mainly figured it out:

OfficeActivity
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd hh:mm')
| extend dtAU = format_datetime(TimeGenerated +10h,'yyyy-MM-dd hh:mm')
| extend Folder = parse_json(Folder).Path
| extend DestFolder = parse_json(DestFolder).Path
| extend MessageID = parse_json(AffectedItems)[0].InternetMessageId
| extend Subject = parse_json(AffectedItems)[0].Subject
| where Subject == "New sign-on notification"
| project TimeGenerated,dtUTC,dtAU,UserId,Operation,ResultStatus,Client_IPAddress,ClientInfoString,ClientProcessName,ClientVersion,Subject,Folder,DestFolder,MessageID,OfficeObjectId
| join kind= inner
(SecurityAlert
| extend UserId = json_parse(ExtendedProperties)['User Account']
) on UserId

I do not have environment to check if fully work but it should be from query perspective. Let me know if this helps.

AndrewX's avatar
AndrewX
Iron Contributor
Jan 26, 2019
Hmm thank you for this, with this slight mod, namely casting it tostring() - it is now working.

| join kind= inner
(SecurityAlert
| extend UserId = tostring(parse_json(ExtendedProperties)['User Account'])
) on UserId

Resources