Forum Discussion

Deleted
Apr 24, 2019
Solved

How to extract a field without the +- buttons

Hello, I'm new to this.

I was trying the following line as part of my query:

   | project TargetUsername = parse_json(TargetResources).["userPrincipalName"]

without success. I also noticed that, unlike other attributes, I don't have the +- in this one.

How can I extract the attribute in the userPrincipalName? (It's an Azure AD-Add user event)

Thank you.

  • Deleted

    Hi,

    This example might help you.

    AuditLogs
    | where SourceSystem == "Azure AD"
    // TargetResources is an array; [0] selects its first element
    | extend PropertiesJSON = parse_json(TargetResources)
    | extend myUser = PropertiesJSON[0].userPrincipalName
    | where isnotempty(myUser)
    | project myUser

    If the data was a level lower, the technique is:

    AzureActivity
    | where ResourceId has "virtualmachines"
    | where Properties has "policyAssignmentSku"
    | extend PropertiesJSON = parse_json(Properties)
    // policies is converted with tostring() and parsed again before indexing into it
    | extend PoliciesJson = parse_json(tostring(PropertiesJSON.policies))
    | extend PolicyAssignmentSkuTier = PoliciesJson[0].policyAssignmentSku.tier
    | extend PolicyAssignmentSkuName = PoliciesJson[0].policyAssignmentSku.name
    | project PolicyAssignmentSkuTier, PolicyAssignmentSkuName, PoliciesJson
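
Added example, not part of the original thread: the same extraction generalized with mv-expand, so the user object is found wherever it sits in the TargetResources array rather than only at index 0. The table SampleAuditLogs, its rows, the operation names and the contoso.example addresses are constructed for illustration, and the element order in the second row is an assumption.

```kusto
// Constructed sample rows shaped like AuditLogs events (not real data).
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, TargetResources: dynamic)
[
    datetime(2019-04-24 10:00:00), "Add user",
        dynamic([{"type": "User", "userPrincipalName": "alice@contoso.example"}]),
    // Assumed ordering: the user object is the second array element here.
    datetime(2019-04-24 10:05:00), "Add member to group",
        dynamic([{"type": "Group", "displayName": "Helpdesk"},
                 {"type": "User", "userPrincipalName": "bob@contoso.example"}]),
    // No user object at all: this row must not appear in the result.
    datetime(2019-04-24 10:10:00), "Update policy",
        dynamic([{"type": "Policy", "displayName": "Default"}])
];
SampleAuditLogs
// TargetResources is an array, so a property lookup on the array itself
// (as in the question) yields null. mv-expand emits one row per element.
| mv-expand Target = TargetResources
// tostring() turns the dynamic values into strings so they can be
// compared, joined or summarized without type surprises.
| extend TargetType = tostring(Target.type),
         TargetUsername = tostring(Target.userPrincipalName)
| where TargetType == "User" and isnotempty(TargetUsername)
| project TimeGenerated, OperationName, TargetUsername
```

On the constructed rows this returns alice@contoso.example and bob@contoso.example; a query that indexes only `[0]` would miss the second one.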
    
