dave8thomas
Sep 24, 2019
Copper Contributor
Querying AAD Audit Logs
Hello all, I am piping my AAD audit logs to Log Analytics through the Diagnostic Logs, and then I want to set up some alerts if users are added to certain administrator roles. I have got thi...
CliveWatson
Microsoft
Sep 24, 2019
Hi dave8thomas
You could just use ' ' around the string as there are "quotes" in the returned data
E.g.
AuditLogs
| where Category == "RoleManagement"
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = PropertiesJSON[0].modifiedProperties[1]['newValue']
| where role == '"Company Administrator"'
or clean up the returned data
AuditLogs
| where Category == "RoleManagement"
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = trim(@"[^\w]+", tostring(PropertiesJSON[0].modifiedProperties[1]['newValue']) )
| where role == "Company Administrator"
// trims all non-word characters from start and end of the string
// https://docs.microsoft.com/en-us/azure/kusto/query/trimfunction
- dave8thomas, Sep 25, 2019, Copper Contributor
Awesome, thanks Clive!! It's the simple things in life .. like quotes! 🙂
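
Added example, not part of the original thread or of anyone's reply: the queries above read `modifiedProperties[1]` by position and then match or trim the embedded quotes. This variant goes one step further by selecting the property by its `displayName` and decoding the JSON-encoded `newValue`. The sample rows, the use of `Role.DisplayName` as the selector, and the `WatchedRoles` list are assumptions made for illustration.

```kusto
// Constructed rows shaped like AuditLogs RoleManagement records (not real data).
// newValue holds a JSON-encoded string, so the role name arrives wrapped in quotes.
let SampleAuditLogs = datatable(TimeGenerated: datetime, Category: string,
                                OperationName: string, TargetResources: string)
[
    // Role.DisplayName at index 1, as the queries in the thread expect
    datetime(2019-09-24 10:00:00), "RoleManagement", "Add member to role",
    @'[{"userPrincipalName":"alice@contoso.example","modifiedProperties":[{"displayName":"Role.ObjectID","newValue":"\"00000000-0000-0000-0000-000000000001\""},{"displayName":"Role.DisplayName","newValue":"\"Company Administrator\""}]}]',
    // Same kind of event with the properties in a different order: index [1] would miss it
    datetime(2019-09-24 11:00:00), "RoleManagement", "Add member to role",
    @'[{"userPrincipalName":"bob@contoso.example","modifiedProperties":[{"displayName":"Role.DisplayName","newValue":"\"Security Administrator\""},{"displayName":"Role.ObjectID","newValue":"\"00000000-0000-0000-0000-000000000002\""}]}]',
    // Role that is not on the watch list
    datetime(2019-09-24 12:00:00), "RoleManagement", "Add member to role",
    @'[{"userPrincipalName":"carol@contoso.example","modifiedProperties":[{"displayName":"Role.ObjectID","newValue":"\"00000000-0000-0000-0000-000000000003\""},{"displayName":"Role.DisplayName","newValue":"\"Directory Readers\""}]}]',
    // Removal, modelled here with the role in oldValue and an empty newValue (assumption)
    datetime(2019-09-24 13:00:00), "RoleManagement", "Remove member from role",
    @'[{"userPrincipalName":"dave@contoso.example","modifiedProperties":[{"displayName":"Role.DisplayName","oldValue":"\"Company Administrator\"","newValue":"\"\""}]}]'
];
// Hypothetical list of roles to alert on
let WatchedRoles = dynamic(["Company Administrator", "Security Administrator"]);
SampleAuditLogs            // replace with AuditLogs when running against the workspace
| where Category == "RoleManagement"
| extend Target = parse_json(TargetResources)[0]
// One row per modified property, so the match no longer depends on array position
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
// Decode the JSON string instead of trimming: "\"Company Administrator\"" -> Company Administrator
| extend role = tostring(parse_json(tostring(Prop.newValue)))
| where role in (WatchedRoles)
| project TimeGenerated, OperationName, User = tostring(Target.userPrincipalName), role
```

Matching on the decoded `newValue` keeps removals out of the result in this sample, because their role name sits in `oldValue`.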