Forum Discussion
Using KQL queries to dive into dynamic arrays Azure Log Analytics
I'm running this command to break out the dynamic arrays
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)
But I have these arrays that appear to have these index numbers and data within them is different between each data type:
How would I go about referencing each of these and their subsequent values?
4 Replies
If you know the Index number and field, then you can modify a query like this one to suit?
SecurityAlert //| where DisplayName == "Detected suspicious DNS resolution" | extend entities = todynamic(Entities) | project AlertName , TimeGenerated, Description = parse_json(entities[0].HostName) , osFamily =parse_json(entities[1].OSFamily)CliveWatson, What if I have a scenario where multiple IPs and users are under entities field?
What I am trying to do is get the IP addresses under one single variable and the list of user IDs under another one!
CliveWatson extending the commands to expand out index 0
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)
| extend mydisc = todynamic(propertiesTargets[0].ModifiedProperties)What I've seen is as I continue to dig deeper into the properties, the ModifiedProperties field varies based on the specific operation, which makes it painful to determine the values I can consistently pull
I'm not familiar with the Intune data, this maybe a question for the Intune team - in case they have some plans for standardizing this data/fields, or so they get visibility? https://techcommunity.microsoft.com/t5/Microsoft-Intune/bd-p/Microsoft-Intune
