Forum Discussion
Using KQL queries to dive into dynamic arrays Azure Log Analytics
I'm running this command to break out the dynamic arrays IntuneAuditLogs | where TimeGenerated > ago(7d) | extend propertiesJson = todynamic(Properties) | extend propertiesTargets = todynamic(...
CliveWatson extending the commands to expand out index 0
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)
| extend mydisc = todynamic(propertiesTargets[0].ModifiedProperties)
What I've seen is as I continue to dig deeper into the properties, the ModifiedProperties field varies based on the specific operation, which makes it painful to determine the values I can consistently pull
I'm not familiar with the Intune data, this maybe a question for the Intune team - in case they have some plans for standardizing this data/fields, or so they get visibility? https://techcommunity.microsoft.com/t5/Microsoft-Intune/bd-p/Microsoft-Intune