Forum Discussion
markscottuk
Jul 14, 2022 Copper Contributor
Creating Entity Mappings from TargetResources sub fields
I am creating a rule using the KQL query: AuditLogs | where OperationName contains "Update group" and TargetResources contains "-x". I get results back and they have the information in I am lo...
Clive_Watson
Jul 14, 2022 Bronze Contributor
There are lots of examples in the GitHub; mv-expand is one way:
https://github.com/Azure/Azure-Sentinel/search?q=targetresources
or this specific one:
https://github.com/Azure/Azure-Sentinel/blob/1d9071669b145ee85f54b8f5a2094d561f562738/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
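The mv-expand approach from the reply above, applied to the query in the question, as an added example (not code from either poster or from the linked Azure-Sentinel rule). The output column names (TargetName, TargetId, InitiatorUPN, AccountName and so on) are assumptions chosen for illustration; the sub-fields read from TargetResources and InitiatedBy are those of the AuditLogs table.

```kql
// Added example: flatten TargetResources so each sub-field becomes a
// plain column that an analytics rule's entity mapping can select.
AuditLogs
| where OperationName contains "Update group"
| where TargetResources contains "-x"            // same filter as the question
// TargetResources is a dynamic array: emit one row per target object.
| mv-expand TargetResource = TargetResources
// Keep only the array element that actually carried the match.
| where tostring(TargetResource) contains "-x"
// Dynamic values must be cast to a scalar type before they can be mapped.
| extend
    TargetName = tostring(TargetResource.displayName),
    TargetId   = tostring(TargetResource.id),
    TargetType = tostring(TargetResource.type)
// The initiator is either a user or an application; one side will be empty.
| extend
    InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName),
    InitiatorIP  = tostring(InitiatedBy.user.ipAddress),
    InitiatorApp = tostring(InitiatedBy.app.displayName)
// Split the UPN so the Account entity can take name and suffix separately.
| extend
    AccountName      = tostring(split(InitiatorUPN, "@")[0]),
    AccountUPNSuffix = tostring(split(InitiatorUPN, "@")[1])
| project TimeGenerated, OperationName, Result,
          TargetName, TargetId, TargetType,
          InitiatorUPN, InitiatorApp, InitiatorIP,
          AccountName, AccountUPNSuffix
```

In the rule's entity mapping, AccountName and AccountUPNSuffix can then be selected for the Account entity's Name and UPNSuffix identifiers, and InitiatorIP for the IP entity's Address identifier.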