Forum Discussion
markscottuk
Jul 14, 2022 - Copper Contributor
Creating Entity Mappings from TargetResources sub fields
I am creating a rule using the KQL query: AuditLogs |where OperationName contains "Update group" and TargetResources contains "-x" I get results back and they have the information in I am lo...
Asaad_Moosa
Jul 15, 2022 - Copper Contributor
This is how to do it with parse_json:
AuditLogs
| where OperationName contains "Update group"
| extend DisplayName = tostring(parse_json(TargetResources[0].modifiedProperties[0].displayName))
Change the [0] to whatever other number to match the location you want to extract from. And change the displayName to the entry you want.
You can first extract the entry you need, then filter by it in the where expression. In the example below, I am using the displayName to filter for any value:
AuditLogs
| extend DisplayName = tostring(parse_json(TargetResources[0].modifiedProperties[0].displayName))
| where OperationName contains "Update group" and DisplayName contains "the value you are looking for"
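
The answer above reads one fixed position ([0]). As an added example that is not part of the original answer, the query below goes further and expands every target resource and every modified property into its own row, so the value is found at any index and ends up in plain string columns. The SampleAuditLogs rows are constructed, and the column names GroupName, GroupId, PropertyName, OldValue and NewValue are assumptions; replace SampleAuditLogs with AuditLogs to run it against real data.

```kql
// Constructed sample rows standing in for AuditLogs, so the query runs without real data.
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, TargetResources: dynamic)
[
    // The matching property sits at modifiedProperties[1], which a fixed [0] lookup would miss.
    datetime(2022-07-14 09:00:00), "Update group",
    dynamic([{"id": "00000000-0000-0000-0000-000000000001", "displayName": "sales-x", "type": "Group",
              "modifiedProperties": [
                  {"displayName": "Description", "oldValue": "old text", "newValue": "new text"},
                  {"displayName": "DisplayName", "oldValue": "sales", "newValue": "sales-x"}
              ]}]),
    // Different operation: removed by the OperationName filter.
    datetime(2022-07-14 09:05:00), "Add member to group",
    dynamic([{"id": "00000000-0000-0000-0000-000000000002", "displayName": "hr-x", "type": "Group",
              "modifiedProperties": [
                  {"displayName": "Group.DisplayName", "oldValue": "", "newValue": "hr-x"}
              ]}]),
    // Same operation, but no property value contains "-x": removed by the NewValue filter.
    datetime(2022-07-14 09:10:00), "Update group",
    dynamic([{"id": "00000000-0000-0000-0000-000000000003", "displayName": "finance", "type": "Group",
              "modifiedProperties": [
                  {"displayName": "Description", "oldValue": "a", "newValue": "b"}
              ]}])
];
SampleAuditLogs
| where OperationName contains "Update group"
// One row per entry in TargetResources, instead of TargetResources[0].
| mv-expand Target = TargetResources
// One row per entry in modifiedProperties, instead of modifiedProperties[0].
| mv-expand Property = Target.modifiedProperties
// Cast the dynamic sub-fields to strings so they can be filtered and mapped as ordinary columns.
| extend GroupName    = tostring(Target.displayName),
         GroupId      = tostring(Target.id),
         PropertyName = tostring(Property.displayName),
         OldValue     = tostring(Property.oldValue),
         NewValue     = tostring(Property.newValue)
| where NewValue contains "-x"
| project TimeGenerated, OperationName, GroupName, GroupId, PropertyName, OldValue, NewValue
```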