Forum Discussion
James_McLaren
Jul 19, 2022Copper Contributor
KQL - breaking up a CN
Hi all,
Today's challenge:
The SecurityEvents table logs users being added to groups. The way this one is configured, the person or principal who is being granted access is in the field MemberName - which is a full CN listing, in the form CN=paddingtonbear,OU=Marmalade Factory,DC=darkestperu,DC=org
Now I can easily use split to remove everything after the CN field. But if I use project User = split(MemberName,",",0) the user field comes up as ["CN=paddingtonbear"]. I'd like to just have it display paddingtonbear, so I guess there ought to be a way of doing something like this:
project User = trim(@"CN=",tostring(split(MemberName,",",0)) - in other words, User should be the CN value with CN= trimmed off the front)
Needless to say, this does not work. Trim objects that its second argument should be a string... so any better answers would be gratefully received!
Cheers, James
No RepliesBe the first to reply