Forum Discussion

James_McLaren
Jul 19, 2022

KQL - breaking up a CN

Hi all,

Today's challenge:

The SecurityEvents table logs users being added to groups. The way this one is configured, the person or principal who is being granted access is in the field MemberName - which is a full CN listing, in the form CN=paddingtonbear,OU=Marmalade Factory,DC=darkestperu,DC=org

Now I can easily use split to remove everything after the CN field. But if I use project User = split(MemberName,",",0) the user field comes up as ["CN=paddingtonbear"]. I'd like to just have it display paddingtonbear, so I guess there ought to be a way of doing something like this:

project User = trim(@"CN=",tostring(split(MemberName,",",0)) - in other words, User should be the CN value with CN= trimmed off the front)

Needless to say, this does not work. Trim objects that its second argument should be a string... so any better answers would be gratefully received!

Cheers, James
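
One way to get the bare CN value out of MemberName, as an added example that is not part of the original post: it shows the split-based form next to a single extract() call, and goes a little beyond the question by also handling a lower-case `cn=` and a CN that contains an escaped comma. The datatable rows are constructed sample values, and the column names FirstRdn, UserViaSplit, UserViaRegex and User are hypothetical.

```kql
// Constructed sample rows standing in for the MemberName column.
// Row 2 has an escaped comma inside the CN, row 3 a lower-case attribute name,
// row 4 is a value that is not a distinguished name at all.
let SampleEvents = datatable(MemberName: string)
[
    "CN=paddingtonbear,OU=Marmalade Factory,DC=darkestperu,DC=org",
    @"CN=Bear\, Paddington,OU=Marmalade Factory,DC=darkestperu,DC=org",
    "cn=auntlucy,OU=Home for Retired Bears,DC=darkestperu,DC=org",
    "-"
];
SampleEvents
// split() with an index still returns a dynamic array holding one element,
// so index into it with [0] before converting to string.
| extend FirstRdn = tostring(split(MemberName, ",", 0)[0])
// trim_start() takes a regex; this strips a leading CN= in any case.
// Note that the naive split cuts row 2 at the escaped comma ("Bear\").
| extend UserViaSplit = trim_start(@"(?i)cn=", FirstRdn)
// extract() reads the CN value in one step: the capture group accepts either
// a backslash-escaped character or any character that is not a comma.
| extend UserViaRegex = extract(@"(?i)^cn=((?:\\.|[^,\\])+)", 1, MemberName)
// Drop the DN escape backslashes so the value displays as "Bear, Paddington".
| extend User = replace_regex(UserViaRegex, @"\\(.)", @"\1")
| project MemberName, UserViaSplit, UserViaRegex, User
```

For the row that is not a DN, extract() returns an empty string while the split form passes the raw value through, so `where isnotempty(User)` separates parsed names from values that need a different lookup.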

 
