I'm running this command to break out the dynamic arrays:
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)
But I have these arrays that appear to have these index numbers, and the data within them is different between each data type:
How would I go about referencing each of these and their subsequent values?
If you know the Index number and field, then you can modify a query like this one to suit?
//| where DisplayName == "Detected suspicious DNS resolution"
| extend entities = todynamic(Entities)
| project AlertName ,
Description = parse_json(entities.HostName) ,
@Clive Watson extending the commands to expand out index 0
IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)
// Targets is an array, so index 0 selects its first element
| extend mydisc = todynamic(propertiesTargets[0].ModifiedProperties)
What I've seen is as I continue to dig deeper into the properties, the ModifiedProperties field varies based on the specific operation, which makes it painful to determine the values I can consistently pull.
Hi @Chris Blackburn
I'm not familiar with the Intune data; this may be a question for the Intune team - in case they have some plans for standardizing this data/fields, or so they get visibility? https://techcommunity.microsoft.com/t5/Microsoft-Intune/bd-p/Microsoft-Intune
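For the question above about referencing each array element when ModifiedProperties differs per operation, the following is an added example (not posted by anyone in the thread) that uses mv-expand instead of fixed index numbers. The sample rows are constructed, and the Name/Old/New keys inside ModifiedProperties are an assumption about the payload shape; swap the `let` table for IntuneAuditLogs to run it on real data.

```kusto
// Constructed sample rows standing in for IntuneAuditLogs.
// Assumption: each ModifiedProperties element carries Name, Old and New keys.
let SampleIntuneAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, Properties: string)
[
    datetime(2024-01-10 09:00:00), "Patch DeviceCompliancePolicy",
    '{"Targets":[{"Name":"Policy-A","ModifiedProperties":[{"Name":"PasswordRequired","Old":"False","New":"True"},{"Name":"MinOsVersion","Old":"10.0","New":"11.0"}]}]}',
    datetime(2024-01-10 09:05:00), "Create MobileApp",
    '{"Targets":[{"Name":"App-B","ModifiedProperties":[{"Name":"Publisher","Old":"","New":"Contoso"}]},{"Name":"App-C","ModifiedProperties":[{"Name":"Publisher","Old":"","New":"Fabrikam"}]}]}'
];
SampleIntuneAuditLogs
| extend propertiesJson = todynamic(Properties)
// One output row per element of Targets, so no index is hard-coded.
| mv-expand target = propertiesJson.Targets
| extend TargetName = tostring(target.Name)
// One output row per entry in that target's ModifiedProperties array.
| mv-expand modified = target.ModifiedProperties
| extend PropertyName = tostring(modified.Name),
         OldValue     = tostring(modified.Old),
         NewValue     = tostring(modified.New)
// Long format: the same columns exist whatever the operation changed.
| project TimeGenerated, OperationName, TargetName, PropertyName, OldValue, NewValue
// Optional: fold back to one row per target, with a bag keyed by property name.
| summarize Changes = make_bag(bag_pack(PropertyName, bag_pack("Old", OldValue, "New", NewValue)))
    by TimeGenerated, OperationName, TargetName
```

Stopping at the `project` line gives a stable long-format table that is easier to filter for specific setting changes (for example `where PropertyName == "PasswordRequired"`) than per-operation column layouts.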