May 19 2021 03:35 AM - edited May 19 2021 03:35 AM
Very new to KQL - so apologies is this if "obvious"!
I am creating alerts from Log analytics data to create emails on changes to Network Security Groups.
So far so good, I get a nicely formatted table in the alert email - except for the destination port from the LA entry.
I can get the value out of the Json with
extend destPorts = parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationPortRanges
which generates
destPorts ["80","443","7547","7647"]
how do I now get that into the output as a simply text string - looking exactly like above
["80","443","7547","7647"]
The full query is this - illegal at the moment as it says
"Path expression destPorts source must be scalar of type 'dynamic'. Received a source of type string instead"
AzureActivity
| where _ResourceId has "-subnet-nsg" and Properties has "requestbody"
| extend Time = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss')
| extend Admin = tostring(parse_json(Properties).caller)
| extend resourceGroup_ = tostring(parse_json(Properties).resourceGroup)
| extend hierarchy_ = split(tostring(parse_json(Properties).hierarchy), "/")
| extend sourcePort = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).sourcePortRange)
| extend sourceAdd = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).sourceAddressPrefix)
| extend proto = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).protocol)
| extend priority_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).priority)
| extend dir = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).direction)
| extend destPort = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationPortRange)
| extend destinationApplicationSecurityGroups_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationApplicationSecurityGroups)))
| extend destAdd = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationAddressPrefix)
| extend description_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).description)
| extend Outcome = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).access)
| mv-expand subid=hierarchy_[0], lz=hierarchy_[1], sub=hierarchy_[2]
//| project-away hierarchy_
| extend nsgN2 = split(tostring(parse_json(Properties).entity),"/")
| extend nsgName = strcat(nsgN2[8],"/",nsgN2[10],"/",nsgN2[10])
| extend destPorts = parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).properties)).destinationPortRanges
| project Time, Admin, lz, sub, resourceGroup_, nsgName, sourceAdd, sourcePort, destAdd, destPort. destPorts, dir, priority_, description_, proto, Outcome
output today looks like: (without destPorts)
Insights
Top 10 result(s)
Time 2021-05-19 09:31:56
Admin xxx.xxx@xxx.com
lz xxxx
sub Landing-Zones
resourceGroup_ xxxx-EUTS-PRD-RG-01
nsgName xxx-euts-prd-connectivity-subnet-nsg/Allow-Outbound-xxxx/Allow-Outbound-xxx
sourceAdd xx.xxx.x.xx/28
sourcePort *
destAdd yy.yyy.yy.yyy
dir Outbound
priority_ 3000
proto TCP
Outcome Allow
this is only an issue when the dest port entry is multi-valued.