cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Querying AAD Audit Logs

dave8thomas
Copper Contributor

‎Sep 24 2019 08:27 AM - last edited on ‎Apr 08 2022 10:07 AM by

‎Sep 24 2019 08:27 AM - last edited on ‎Apr 08 2022 10:07 AM by

Querying AAD Audit Logs

Hello all,

 

I am piping my AAD audit logs to Log Analytics through the Diagnostic Logs, and then I want to set up some alerts if users are added to certain administrator roles..

 

I have got this far, but this returns nothing:

 

 

 

AuditLogs
| where Category == "RoleManagement" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = PropertiesJSON[0].modifiedProperties[1]['newValue']
| where role == 'SharePoint Service Administrator'
| project role

 

 

I think because the value I am searching for appears to be an Array of characters, rather than a string..  (same code, just taking out the filter)

 

 

AuditLogs
| where Category == "RoleManagement" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = PropertiesJSON[0].modifiedProperties[1]['newValue']
| project role

 

 

 

 

Screen Shot 2019-09-24 at 4.23.45 PM.png

 


Any ideas how I can search for a term that is stored in the data like this?

 

Thanks!

 
6,135 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by dave8thomas (Copper Contributor)
CliveWatson

‎Sep 24 2019 11:35 AM

‎Sep 24 2019 11:35 AM

Solution

Re: Querying AAD Audit Logs

Hi @dave8thomas 

 

You could just use  '   ' around the string as there are "quotes" in the returned data

 

E.g.

 

AuditLogs
| where Category == "RoleManagement" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = PropertiesJSON[0].modifiedProperties[1]['newValue'] 
| where role == '"Company Administrator"'

 

or cleanup the returned data 

 

AuditLogs
| where Category == "RoleManagement" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = trim(@"[^\w]+", tostring(PropertiesJSON[0].modifiedProperties[1]['newValue']) )
| where role == "Company Administrator"

// trims all non-word characters from start and end of the string
// https://docs.microsoft.com/en-us/azure/kusto/query/trimfunction

 

2 Likes
Reply
dave8thomas

‎Sep 25 2019 10:46 AM

‎Sep 25 2019 10:46 AM

Re: Querying AAD Audit Logs

Awesome, thanks Clive!! It's the simple things in life .. like quotes! :)
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by dave8thomas (Copper Contributor)
CliveWatson

‎Sep 24 2019 11:35 AM

‎Sep 24 2019 11:35 AM

Solution

Re: Querying AAD Audit Logs

Hi @dave8thomas 

 

You could just use  '   ' around the string as there are "quotes" in the returned data

 

E.g.

 

AuditLogs
| where Category == "RoleManagement" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = PropertiesJSON[0].modifiedProperties[1]['newValue'] 
| where role == '"Company Administrator"'

 

or cleanup the returned data 

 

AuditLogs
| where Category == "RoleManagement" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend role = trim(@"[^\w]+", tostring(PropertiesJSON[0].modifiedProperties[1]['newValue']) )
| where role == "Company Administrator"

// trims all non-word characters from start and end of the string
// https://docs.microsoft.com/en-us/azure/kusto/query/trimfunction

 

View solution in original post

2 Likes
Reply