SOLVED

How to extract a field without the +- buttons

Deleted
Not applicable

Hello, I'm new to this.

 

I was trying the following line as part of my query:

   | project TargetUsername = parse_json(TargetResources).["userPrincipalName"]

without success. I also noticed that unlike other attributes, I don't have the +- in this one.

How can I extract the attribute in the userPrincipalName? (It's an Azure AD-Add user event)


Thank you.

2 Replies
Best Response
Solution

@Deleted 

 

Hi,

 

This example might help you. 

AuditLogs
| where SourceSystem == "Azure AD" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend myUser = PropertiesJSON[0].userPrincipalName
| where isnotempty(myUser)
| project myUser


 

 

If the data was a level lower, the technique is:

AzureActivity
| where ResourceId has "virtualmachines"
| where Properties has "policyAssignmentSku" 
| extend PropertiesJSON = parse_json(Properties)
| extend PoliciesJson = parse_json(tostring(PropertiesJSON.policies)) 
| extend PolicyAssignmentSkuTier = PoliciesJson[0].policyAssignmentSku.tier
| extend PolicyAssignmentSkuName = PoliciesJson[0].policyAssignmentSku.name
| project PolicyAssignmentSkuTier, PolicyAssignmentSkuName, PoliciesJson 
Excellent, Thank You !
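
As an added example (not part of the original thread), the query below shows why the lookup in the question returns nothing and how indexing or `mv-expand` resolves it when `TargetResources` holds an array. The rows are constructed sample data, and the names `SampleAuditLogs`, `Targets`, `NoIndex`, `FirstTarget`, `Target` and `TargetUpn` are assumptions made for illustration.

```kql
// Constructed sample rows shaped like Azure AD audit events (not real log data).
// TargetResources is a JSON array of objects, which is why a property lookup
// on the array itself returns null and the portal shows no expandable field.
let SampleAuditLogs = datatable(TimeGenerated: datetime, OperationName: string, TargetResources: dynamic)
[
    datetime(2024-01-01 10:00:00), "Add user",
        dynamic([{"type": "User", "userPrincipalName": "alice@contoso.example"}]),
    datetime(2024-01-01 10:05:00), "Add member to group",
        dynamic([{"type": "User", "userPrincipalName": "bob@contoso.example"},
                 {"type": "Group", "displayName": "Helpdesk"}])
];
SampleAuditLogs
| extend Targets = parse_json(TargetResources)
// Lookup without an index, as in the question: empty, because Targets is an array.
| extend NoIndex = tostring(Targets.userPrincipalName)
// Lookup with an index, as in the answer: reads the first array element only.
| extend FirstTarget = tostring(Targets[0].userPrincipalName)
// One output row per array element, so a user that is not at position 0 is still found.
| mv-expand Target = Targets
| extend TargetUpn = tostring(Target.userPrincipalName)
| where isnotempty(TargetUpn)
| project TimeGenerated, OperationName, NoIndex, FirstTarget, TargetUpn
```

Wrapping the extracted value in `tostring()` turns the dynamic value into a string column, which makes later `where`, `summarize` or `join` steps on the user name behave predictably.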