cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

How to find the old and new values of the proxyAddresses property change.

AndrewX
Iron Contributor

‎Mar 15 2020 09:24 PM - last edited on ‎Apr 08 2022 10:20 AM by

‎Mar 15 2020 09:24 PM - last edited on ‎Apr 08 2022 10:20 AM by

How to find the old and new values of the proxyAddresses property change.

How does one pull out the oldValue and newValue of a specific index from the AuditLog, TargetResources[0]['modifiedProperties'] object, when multiple attributes have been changed and you don't know the index number of the property you are specifically looking for?

 

If the property always had a 0 index, that would be easy, but sometimes it's index 0, sometimes index 3, sometimes index 4 etc.

 

I am trying to find the old and new values from the proxyAddresses property change.

 
I would like to do something like;
 

 

AuditLogs
| extend proxyAddresses = parse_json(TargetResources[0]['modifiedProperties'] | where "displayName" == "proxyAddresses")
| extend newValue = proxyAddresses.newValue
| extend oldValue = proxyAddresses.oldValue

 

Thanks.
1,504 Views
0 Likes
2 Replies
Reply
2 Replies
CliveWatson

‎Mar 16 2020 07:51 AM

‎Mar 16 2020 07:51 AM

Re: How to find the old and new values of the proxyAddresses property change.

@AndrewX 

 

This should turn all matches to index 0 (note: I only did a quick test in this method!!!!!)

 

let srch = "proxyAddresses";        // search for 
search in (AuditLogs) srch          // Table to search in
| evaluate narrow()
| where Value has srch              // also try "has" for better efficiency rather than "contains"
| extend newValue = tostring(parse_json(tostring(parse_json(tostring(parse_json(Value)[0].modifiedProperties))[0].newValue))[0]) 
| extend oldValue = tostring(parse_json(tostring(parse_json(tostring(parse_json(Value)[0].modifiedProperties))[0].oldValue))[0]) 
| summarize count() by Column, txtFound = srch , oldValue, newValue

The hard works is done in lines 1-4, you may want to just run those lines first.  I use this a lot (lines 1-4) to find in which columns I get a data match 

 

e.g.

 

let srch = "proxyAddresses";        // search for 
search in (AuditLogs) srch          // Table to search in
| evaluate narrow()
| where Value has srch              // also try "has" for better efficiency rather than "contains"

 

Shows that TargetResources has "proxyAddresses" in it

 

Row Column Value
0 TargetResources [{"displayName":null,"modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[]","newValue":"[true]"},{"displayName":"CreationType","oldValue":"[]","newValue":"
....
data omitted 

 

Thanks Clive  

0 Likes
Reply
best response confirmed by AndrewX (Iron Contributor)
AndrewX

‎Mar 16 2020 10:09 PM

‎Mar 16 2020 10:09 PM

Solution

Re: How to find the old and new values of the proxyAddresses property change.

Thank you @CliveWatson 

 

Running the query as is, got me close i think, really appreciate it :)

 

Andrew

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by AndrewX (Iron Contributor)
AndrewX

‎Mar 16 2020 10:09 PM

‎Mar 16 2020 10:09 PM

Solution

Re: How to find the old and new values of the proxyAddresses property change.

Thank you @CliveWatson 

 

Running the query as is, got me close i think, really appreciate it :)

 

Andrew

View solution in original post

0 Likes
Reply