SOLVED

How to find the old and new values of the proxyAddresses property change.

How does one pull out the oldValue and newValue of a specific index from the AuditLog, TargetResources[0]['modifiedProperties'] object, when multiple attributes have been changed and you don't know the index number of the property you are specifically looking for?

If the property always had a 0 index, that would be easy, but sometimes it's index 0, sometimes index 3, sometimes index 4 etc.

I am trying to find the old and new values from the proxyAddresses property change.

I would like to do something like:

AuditLogs
| extend proxyAddresses = parse_json(TargetResources[0]['modifiedProperties'] | where "displayName" == "proxyAddresses")
| extend newValue = proxyAddresses.newValue
| extend oldValue = proxyAddresses.oldValue

 

Thanks.
2 Replies

@Andrew Huddleston

This should turn all matches to index 0 (note: I only did a quick test in this method!!!!!)

let srch = "proxyAddresses";        // search for 
search in (AuditLogs) srch          // Table to search in
| evaluate narrow()
| where Value has srch              // also try "has" for better efficiency rather than "contains"
| extend newValue = tostring(parse_json(tostring(parse_json(tostring(parse_json(Value)[0].modifiedProperties))[0].newValue))[0]) 
| extend oldValue = tostring(parse_json(tostring(parse_json(tostring(parse_json(Value)[0].modifiedProperties))[0].oldValue))[0]) 
| summarize count() by Column, txtFound = srch , oldValue, newValue

The hard work is done in lines 1-4, you may want to just run those lines first. I use this a lot (lines 1-4) to find in which columns I get a data match.

e.g.

let srch = "proxyAddresses";        // search for 
search in (AuditLogs) srch          // Table to search in
| evaluate narrow()
| where Value has srch              // also try "has" for better efficiency rather than "contains"

 

Shows that TargetResources has "proxyAddresses" in it

Row Column Value
0 TargetResources [{"displayName":null,"modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[]","newValue":"[true]"},{"displayName":"CreationType","oldValue":"[]","newValue":"
....
data omitted 

 

Thanks Clive  

best response confirmed by Andrew Huddleston (Frequent Contributor)
Solution

Thank you @CliveWatson

Running the query as is got me close, I think. Really appreciate it :)

Andrew
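One way to select the proxyAddresses entry by its displayName rather than by array position, added here as an example and not code from either poster in this thread. It goes slightly beyond the question by also diffing the two address lists. Assumptions: the name SampleAuditLogs and its rows are constructed sample data, and the target is identified by the userPrincipalName field of TargetResources.

```kusto
// Constructed sample rows standing in for AuditLogs. On a real workspace, delete this
// let statement and start the query from AuditLogs instead of SampleAuditLogs.
let SampleAuditLogs = datatable(TimeGenerated: datetime, Raw: string) [
    // proxyAddresses sits at index 1 here: one alias added
    datetime(2024-01-10 09:00:00), @'[{"userPrincipalName":"user1@contoso.example","modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[]","newValue":"[true]"},{"displayName":"proxyAddresses","oldValue":"[\"SMTP:user1@contoso.example\"]","newValue":"[\"SMTP:user1@contoso.example\",\"smtp:alias1@contoso.example\"]"}]}]',
    // proxyAddresses sits at index 0 here: one alias removed
    datetime(2024-01-10 09:05:00), @'[{"userPrincipalName":"user2@contoso.example","modifiedProperties":[{"displayName":"proxyAddresses","oldValue":"[\"SMTP:user2@contoso.example\",\"smtp:old2@contoso.example\"]","newValue":"[\"SMTP:user2@contoso.example\"]"}]}]',
    // no proxyAddresses change at all: must not appear in the result
    datetime(2024-01-10 09:10:00), @'[{"userPrincipalName":"user3@contoso.example","modifiedProperties":[{"displayName":"AccountEnabled","oldValue":"[]","newValue":"[true]"}]}]'
]
| extend TargetResources = parse_json(Raw)
| project-away Raw;
SampleAuditLogs
// Cheap pre-filter so only candidate rows are expanded
| where tostring(TargetResources) has "proxyAddresses"
// One row per target resource instead of assuming TargetResources[0]
| mv-expand TargetResource = TargetResources
// Walk every modifiedProperties entry and keep only the one named proxyAddresses,
// whatever index it happens to occupy in this event
| mv-apply Property = TargetResource.modifiedProperties on (
    where tostring(Property.displayName) =~ "proxyAddresses"
    | project oldValue = tostring(Property.oldValue), newValue = tostring(Property.newValue)
  )
// oldValue/newValue are strings holding JSON arrays, so parse them before comparing
| extend oldAddrs = parse_json(oldValue), newAddrs = parse_json(newValue)
| extend added = set_difference(newAddrs, oldAddrs),
         removed = set_difference(oldAddrs, newAddrs)
| project TimeGenerated, target = tostring(TargetResource.userPrincipalName),
          oldValue, newValue, added, removed
```

Events whose modifiedProperties contain no proxyAddresses entry produce no output row, because mv-apply drops records for which the subquery returns nothing.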