Apr 24 2019
01:29 PM
- last edited on
Apr 07 2022
05:45 PM
by
TechCommunityAP
Apr 24 2019
01:29 PM
- last edited on
Apr 07 2022
05:45 PM
by
TechCommunityAP
Hello, I'm new to this.
I was trying the following line as part of my query:
| project TargetUsername = parse_json(TargetResources).["userPrincipalName"]
without success, I also noticed that unlike other attributes, i don't have the +- in this one.
How can i extract the attribute in the userPrincipalName? (Its an Azure AD-Add user event)
Thank you.
Apr 25 2019 12:26 AM
Solution@Deleted
Hi,
This example might help you.
AuditLogs | where SourceSystem == "Azure AD" | extend PropertiesJSON = parse_json(TargetResources) | extend myUser = PropertiesJSON[0].userPrincipalName | where isnotempty(myUser) | project myUser
if the data was a level lower the technique is:
AzureActivity | where ResourceId has "virtualmachines" | where Properties has "policyAssignmentSku" | extend PropertiesJSON = parse_json(Properties) | extend PoliciesJson = parse_json(tostring(PropertiesJSON.policies)) | extend PolicyAssignmentSkuTier = PoliciesJson[0].policyAssignmentSku.tier | extend PolicyAssignmentSkuName = PoliciesJson[0].policyAssignmentSku.name | project PolicyAssignmentSkuTier, PolicyAssignmentSkuName, PoliciesJson
Apr 25 2019 04:07 AM
Apr 25 2019 12:26 AM
Solution@Deleted
Hi,
This example might help you.
AuditLogs | where SourceSystem == "Azure AD" | extend PropertiesJSON = parse_json(TargetResources) | extend myUser = PropertiesJSON[0].userPrincipalName | where isnotempty(myUser) | project myUser
if the data was a level lower the technique is:
AzureActivity | where ResourceId has "virtualmachines" | where Properties has "policyAssignmentSku" | extend PropertiesJSON = parse_json(Properties) | extend PoliciesJson = parse_json(tostring(PropertiesJSON.policies)) | extend PolicyAssignmentSkuTier = PoliciesJson[0].policyAssignmentSku.tier | extend PolicyAssignmentSkuName = PoliciesJson[0].policyAssignmentSku.name | project PolicyAssignmentSkuTier, PolicyAssignmentSkuName, PoliciesJson