SOLVED

How to extract a field without the +- buttons

Hello, I'm new to this.

I was trying the following line as part of my query:

   | project TargetUsername = parse_json(TargetResources).["userPrincipalName"]

without success. I also noticed that, unlike other attributes, I don't have the +- in this one.

How can I extract the attribute in the userPrincipalName? (It's an Azure AD-Add user event)

Thank you.

2 Replies
best response
Solution

@Deleted 

Hi,

This example might help you. 

AuditLogs
| where SourceSystem == "Azure AD" 
| extend PropertiesJSON = parse_json(TargetResources)
| extend myUser = PropertiesJSON[0].userPrincipalName
| where isnotempty(myUser)
| project myUser

If the data was a level lower, the technique is:

AzureActivity
| where ResourceId has "virtualmachines"
| where Properties has "policyAssignmentSku" 
| extend PropertiesJSON = parse_json(Properties)
| extend PoliciesJson = parse_json(tostring(PropertiesJSON.policies)) 
| extend PolicyAssignmentSkuTier = PoliciesJson[0].policyAssignmentSku.tier
| extend PolicyAssignmentSkuName = PoliciesJson[0].policyAssignmentSku.name
| project PolicyAssignmentSkuTier, PolicyAssignmentSkuName, PoliciesJson

Excellent, thank you!
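
An added example, not part of the original thread or either poster's code: the accepted answer's indexing approach run over constructed rows, generalized with mv-expand so that events carrying more than one entry in TargetResources are handled instead of assuming the user is at [0]. The datatable rows, the contoso.example names and the column aliases Target, TargetType and TargetUsername are assumptions made for illustration.

```kusto
// Constructed sample rows shaped like AuditLogs events (not real data).
let SampleAuditLogs = datatable(TimeGenerated:datetime, OperationName:string, TargetResources:dynamic)
[
    datetime(2024-01-10 09:00:00), "Add user",
    dynamic([{"type":"User","userPrincipalName":"alice@contoso.example"}]),
    datetime(2024-01-10 09:05:00), "Add member to group",
    dynamic([{"type":"User","userPrincipalName":"bob@contoso.example"},
             {"type":"Group","displayName":"Helpdesk"}]),
    datetime(2024-01-10 09:10:00), "Add user",
    dynamic([{"type":"User","userPrincipalName":"","displayName":"no-upn"}])
];
SampleAuditLogs
| where OperationName in ("Add user", "Add member to group")
// TargetResources is an array of objects, which is why a plain
// .userPrincipalName on the whole column returns nothing.
// Expand it to one row per array element.
| mv-expand Target = TargetResources
// Cast to string so the values can be compared, joined and summarized.
| extend TargetType = tostring(Target.type),
         TargetUsername = tostring(Target.userPrincipalName)
// Keep only user targets that actually carry a UPN.
| where TargetType == "User" and isnotempty(TargetUsername)
| project TimeGenerated, OperationName, TargetUsername
```

To run it against real data, replace SampleAuditLogs with AuditLogs and drop the let statement.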