Forum Discussion

Bas van der Kruijssen - Live ID's avatar
Bas van der Kruijssen - Live ID
Copper Contributor
Dec 08, 2017

Log Analytics Query - Azure Active Directory ExtendedProperties

Hello,   I'm currently working on a query in Log Analytics which requires me to filter on properties which are in the ExtendedProperties field. See below example, I would like to use the Extended...
azure monitor
Query Language
Dan Hadari's avatar
Dan Hadari
Icon for Microsoft rankMicrosoft
Dec 09, 2017
Hi, You should be able to do | extend properties = parse_json(tostring(ExtendedProperties) ) | where tostring(properties.Name) == "XYZ" You might not be required to cast Name into string but it doesn't matter. Dan
  • Bas van der Kruijssen - Live ID's avatar
    Bas van der Kruijssen - Live ID
    Copper Contributor
    Dec 11, 2017

    First of all, thanks for the response :-) Unfortunately this doesn't do the trick.

     

    The total query I'm using now is as follows:

    OfficeActivity | where RecordType == "AzureActiveDirectory" and Operation !contains "device"
| extend properties = parse_json(tostring(ExtendedProperties))
| where tostring(properties.Value) == "Privileged Role Administrator"

    This query results in the following output

    0 records matched for the selected time range

    The ExtendedProperties field is actually an array of values (see below picture)

     I'm trying to filter on the "Value" field in the 2nd entry of the array, but no luck so far.

Resources