Using KQL queries to dive into dynamic arrays Azure Log Analytics

I'm running this command to break out the dynamic arrays

IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)

But I have these arrays that appear to have these index numbers, and the data within them is different between each data type:

[image: array.png]

How would I go about referencing each of these and their subsequent values?

4 Replies

@Chris Blackburn

If you know the Index number and field, then you can modify a query like this one to suit?

SecurityAlert
//| where DisplayName == "Detected suspicious DNS resolution"
| extend entities = todynamic(Entities)
| project AlertName,
          TimeGenerated,
          Description = parse_json(entities[0].HostName),
          osFamily = parse_json(entities[1].OSFamily)

@CliveWatson extending the commands to expand out index 0

IntuneAuditLogs
| where TimeGenerated > ago(7d)
| extend propertiesJson = todynamic(Properties)
| extend propertiesTargets = todynamic(propertiesJson.Targets)
| extend mydisc = todynamic(propertiesTargets[0].ModifiedProperties)

What I've seen is that, as I continue to dig deeper into the properties, the ModifiedProperties field varies based on the specific operation, which makes it painful to determine the values I can consistently pull.

[image: array2.png]

Hi @Chris Blackburn

I'm not familiar with the Intune data; this may be a question for the Intune team, in case they have some plans for standardizing this data/fields, or so they get visibility? https://techcommunity.microsoft.com/t5/Microsoft-Intune/bd-p/Microsoft-Intune

@CliveWatson, what if I have a scenario where multiple IPs and users are under the entities field?

[image: harishbenne_0-1622476418329.png]

What I am trying to do is get the IP addresses under one single variable and the list of user IDs under another one!
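One way to collect every IP address and every user ID from a multi-entity Entities array into two separate columns per alert, as an added example that is not part of this thread: it runs on a constructed datatable instead of the live SecurityAlert table, and it assumes each entity object carries a Type key plus Address (for ip) or Name/UPNSuffix (for account) keys, which is the common Sentinel entity layout but is not guaranteed for every alert provider. The same mv-expand pattern applies to the variable ModifiedProperties arrays in the Intune query above.

```kusto
// Added example, not code from the thread. Constructed sample rows standing in
// for SecurityAlert; the entity keys (Type, Address, Name, UPNSuffix) are an
// assumption about the provider's entity shape and should be checked per source.
let SampleAlerts = datatable(AlertName: string, Entities: string) [
    "Suspicious sign-in",
    '[{"$id":"2","Address":"198.51.100.7","Type":"ip"},{"$id":"3","Name":"alice","UPNSuffix":"contoso.com","Type":"account"},{"$id":"4","Address":"203.0.113.9","Type":"ip"},{"$id":"5","Name":"bob","UPNSuffix":"contoso.com","Type":"account"}]',
    "Brute force attempt",
    '[{"$id":"2","HostName":"web01","Type":"host"},{"$id":"3","Address":"192.0.2.45","Type":"ip"}]'
];
SampleAlerts
| extend entities = todynamic(Entities)
// one row per array element, so the index position no longer matters
| mv-expand entity = entities
| extend entityType = tostring(entity.Type)
// fold the elements back into one array per entity kind, per alert;
// an alert with no account entities gets an empty UserIds array
| summarize
    IpAddresses = make_set_if(tostring(entity.Address), entityType == "ip"),
    UserIds     = make_set_if(strcat(tostring(entity.Name), "@", tostring(entity.UPNSuffix)),
                              entityType == "account")
    by AlertName
```

Replace the datatable with `SecurityAlert | where TimeGenerated > ago(7d)` to run it against real data; add `array_length(IpAddresses)` to the summarize if you need to alert only on multi-IP rows.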