Forum Discussion
markscottuk
Jul 14, 2022, Copper Contributor
Creating Entity Mappings from TargetResources sub fields
I am creating a rule using the KQL query:
AuditLogs
|where OperationName contains "Update group" and TargetResources contains "-x"
I get results back and they have the information I am looking for, but how can I then map entities to the sub fields of the TargetResources field, e.g.
3 Replies
- Asaad_Moosa, Copper Contributor
This is how to do it with parse_json:
AuditLogs |where OperationName contains "Update group" | extend DisplayName = tostring(parse_json(TargetResources[0].modifiedProperties[0].displayName))
Change the [0] to whatever other number to match the location you want to extract from, and change the displayName to the entry you want.
You can first extract the entry you need, then filter by it in the where expression. In the example below, I am using the displayName to filter for any value:
AuditLogs | extend DisplayName = tostring(parse_json(TargetResources[0].modifiedProperties[0].displayName)) |where OperationName contains "Update group" and DisplayName contains "the value you are looking for"
- Clive_Watson, Bronze Contributor
There are lots of examples on GitHub; mv-expand is one way:
https://github.com/Azure/Azure-Sentinel/search?q=targetresources
or this specific one:
https://github.com/Azure/Azure-Sentinel/blob/1d9071669b145ee85f54b8f5a2094d561f562738/Detections/AuditLogs/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
- Clive_Watson, Bronze Contributor
Doing a bag_unpack afterwards may also be useful (each entry has its own row after you do):
AuditLogs
| mv-expand TargetResources
| evaluate bag_unpack(TargetResources)
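Putting the two suggestions together (mv-expand to flatten, then extracting the sub fields), here is an added query that is not from any of the replies above: it gives each target resource and each modified property its own row and projects plain string columns that an analytics rule can map to entities. The column names (TargetGroupName, PropertyName, InitiatingUserPrincipalName, and so on) are my own choice; the AuditLogs fields used (TargetResources.displayName, modifiedProperties, InitiatedBy.user) are the standard schema.

```kql
// Added example, not from the thread: flatten TargetResources and its
// modifiedProperties so every changed property becomes one row, then expose
// the sub fields as plain columns for entity mapping.
AuditLogs
| where OperationName has "Update group"
// One row per target resource (a group update usually has one, but not always).
| mv-expand TargetResource = TargetResources
| extend
    TargetGroupName = tostring(TargetResource.displayName),
    TargetGroupId   = tostring(TargetResource.id)
// Filter on the sub field instead of text-searching the whole JSON blob,
// so "-x" has to appear in the group's display name, not anywhere in the record.
| where TargetGroupName contains "-x"
// One row per modified property of that resource.
| mv-expand ModifiedProperty = TargetResource.modifiedProperties
| extend
    PropertyName = tostring(ModifiedProperty.displayName),
    // oldValue / newValue arrive as JSON-encoded strings; tostring keeps them as-is.
    OldValue     = tostring(ModifiedProperty.oldValue),
    NewValue     = tostring(ModifiedProperty.newValue)
// Who made the change, for Account and IP entity mappings.
| extend
    InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
    InitiatingIpAddress         = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, OperationName, Result,
          TargetGroupName, TargetGroupId,
          PropertyName, OldValue, NewValue,
          InitiatingUserPrincipalName, InitiatingIpAddress
```

In the rule's entity mapping, InitiatingUserPrincipalName maps to the Account entity and InitiatingIpAddress to the IP entity; TargetGroupName and PropertyName are then available as alert custom details or for grouping.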