Jul 14 2022 07:18 AM
I am creating a rule using the KQL query:
AuditLogs
|where OperationName contains "Update group" and TargetResources contains "-x"
I get results back and they contain the information I am looking for, but how can I then map Entities to the subfields of the TargetResources field, e.g.
Jul 14 2022 10:20 AM
Jul 14 2022 10:31 AM
Jul 15 2022 01:26 AM
This is how to do it with parse_json:
AuditLogs
|where OperationName contains "Update group"
| extend DisplayName = tostring(parse_json(TargetResources[0].modifiedProperties[0].displayName))
Change the [0] to whatever other number to match the location you want to extract from. And change the displayName to the entry you want.
You can first extract the entry you need, then filter by it in the where expression. In the example below, I am using the displayName to filter for any value:
AuditLogs
| extend DisplayName = tostring(parse_json(TargetResources[0].modifiedProperties[0].displayName))
|where OperationName contains "Update group" and DisplayName contains "the value you are looking for"
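As an added example that is not part of the answer above: instead of hard-coding index [0], expand every target resource and every modified property with mv-expand, so a group update with several changed properties yields one row per change, with the fields you would map to entities (actor, group id, property, old and new value) as plain columns. It assumes the standard Azure AD AuditLogs schema (TargetResources[].id/displayName/type, modifiedProperties[].displayName/oldValue/newValue, InitiatedBy.user.userPrincipalName); the column names GroupId, GroupName, TargetType, PropertyName, OldValue, NewValue and Actor are my own.

```kql
// Added example: expand TargetResources and modifiedProperties rather than
// indexing [0], then expose the subfields as columns for entity mapping.
// Assumes the standard AuditLogs schema; output column names are invented here.
AuditLogs
| where OperationName contains "Update group"
// one row per target resource of the operation
| mv-expand Target = TargetResources
| extend GroupId = tostring(Target.id),
         GroupName = tostring(Target.displayName),
         TargetType = tostring(Target.type)
// one row per modified property of that target (instead of only [0])
| mv-expand Prop = Target.modifiedProperties
| extend PropertyName = tostring(Prop.displayName),
         OldValue = tostring(Prop.oldValue),
         NewValue = tostring(Prop.newValue)
// filter on the extracted subfields, not on the raw JSON string
| where TargetType == "Group" and GroupName contains "-x"
// who performed the change, for the Account entity
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Actor, GroupId, GroupName,
          PropertyName, OldValue, NewValue
```

In the analytics rule's entity mapping, Actor can then be mapped to the Account entity and GroupId / GroupName to a custom entity or alert detail, since each is now a top-level column.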