Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Internal fields have multiple values in Parsers

Copper Contributor

Hi,

 

We are working on creating a custom connector to ingest the data in Azure Sentinel. We are now working on parsers, and we are trying to replicate the data fields as in Splunk. In Splunk, the inner fields of a List of Dictionaries can be individually represented. say for eg. a is a list of dictionaries

a = [

{b: null, c: "string1"},

{b: "string2", c: "string3"}

]

In Splunk we can represent a{}.b = null, a{}.b="string2"

But we are trying to do the same in Azure, and we actually are not able to do it, we can give column a{}.b only one value, from the list of values, say a{}.b=null or string2

Can someone please help me determine how to access inner of fields of a multi valued fields, or how to represent the multiple values under one name field, say a{}.b?

3 Replies

@Ronak_Shah 

 

You can write parser similar to this, 

e.g.

SigninLogs {Table Name}
AuthenticationDetails {Field Name}
[0:authenticationMethod
0: authenticationStepRequirement]
[1: authenticationStepRequirement]
[2: authenticationMethod]

 

Parser:

SigninLogs
| extend  AuthenticationMethod = tostring(parse_json(AuthenticationDetails)[0].authenticationMethod)
| extend authenticationStepRequirement = tostring(parse_json(AuthenticationDetails)[0].authenticationStepRequirement)
| extend authenticationStepRequirement1 = tostring (parse_json(AuthenticationDetails)[1].authenticationStepRequirement)
| extend authenticationMethod = tostring(parse_json(AuthenticationDetails)[2].authenticationMethod)
| project AuthenticationMethod, authenticationStepRequirement,authenticationStepRequirement1,authenticationMethod

 

Or you can share sample logs for better help.  

@deshantshukla 

 

Hi, Thanks for your response

Actually in the above method suggested, it will be only possible if we know the length of the list, or we know how many dictionary items are present in the list.
If in the example I provided

a = [

{b: null, c: "string1"},

{b: "string2", c: "string3"}

.....
{b: "string3", c: "null"}]
we don't know the length, then how should I implement the logic.

Hi @Ronak_Shah,

 

Try this code,

SigninLogs
| project DeviceDetail
| evaluate bag_unpack(DeviceDetail)

 

 

bag_unpack will Parse all the values inside it .

 

Check this Blog: https://www.cloudsma.com/2020/01/extracting-nested-fields-kusto/