KQL - breaking up a CN


Hi all,


Today's challenge:

The SecurityEvents table logs users being added to groups. The way this one is configured, the person or principal who is being granted access is in the field MemberName - which is a full CN listing, in the form CN=paddingtonbear,OU=Marmalade Factory,DC=darkestperu,DC=org


Now I can easily use split to remove everything after the CN field. But if I use project User = split(MemberName,",",0) the user field comes up as ["CN=paddingtonbear"]. I'd like to just have it display paddingtonbear, so I guess there ought to be a way of doing something like this:


project User = trim(@"CN=",tostring(split(MemberName,",",0)) - in other words, User should be the CN value with CN= trimmed off the front)


Needless to say, this does not work. Trim objects that its second argument should be a string... so any better answers would be gratefully received!


Cheers, James


0 Replies
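As an added example (not part of the original post), here are three ways to pull the CN value out of a MemberName string shaped like the one in the question. The datatable rows are constructed sample data, and the names SampleEvents, UserSplit, UserParse and UserRegex are made up for the illustration.

```kql
// Constructed sample rows standing in for the MemberName column described in the post.
let SampleEvents = datatable(MemberName: string)
[
    "CN=paddingtonbear,OU=Marmalade Factory,DC=darkestperu,DC=org",
    @"CN=Bear\, Paddington,OU=Marmalade Factory,DC=darkestperu,DC=org",  // escaped comma inside the CN
    "-"                                                                    // constructed row with no DN
];
SampleEvents
// 1) split() returns a dynamic array, so take element [0] before tostring();
//    converting the whole array is what produces ["CN=paddingtonbear"].
//    trim_start(regex, source) then strips the leading "CN=".
//    This variant cuts the value at an escaped comma.
| extend UserSplit = trim_start(@"CN=", tostring(split(MemberName, ",")[0]))
// 2) parse captures the text between "CN=" and the first comma in one step.
//    It also stops at the first comma, escaped or not.
| parse MemberName with "CN=" UserParse "," *
// 3) extract() with a regex that accepts either a backslash-escaped character
//    or any character other than comma and backslash, so an escaped comma
//    stays inside the captured value (the backslash is kept in the result).
| extend UserRegex = extract(@"(?i)^CN=((?:\\.|[^,\\])+)", 1, MemberName)
| project MemberName, UserSplit, UserParse, UserRegex
```

To run it against real data, replace SampleEvents with the table and filter you already use. Prefer the extract() form when the result feeds an alert or a join on account name, since a CN truncated at an escaped comma will not match the real principal.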