Microsoft Tech Community

KQL Syntax Parsing dynamic list of json tuples


Any guidance on how I would go about parsing a dynamic list of tuples within a single event?

The example I have attached is an AWS CloudTrail log event with a dynamic list of Security Group policies. I need to parse the toPort, fromPort, and cidr from each entry. Each log event will have a dynamic number of policies.

The goal was to break these tuples out into their own rows and join (inner) to the parent log.

Thank you in advance.

2 Replies
Hi

Have you checked out MVExpand?
That might be what you are looking for: https://docs.microsoft.com/en-us/azure/kusto/query/mvexpandoperator

@Thijs Lecomte

That worked! Thank you!

AWSCloudTrail
// RequestParameters is a JSON string; parse it and take the array of ingress/egress rules
| extend Policies = parse_json(RequestParameters).ipPermissions.items
// one output row per rule, parent columns are repeated on each row
| mvexpand Policies
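A fuller worked query, added here as an example and not part of the original thread: it uses a constructed event in the shape of a CloudTrail AuthorizeSecurityGroupIngress call (the table, column names and IDs are assumed, not the Sentinel schema), expands the rules, then expands the nested ipRanges list to get one row per port range and CIDR. Because mv-expand keeps every parent column on each expanded row, no join back to the parent event is needed; the last line flags rules open to any source so the output doubles as a detection.

```kql
// Constructed sample: two rules, the second with two CIDR ranges
let SampleEvents = datatable(EventId: string, EventName: string, RequestParameters: string) [
    "evt-1", "AuthorizeSecurityGroupIngress",
    '{"groupId":"sg-0123456789abcdef0","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"203.0.113.0/24"}]}},{"ipProtocol":"tcp","fromPort":443,"toPort":443,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"},{"cidrIp":"198.51.100.0/24"}]}}]}}'
];
SampleEvents
// parse the JSON once; Policies becomes a dynamic array of rule objects
| extend Policies = parse_json(RequestParameters).ipPermissions.items
// one row per rule (mv-expand is the current spelling; mvexpand is the legacy form)
| mv-expand Policy = Policies
| extend Protocol = tostring(Policy.ipProtocol),
         FromPort = toint(Policy.fromPort),
         ToPort   = toint(Policy.toPort)
// a rule can carry several CIDR ranges, so expand that list too
| mv-expand Range = Policy.ipRanges.items
| extend Cidr = tostring(Range.cidrIp)
// detection angle: rules reachable from any IPv4 source
| extend OpenToAnySource = (Cidr == "0.0.0.0/0")
| project EventId, EventName, Protocol, FromPort, ToPort, Cidr, OpenToAnySource
```

On the sample this returns three rows (22/tcp from 203.0.113.0/24, 443/tcp from 0.0.0.0/0 flagged true, 443/tcp from 198.51.100.0/24), each still carrying EventId and EventName from the parent event.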