SOLVED

Split userPrincipalName in Azure Sentinel Playbook

%3CLINGO-SUB%20id%3D%22lingo-sub-2562965%22%20slang%3D%22en-US%22%3ESplit%20userPrincipalName%20in%20Azure%20Sentinel%20Playbook%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2562965%22%20slang%3D%22en-US%22%3E%3CP%20data-unlink%3D%22true%22%3EPlease%20could%20someone%20give%20me%20some%20pointers%20on%20how%20I%20can%20split%20a%26nbsp%3BuserPrincipalName%20from%20%3CA%20href%3D%22mailto%3Auser.name%40doamin.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Euser.name%40doamin.com%3C%2FA%3E%26nbsp%3Bto%20user.name%3F%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EEssentially%20I%20want%20to%20extract%20everything%20before%20the%20'%40'%20symbol.%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3E%26nbsp%3B%3C%2FP%3E%3CP%20data-unlink%3D%22true%22%3EI%20attempted%20using%20this%20syntax%20however%20it%20is%20not%20working%2C%20so%20any%20pointers%20would%20be%20greatly%20appreciated.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-regex%22%3E%3CCODE%3Esplit(triggerBody()%3F%5B'object'%5D%3F%5B'properties'%5D%3F%5B'owner'%5D%3F%5B'userPrincipalName'%5D%2C%26nbsp%3B'%40')%26nbsp%3B%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20leaves%20me%20with%20%5B%22user.name%22%2C%20%22domain.com%22%5D%2C%20how%20can%20I%20escape%20the%20%22domain.com%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2563261%22%20slang%3D%22en-US%22%3ERe%3A%20Split%20userPrincipalName%20in%20Azure%20Sentinel%20Playbook%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2563261%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F652259%22%20target%3D%22_blank%22%3E%40TS-noodlemctwoodle%3C%2FA%3E%26nbsp%3BI%20think%20if%20you%20append%20%22%5B0%5D%22%20to%20end%20of%20your%20split%20you%20will%20only%20get%20the%20username.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2564876%22%20slang%3D%22en-US%22%3ERe%3A%20Split%20userPrincipalName%20in%20Azure%20Sentinel%20Playbook%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2564876%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20template%20language%20expression%20'split(triggerBody()%3F%5B'object'%5D%3F%5B'properties'%5D%3F%5B'owner'%5D%3F%5B'userPrincipalName'%5D%2C%20'%40')%5B'0'%5D'%20cannot%20be%20evaluated%20because%20property%20'0'%20cannot%20be%20selected.%20Array%20elements%20can%20only%20be%20selected%20using%20an%20integer%20index.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThis%20isnt%20possible%2C%20I%20have%20tried%20many%20variations%20of%20the%20same%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esplit(triggerBody()%3F%5B'object'%5D%3F%5B'properties'%5D%3F%5B'owner'%5D%3F%5B'userPrincipalName'%5D%2C%20'%40')%2C%5B'0'%5D'%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3Esplit(triggerBody()%3F%5B'object'%5D%3F%5B'properties'%5D%3F%5B'owner'%5D%3F%5B'userPrincipalName'%5D%2C%20'%40')(%5B'0'%5D')%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Please could someone give me some pointers on how I can split a userPrincipalName from user.name@doamin.com to user.name?

 

Essentially I want to extract everything before the '@' symbol.

 

I attempted using this syntax however it is not working, so any pointers would be greatly appreciated. 

 

 

split(triggerBody()?['object']?['properties']?['owner']?['userPrincipalName'], '@') 

 

 

This leaves me with ["user.name", "domain.com"], how can I escape the "domain.com"

 

3 Replies

@TS-noodlemctwoodle I think if you append "[0]" to end of your split you will only get the username.

@Gary Bushey 

 

The template language expression 'split(triggerBody()?['object']?['properties']?['owner']?['userPrincipalName'], '@')['0']' cannot be evaluated because property '0' cannot be selected. Array elements can only be selected using an integer index. 

 

This isnt possible, I have tried many variations of the same

split(triggerBody()?['object']?['properties']?['owner']?['userPrincipalName'], '@'),['0']'

split(triggerBody()?['object']?['properties']?['owner']?['userPrincipalName'], '@')(['0']')

best response confirmed by TS-noodlemctwoodle (Occasional Contributor)
Solution

@Gary Bushey 

 

Thanks for the pointers, this is the working Expression.

 

split(triggerBody()?['object']?['properties']?['owner']?['userPrincipalName'], '@domain.com')[0]