
Reporting on Azure Security Group Membership Additions

WumboJumbo675
Explorer

Hello -

Trying to create a query that will output additions to Azure security group memberships. I am able to successfully output the information I need, but the newValue field contains multiple different values. How do I omit the 'null' value and the security group IDs? I only want it to show the actual name of the security group. The way the logs are currently parsed, all of those values are in the same field: "properties.targetResources{}.modifiedProperties{}.newValue"

Query:

index="azure-activity" | search operationName="Add member to group" | stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.modifiedProperties{}.newValue", operationName, _time


Output: (screenshots of the query output not reproduced here)

1 Solution

marnall
Motivator

One way you could do this is by spath-ing until you get a multivalue field containing each of the modifiedProperties json objects, then use mvfilter to filter that field to only the "Group.DisplayName" json object, then spath again to get the newValue:

| spath input=_raw path=properties.targetResources{}.modifiedProperties{} output=hold
| eval hold = mvfilter(like(hold,"%Group.DisplayName%"))
| spath input=hold path=newValue output=NewGroupName


WumboJumbo675
Explorer

Awesome, that seemed to do it, thank you so much.

index="azure-activity" | spath input=_raw path=properties.targetResources{}.modifiedProperties{} output=hold
| eval hold = mvfilter(like(hold,"%Group.DisplayName%"))
| spath input=hold path=newValue output=NewGroupName
| search operationName="Add member to group" | stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", NewGroupName, operationName, _time

h20
Engager

This removes null and the UID from the target group.

| search operationName="Add member to group"
| stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.modifiedProperties{}.newValue", operationName, _time
``` removes uid ```
| regex properties.targetResources{}.modifiedProperties{}.newValue!=".{8}-.{4}-.{4}-.{4}-.{12}"
``` removes null value ```
| search NOT properties.targetResources{}.modifiedProperties{}.newValue="null"
| rename "properties.initiatedBy.user.userPrincipalName" as initiated_user, "properties.targetResources{}.userPrincipalName" as target_user, "properties.targetResources{}.modifiedProperties{}.newValue" as group_name
| eval group = replace(group_name, "\"", "")
| eval initiated_user = lower(initiated_user), target_user = lower(target_user)
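As an added illustration (not from this thread or from Splunk), the extraction that the accepted answer's SPL performs, written in Python over a constructed Azure AD audit event: it keeps only the Group.DisplayName entry of modifiedProperties, decodes its JSON-encoded newValue (the reason the raw value carries literal double quotes), and discards null and GUID values. The event layout follows the field paths the thread references; the names, GUID and values are constructed.

```python
import json
import re

# Constructed sample "Add member to group" audit event. The field paths mirror
# the ones the SPL above references; all values are made up.
SAMPLE_EVENT = {
    "operationName": "Add member to group",
    "properties": {
        "initiatedBy": {"user": {"userPrincipalName": "Admin@Contoso.com"}},
        "targetResources": [{
            "userPrincipalName": "Alice@Contoso.com",
            "modifiedProperties": [
                {"displayName": "Group.ObjectID", "oldValue": None,
                 "newValue": "\"11111111-2222-3333-4444-555555555555\""},
                {"displayName": "Group.DisplayName", "oldValue": None,
                 "newValue": "\"SG-Privileged-Admins\""},
                {"displayName": "Group.WellKnownObjectName", "oldValue": None,
                 "newValue": None},
            ],
        }],
    },
}

# Same 8-4-4-4-12 shape the regex-based answer filters out.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def decode_new_value(raw):
    """newValue is a JSON-encoded string; decode it (strip quotes as fallback)."""
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return raw.strip('"')


def group_membership_addition(event):
    """Return (initiator, target_user, group_name), or None if not applicable."""
    if event.get("operationName") != "Add member to group":
        return None
    props = event["properties"]
    initiator = props["initiatedBy"]["user"]["userPrincipalName"].lower()
    for res in props.get("targetResources", []):
        for mp in res.get("modifiedProperties", []):
            if mp.get("displayName") != "Group.DisplayName":
                continue  # skips Group.ObjectID (a GUID) and null-valued entries
            name = decode_new_value(mp.get("newValue"))
            if name and not GUID_RE.match(name):
                return initiator, res["userPrincipalName"].lower(), name
    return None
```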