Solved: Re: Reporting on Azure Security Group Membership A...

WumboJumbo675 · ‎03-14-2024

Hello -

Trying to create a query that will output additions to Azure security groups memberships. I am able to successfully output the information I need, but in the newValue field, it contains multiple different values. How do I omit the 'null' value and the security group IDs. I only want it to show that actual name of the security group. The way the logs are currently parsed, all of those values are in the same field - "properties.targetResources{}.modifiedProperties{}.newValue"

Query:

index="azure-activity" | search operationName="Add member to group" | stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.modifiedProperties{}.newValue", operationName, _time

Output:

marnall · ‎03-17-2024

One way you could do this is by spath-ing until you get a multivalue field containing each of the modifiedProperties json objects, then use mvfilter to filter that field to only the "Group.DisplayName" json object, then spath again to get the newValue:

| spath input=_raw path=properties.targetResources{}.modifiedProperties{} output=hold
| eval hold = mvfilter(like(hold,"%Group.DisplayName%"))
| spath input=hold path=newValue output=NewGroupName

View solution in original post

marnall · ‎03-17-2024

One way you could do this is by spath-ing until you get a multivalue field containing each of the modifiedProperties json objects, then use mvfilter to filter that field to only the "Group.DisplayName" json object, then spath again to get the newValue:

| spath input=_raw path=properties.targetResources{}.modifiedProperties{} output=hold
| eval hold = mvfilter(like(hold,"%Group.DisplayName%"))
| spath input=hold path=newValue output=NewGroupName

WumboJumbo675 · ‎03-19-2024

Awesome that seemed to do it, thank you so much.

index="azure-activity" | spath input=_raw path=properties.targetResources{}.modifiedProperties{} output=hold
| eval hold = mvfilter(like(hold,"%Group.DisplayName%"))
| spath input=hold path=newValue output=NewGroupName
| search operationName="Add member to group" | stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", NewGroupName, operationName, _time

h20 · ‎06-15-2024

this removes null and uid from the target group.

| search operationName="Add member to group"
| stats count by "properties.initiatedBy.user.userPrincipalName", "properties.targetResources{}.userPrincipalName", "properties.targetResources{}.modifiedProperties{}.newValue", operationName, _time
``` removes uid ```
| regex properties.targetResources{}.modifiedProperties{}.newValue!=".{8}-.{4}-.{4}-.{4}-.{12}"
``` removes null value ```
| search NOT properties.targetResources{}.modifiedProperties{}.newValue="null"
| rename "properties.initiatedBy.user.userPrincipalName" as initiated_user, "properties.targetResources{}.userPrincipalName" as target_user, "properties.targetResources{}.modifiedProperties{}.newValue" as group_name
| eval group = replace(group_name, "\"", "")
| eval initiated_user = lower(initiated_user), target_user = lower(target_user)

Reporting on Azure Security Group Membership Additions

configuration

dashboard

search

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation