REST API - Search targetResources from Azure Audit...

swaprks · ‎04-19-2024

I am trying to query audit logs from Splunk. The logs are for azure but when I hit the below query, it only returns the text fields and not the object or array fields like initiatedBy and targetResources. Do I need to query this data in a different manner?

index="directoryaudit" | fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime

tscroggins · ‎04-21-2024

Hi @swaprks,

If you're relying on automatic field-extraction, i.e. KV_MODE = auto and AUTO_KV_JSON = true or KV_MODE = json or INDEXED_EXTRACTIONS = JSON, only the nested fields are extracted, e.g.:

initiatedBy.user.id
targetResources{}.id

Arrays are extracted as multi-valued fields, e.g.:

targetResources{}.modifiedProperties{}.displayName
:=
AccountEnabled
StsRefreshTokensValidFrom
UserPrincipalName
UserType
Included Updated Properties

Automatic extraction of arrays of objects with array fields can also be confusing.

To return the native JSON directly, extract the fields as part of your search:

index=directoryaudit
| eval json=json(_raw), initiatedBy=json_extract(json, "initiatedBy"), targetResources=json_extract(json, "targetResources")
| fields id activityDisplayName result operationType correlationId initiatedBy resultReason targetResources category loggedByService activityDateTime

REST API - Search targetResources from Azure Audit via Java SDK

data

HTTP Event Collector

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Mile High Learning with Splunk University, Denver, Colorado

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Join the Conversation