Hello folks,
I'm trying to write a drill-down search for a correlation search in Enterprise Security, and I'm having trouble extracting/accessing a field in my event. Each event has a collection of conditional access policies stored in an array, with each value in the array being a collection of key-value pairs. With syntax highlighted, it looks like this (with some policies not expanded):
Here's what it looks like in the raw text:
"appliedConditionalAccessPolicies": [{"id": "xxx", "displayName": "xxx", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "notEnabled"}, {"id": "xxx", "displayName": "xxx", "enforcedGrantControls": ["Mfa"], "enforcedSessionControls": ["CloudAppSecurity"], "result": "notApplied"}, {"id": "xxx", "displayName": "xxx", "enforcedGrantControls": ["RequireApprovedApp"], "enforcedSessionControls": [], "result": "notApplied"}, ...]
We've extracted the fields:
- appliedConditionalAccessPolicies{}.displayName
- appliedConditionalAccessPolicies{}.enforcedGrantControls
- appliedConditionalAccessPolicies{}.enforcedSessionControls
- appliedConditionalAccessPolicies{}.id
- appliedConditionalAccessPolicies{}.result
However, because we have 13 different policies in the appliedConditionalAccessPolicies array, every event contains every possible value of each of these fields. We don't have a way to associate values from the same index of the array together. Many of these policies are tests, which I don't care about. I really only care about two of them, and I would like to find a way to access at least the displayName and result of only those two policies. It would also be nice to access the enforcedGrantControls and enforcedSessionControls of the policies, but those are less critical to my search.
Is there a way I can index into this array in my search to pull two specific displayName and result values out and use them, for example with a stats command?
Thanks in advance for your help!
