Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About nb662x
nb662x
Observer
Member since:
04-05-2023
04-07-2023
Community Statistics
| Posts | 3 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 04-05-2023 |
Activity Feed
- Posted Re: How to extract the json based key value pair for defined match? on Splunk Search. 04-05-2023 11:31 PM
- Posted Re: How to extract the json based key value pair for defined match? on Splunk Search. 04-05-2023 11:30 PM
- Posted How to extract the json based key value pair for defined match? on Splunk Search. 04-05-2023 11:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
04-05-2023
11:31 PM
Please find the json- { "time": "2023-04-04T07:58:02.7508973Z", "resourceId": "/tenants/r456ach/providers/Microsoft.aadiam", "operationName": "Update authorization policy", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "r456ach", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.190.145.169", "correlationId": "16800", "Level": 4, "properties": { "id": "Directory_498", "category": "AuthorizationPolicy", "correlationId": "4985e174-", "result": "success", "resultReason": "", "activityDisplayName": "Update authorization policy", "activityDateTime": "2023-04-04T07:58:02.7508973+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": { "user": { "id": "deb6abb8", "displayName": null, "userPrincipalName": "user@test.onmicrosoft.com", "ipAddress": "20.10.10.10", "roles": [] } }, "targetResources": [ { "id": "c8458b3c", "displayName": "Authorization Policy", "type": "Other", "modifiedProperties": [ { "displayName": "PermissionGrantPolicyIdsAssignedToDefaultUserRole", "oldValue": "[\"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"]", "newValue": "[\"microsoft-user-default-legacy\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"DefaultUserRolePermissions.AllowedToCreateApp, PermissionGrantPolicyIdsAssignedToDefaultUserRole\"" }, { "displayName": "DefaultUserRolePermissions.AllowedToCreateApp", "oldValue": "true", "newValue": "false" } ], "administrativeUnits": [] } ], "additionalDetails": [ { "key": "User-Agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" } ] } } I tried to create below query but not sure if it's the right way because then i need to hard code array position {2} in the query. Could you please suggest right way sourcetype=azure:logs "properties.targetResources{}.modifiedProperties{}.displayName"="DefaultUserRolePermissions.AllowedToCreateApp" "properties.activityDisplayName"="Update authorization policy" | spath path=properties.targetResources{} output=mp | spath path=properties.activityDisplayName output=activityName | spath output=UPN path=properties.initiatedBy.user.userPrincipalName | spath output=NewTenantCreationRestriction path=properties.targetResources{0}.modifiedProperties{2}.newValue | search NewTenantCreationRestriction=*false* | spath output=OldTenantCreationRestriction path=properties.targetResources{0}.modifiedProperties{2}.oldValue | search OldTenantCreationRestriction=*true* | spath output=Date path=properties.activityDateTime | spath output=tenantId path=properties.tenantId | table tenantId, Date, activityName, UPN , NewTenantCreationRestriction, OldTenantCreationRestriction
... View more
04-05-2023
11:30 PM
@kamlesh_vaghela Please find the json- { "time": "2023-04-04T07:58:02.7508973Z", "resourceId": "/tenants/r456ach/providers/Microsoft.aadiam", "operationName": "Update authorization policy", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "r456ach", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.190.145.169", "correlationId": "16800", "Level": 4, "properties": { "id": "Directory_498", "category": "AuthorizationPolicy", "correlationId": "4985e174-", "result": "success", "resultReason": "", "activityDisplayName": "Update authorization policy", "activityDateTime": "2023-04-04T07:58:02.7508973+00:00", "loggedByService": "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": { "user": { "id": "deb6abb8", "displayName": null, "userPrincipalName": "user@test.onmicrosoft.com", "ipAddress": "20.10.10.10", "roles": [] } }, "targetResources": [ { "id": "c8458b3c", "displayName": "Authorization Policy", "type": "Other", "modifiedProperties": [ { "displayName": "PermissionGrantPolicyIdsAssignedToDefaultUserRole", "oldValue": "[\"ManagePermissionGrantsForSelf.microsoft-user-default-legacy\"]", "newValue": "[\"microsoft-user-default-legacy\"]" }, { "displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"DefaultUserRolePermissions.AllowedToCreateApp, PermissionGrantPolicyIdsAssignedToDefaultUserRole\"" }, { "displayName": "DefaultUserRolePermissions.AllowedToCreateApp", "oldValue": "true", "newValue": "false" } ], "administrativeUnits": [] } ], "additionalDetails": [ { "key": "User-Agent", "value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" } ] } } I tried to create below query but not sure if it's the right way because then i need to hard code array position {2} in the query. Could you please suggest right way sourcetype=azure:logs "properties.targetResources{}.modifiedProperties{}.displayName"="DefaultUserRolePermissions.AllowedToCreateApp" "properties.activityDisplayName"="Update authorization policy" | spath path=properties.targetResources{} output=mp | spath path=properties.activityDisplayName output=activityName | spath output=UPN path=properties.initiatedBy.user.userPrincipalName | spath output=NewTenantCreationRestriction path=properties.targetResources{0}.modifiedProperties{2}.newValue | search NewTenantCreationRestriction=*false* | spath output=OldTenantCreationRestriction path=properties.targetResources{0}.modifiedProperties{2}.oldValue | search OldTenantCreationRestriction=*true* | spath output=Date path=properties.activityDateTime | spath output=tenantId path=properties.tenantId | table tenantId, Date, activityName, UPN , NewTenantCreationRestriction, OldTenantCreationRestriction
... View more
04-05-2023
11:11 AM
below is my json file. I want to notify whenever there is a change in last property , "displayName": Included Updated Properties when newvalue:false and oldvalue:true. please let me know the search query
json file
resultReason: targetResources: [ [-] { [-] administrativeUnits: [ [+] ] displayName: Authorization Policy id: abc modifiedProperties: [ [-] { [-] displayName: PermissionGrantPolicyIdsAssignedToDefaultUserRole newValue: ["microsoft-user"] oldValue: ["Manage"] } { [-] displayName: Included Updated Properties newValue: "true" oldValue: "false" } { [+] } ]
... View more
Labels
- Labels:
-
field extraction
-
subsearch
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-07-2023
01:51 AM
|
