Hi yuanliu. Thanks for trying, but I realize my question wasn't phrased very well and my example JSON wasn't a very good example. I think I have a solution, but I'll try explaining it differently. Here's a sample JSON log (two events):

{
  "operationName": "Add app role assignment to group",
  "properties": {
    "targetResources": [
      {
        "administrativeUnits": [],
        "displayName": "MyAwesomeDisplayName",
        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "modifiedProperties": [
          {
            "displayName": "Group.DisplayName",
            "newValue": "myAwesomeGroupName",
            "oldValue": null
          }
        ],
        "type": "ServicePrincipal"
      }
    ],
    "userAgent": null
  }
}

{
  "operationName": "Add app role assignment grant to user",
  "properties": {
    "targetResources": [
      {
        "administrativeUnits": [],
        "displayName": "MyAwesomeDisplayNameTwo",
        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "modifiedProperties": [
          {
            "displayName": "User.UPN",
            "newValue": "myemail@onetrust.com",
            "oldValue": null
          }
        ],
        "type": "ServicePrincipal"
      }
    ],
    "userAgent": null
  }
}

What I want to do is, if properties.targetResources.modifiedProperties.displayName = "Group.DisplayName" then I want to retrieve the corresponding value in properties.targetResources.modifiedProperties.newValue (in this case "myAwesomeGroupName") and put it into a new field. Correspondingly, if properties.targetResources.modifiedProperties.displayName = "User.UPN" then I want to get the corresponding newValue for that as a separate field. Although, as I pondered it over the weekend, I think it's better if I make two separate alerts with two separate queries where my search only includes records where operationName = "Add app role assignment to group", then I know properties.targetResources.modifiedProperties.displayName = "Group.DisplayName" will always be there (and then a separate one for the User.UPN query/alert). I was trying to do it as a single query/alert, but there are two different things, really, so breaking them up makes more sense and should work for me.
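Both approaches described in the post, the single query that adds two fields and the two per-operationName alerts, shown as an added Python example (not the poster's or yuanliu's code, and not a Splunk query). The events are constructed to match the sample above; the function and field names (modified_value, enrich, alert_rows, group_name, user_upn) are this example's own.

```python
# Two constructed audit events modelled on the sample in the post; not real log data.
SAMPLE_EVENTS = [
    {
        "operationName": "Add app role assignment to group",
        "properties": {
            "targetResources": [
                {"displayName": "MyAwesomeDisplayName", "type": "ServicePrincipal",
                 "modifiedProperties": [
                     {"displayName": "Group.DisplayName",
                      "newValue": "myAwesomeGroupName", "oldValue": None}]}],
            "userAgent": None},
    },
    {
        "operationName": "Add app role assignment grant to user",
        "properties": {
            "targetResources": [
                {"displayName": "MyAwesomeDisplayNameTwo", "type": "ServicePrincipal",
                 "modifiedProperties": [
                     {"displayName": "User.UPN",
                      "newValue": "myemail@onetrust.com", "oldValue": None}]}],
            "userAgent": None},
    },
]

def modified_value(event, prop_name):
    """Walk every targetResources[].modifiedProperties[] entry and return the
    newValue whose displayName equals prop_name; None when the event lacks it."""
    for resource in event.get("properties", {}).get("targetResources", []):
        for change in resource.get("modifiedProperties", []):
            if change.get("displayName") == prop_name:
                return change.get("newValue")
    return None

def enrich(event):
    """Single-query approach: add both new fields to each event. The field whose
    displayName is absent from the event is None rather than an error."""
    return {"operationName": event.get("operationName"),
            "group_name": modified_value(event, "Group.DisplayName"),
            "user_upn": modified_value(event, "User.UPN")}

def alert_rows(events, operation, prop_name, field):
    """Two-alert approach: keep only events with the given operationName and
    emit the single field that operation is known to carry."""
    return [{"operationName": operation, field: modified_value(e, prop_name)}
            for e in events if e.get("operationName") == operation]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(enrich(e))
    print(alert_rows(SAMPLE_EVENTS, "Add app role assignment to group",
                     "Group.DisplayName", "group_name"))
```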