Processing Azure Monitor alert payload

  • I'm looking for some help processing some particular data: an array within an array within an array inside a JSON payload.

    I'm trying to get a LogicApp to run to audit newly created Azure AD accounts. Getting it to run is easy, but extracting the data is difficult. 

    • I'm logging my Azure AD audit logs to Log Analytics.
    • I have a query to search for the action 'AddUser'
    • I have an alert set up to call a LogicApp when it finds a match
    • The payload may contain multiple results for the query (it has a resolution of 5 minutes; if multiple users were created in this timespan they will all be included in the alert payload).
    • Search results are sent in a 'rows' array. I need to access only one particular field per search result, which is an array of name:value pairs. There's an array nested within this field.
    • I'm only really interested in the one field; however, I need to consider that there may be multiple results.

    I've tried to deconstruct and reconstruct the JSON table to a flat format in a variable using multiple loops and counters, but I just can't get it to work. I'm not a coder at all and even trying to work out the logic of how to piece this together seems beyond me. I'm really hoping there's a (fairly) simple way to do this... 

    I need to be able to parameterise the field starting with 'id' inside the 'rows' array so that I can act on this data. This appears to always be the 25th entry per "row".

    The JSON payload is below. Any pointers on how to access the info that I need in an efficient way?

    {
        "headers": {
            "Connection": "Keep-Alive",
            "Expect": "100-continue",
            "Host": "prod-24.southeastasia.logic.azure.com",
            "User-Agent": "IcMBroadcaster/1.0",
            "X-CorrelationContext": "RkkKACgAAAACAAAAEAAXGKqFpZ7kR4Y3K/Ni8EV5AQAQACianxvmEvVPlnnjaNBohjM=",
            "Content-Length": "5247",
            "Content-Type": "application/json; charset=utf-8"
        },
        "body": {
            "schemaId": "azureMonitorCommonAlertSchema",
            "data": {
                "essentials": {
                    "alertId": "xxx",
                    "alertRule": "Audit New User",
                    "severity": "Sev1",
                    "signalType": "Log",
                    "monitorCondition": "Fired",
                    "monitoringService": "Log Analytics",
                    "alertTargetIDs": [
                        "xxx"
                    ],
                    "originAlertId": "xxx",
                    "firedDateTime": "2019-10-21T01:31:52.0472916Z",
                    "description": "Fires when a new user is created in the directory. Used to run an audit process to determine if there's missing attributes which will prevent this user from being able to onboard completely (ie. is it matching attributes required for licenses and specific app provisions which are based on dynamic groups).",
                    "essentialsVersion": "1.0",
                    "alertContextVersion": "1.1"
                },
                "alertContext": {
                    "SearchQuery": "AuditLogs\n| where Type == \"AuditLogs\" and OperationName == \"Add user\" and Result == \"success\"\n",
                    "SearchIntervalStartTimeUtc": "2019-10-21T01:24:21Z",
                    "SearchIntervalEndtimeUtc": "2019-10-21T01:29:21Z",
                    "ResultCount": 1,
                    "LinkToSearchResults": "https://xxx",
                    "SeverityDescription": "Warning",
                    "WorkspaceId": "xxx",
                    "SearchIntervalDurationMin": "5",
                    "AffectedConfigurationItems": [
                        "xxx"
                    ],
                    "AlertType": "Number of results",
                    "SearchIntervalInMinutes": "5",
                    "SearchResults": {
                        "tables": [
                            {
                                "name": "PrimaryResult",
                                "columns": [
                                    {
                                        "name": "TenantId",
                                        "type": "string"
                                    },
                                    {
                                        "name": "SourceSystem",
                                        "type": "string"
                                    },
                                    {
                                        "name": "TimeGenerated",
                                        "type": "datetime"
                                    },
                                    {
                                        "name": "ResourceId",
                                        "type": "string"
                                    },
                                    {
                                        "name": "OperationName",
                                        "type": "string"
                                    },
                                    {
                                        "name": "OperationVersion",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Category",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ResultType",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ResultSignature",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ResultDescription",
                                        "type": "string"
                                    },
                                    {
                                        "name": "DurationMs",
                                        "type": "long"
                                    },
                                    {
                                        "name": "CorrelationId",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Resource",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ResourceGroup",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ResourceProvider",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Identity",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Level",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Location",
                                        "type": "string"
                                    },
                                    {
                                        "name": "AdditionalDetails",
                                        "type": "dynamic"
                                    },
                                    {
                                        "name": "Id",
                                        "type": "string"
                                    },
                                    {
                                        "name": "InitiatedBy",
                                        "type": "dynamic"
                                    },
                                    {
                                        "name": "LoggedByService",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Result",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ResultReason",
                                        "type": "string"
                                    },
                                    {
                                        "name": "TargetResources",
                                        "type": "dynamic"
                                    },
                                    {
                                        "name": "AADTenantId",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ActivityDisplayName",
                                        "type": "string"
                                    },
                                    {
                                        "name": "ActivityDateTime",
                                        "type": "datetime"
                                    },
                                    {
                                        "name": "AADOperationType",
                                        "type": "string"
                                    },
                                    {
                                        "name": "Type",
                                        "type": "string"
                                    }
                                ],
                                "rows": [
                                    [
                                        "xxx",
                                        "Azure AD",
                                        "2019-10-21T01:24:32.479Z",
                                        "xxx",
                                        "Add user",
                                        "1.0",
                                        "UserManagement",
                                        "",
                                        "None",
                                        "",
                                        0,
                                        "xxx",
                                        "Microsoft.aadiam",
                                        "Microsoft.aadiam",
                                        "",
                                        "",
                                        "",
                                        "",
                                        "[]",
                                        "xxx",
                                        "{\"user\":{\"id\":\"00000000-0000-0000-0000-000000000000\",\"displayName\":null,\"userPrincipalName\":\"exo_evo_migration@support.onmicrosoft.com\",\"ipAddress\":null}}",
                                        "Core Directory",
                                        "success",
                                        "",
                                        "[{\"id\":\"a56f0fd0-76c5-4dd9-9f91-a0077c1b2466\",\"displayName\":null,\"type\":\"User\",\"userPrincipalName\":\"xxx\",\"modifiedProperties\":[{\"displayName\":\"AccountEnabled\",\"oldValue\":\"[]\",\"newValue\":\"[true]\"},{\"displayName\":\"PasswordPolicies\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"None\\\"]\"},{\"displayName\":\"StsRefreshTokensValidFrom\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"2019-10-21T01:24:32Z\\\"]\"},{\"displayName\":\"UserPrincipalName\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"xxx@xxx\\\"]\"},{\"displayName\":\"UserType\",\"oldValue\":\"[]\",\"newValue\":\"[\\\"Member\\\"]\"},{\"displayName\":\"Included Updated Properties\",\"oldValue\":null,\"newValue\":\"\\\"AccountEnabled, PasswordPolicies, StsRefreshTokensValidFrom, UserPrincipalName, UserType\\\"\"}]}]",
                                        "xxx",
                                        "Add user",
                                        "2019-10-21T01:24:32Z",
                                        "Add",
                                        "AuditLogs"
                                    ]
                                ]
                            }
                        ],
                        "dataSources": [
                            {
                                "resourceId": "xxx",
                                "tables": [
                                    "AuditLogs"
                                ]
                            }
                        ]
                    },
                    "Threshold": 0,
                    "Operator": "Greater Than",
                    "IncludedSearchResults": "True"
                }
            }
        }
    }

    Wednesday, October 23, 2019 3:18 AM
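The field the question describes (the 25th cell of each row, which the "columns" list names TargetResources) is a JSON string embedded inside the JSON payload, so it has to be decoded a second time. The following is an added example, not code from the thread or from Azure: it resolves that column by name instead of by position, walks every row so that several users created in one 5-minute window are all audited, and runs against a constructed, trimmed stand-in for the payload above (the second row, its id and the example.test UPNs are made up).

```python
import json

# Constructed, trimmed stand-in for the payload in the question: only the
# columns needed to locate and decode TargetResources are kept, and a second
# row is added to exercise the "several users in one alert" case.
SAMPLE_PAYLOAD = {"body": {"data": {"alertContext": {"SearchResults": {"tables": [{
    "name": "PrimaryResult",
    "columns": [
        {"name": "OperationName", "type": "string"},
        {"name": "InitiatedBy", "type": "dynamic"},
        {"name": "TargetResources", "type": "dynamic"},
    ],
    "rows": [
        ["Add user",
         '{"user":{"userPrincipalName":"admin@example.test"}}',
         '[{"id":"a56f0fd0-76c5-4dd9-9f91-a0077c1b2466","type":"User",'
         '"userPrincipalName":"first.user@example.test","modifiedProperties":'
         '[{"displayName":"AccountEnabled","oldValue":"[]","newValue":"[true]"}]}]'],
        ["Add user",
         '{"user":{"userPrincipalName":"admin@example.test"}}',
         '[{"id":"11111111-2222-3333-4444-555555555555","type":"User",'
         '"userPrincipalName":"second.user@example.test","modifiedProperties":[]}]'],
    ],
}]}}}}}

def extract_new_users(payload):
    """Return one record per created user, across every row of every table.
    Columns are resolved by name rather than by position (the "25th entry"),
    so the lookup survives Log Analytics adding or reordering columns."""
    found = []
    tables = payload["body"]["data"]["alertContext"]["SearchResults"]["tables"]
    for table in tables:
        idx = {c["name"]: i for i, c in enumerate(table["columns"])}
        if "TargetResources" not in idx:
            continue  # not an AuditLogs result table
        for row in table["rows"]:
            # "dynamic" columns arrive as JSON text inside the JSON payload
            # (the array-within-an-array problem), so they need a second decode.
            targets = json.loads(row[idx["TargetResources"]] or "[]")
            actor = json.loads(row[idx["InitiatedBy"]] or "{}")
            for t in targets:
                if t.get("type") != "User":
                    continue
                found.append({
                    "id": t.get("id"),
                    "userPrincipalName": t.get("userPrincipalName"),
                    "createdBy": actor.get("user", {}).get("userPrincipalName"),
                    "modifiedProperties": {p["displayName"]: p.get("newValue")
                                           for p in t.get("modifiedProperties", [])},
                })
    return found
```

The returned records carry the creator's UPN next to the new account, which is the pair an onboarding audit (or a detection for unexpected account creation) actually needs to check.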

All replies

  • I would look at the filter shape, it enables you to get a top n from an array using the take function. So in the filter shape you could do take(triggerBody()?['SearchResults']['Rows'],25). Then after the filter you can use the last(body('filter array')) to get the 25th one. 

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Thursday, October 24, 2019 8:43 PM