SPLK1-AD
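```Entra ID audit events (JSON export) in which a group's membership rule was changed. additionalDetails is a key/value array, so GroupType is looked up by key rather than by array position.```
```source= pins one day's export file; widen or drop it for continuous monitoring.```
source="AuditLogs_2025-05-09.json" host="auditlog" index="entra1" sourcetype="_json"
| eval GroupType=mvindex('additionalDetails{}.value', mvfind('additionalDetails{}.key', "^GroupType$"))
```Changing a dynamic group's membership rule can silently add accounts to the group, and to whatever the group is entitled to, so every rule change is worth reviewing.```
| where GroupType="DynamicMembership"
```Find each modifiedProperties entry by its displayName instead of assuming positions 0/1/2 are MembershipRule, Included Updated Properties and TargetId.GroupType; a shorter or differently ordered array would otherwise put the wrong value under a hard-coded label.```
| eval idx_rule=mvfind('targetResources{}.modifiedProperties{}.displayName', "^MembershipRule$"),
       idx_props=mvfind('targetResources{}.modifiedProperties{}.displayName', "^Included Updated Properties$"),
       idx_type=mvfind('targetResources{}.modifiedProperties{}.displayName', "^TargetId\.GroupType$")
```eval string concatenation with a null operand yields null, which would blank the entire output whenever one property is absent; coalesce missing values to an empty string so the rest of the record still renders. No if() guard is needed here because the where above already restricts to DynamicMembership.```
| eval formatted_output = "===============================
targetResources:
- displayName: " + coalesce(mvindex('targetResources{}.displayName', 0), "") + "
type: " + coalesce(mvindex('targetResources{}.type', 0), "") + "
modifiedProperties:
- displayName: MembershipRule
oldValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.oldValue', idx_rule), "") + "
newValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.newValue', idx_rule), "") + "
- displayName: Included Updated Properties
oldValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.oldValue', idx_props), "") + "
newValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.newValue', idx_props), "") + "
- displayName: TargetId.GroupType
oldValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.oldValue', idx_type), "") + "
newValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.newValue', idx_type), "") + "
additionalDetails:
- key: GroupType
value: " + GroupType + "
- key: User-Agent
value: " + coalesce(mvindex('additionalDetails{}.value', mvfind('additionalDetails{}.key', "^User-Agent$")), "") + "
"
```NOTE(review): this output omits who made the change and when. For triage, consider also tabling _time and the audit record's actor fields (the initiatedBy block in Entra audit logs); confirm the extracted field names in this index before relying on them.```
| table formatted_output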
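```Entra ID audit events (JSON export) in which a group's membership rule was changed. additionalDetails is a key/value array, so GroupType is looked up by key rather than by array position.```
```source= pins one day's export file; widen or drop it for continuous monitoring.```
source="AuditLogs_2025-05-09.json" host="auditlog" index="entra1" sourcetype="_json"
| eval GroupType=mvindex('additionalDetails{}.value', mvfind('additionalDetails{}.key', "^GroupType$"))
```Changing a dynamic group's membership rule can silently add accounts to the group, and to whatever the group is entitled to, so every rule change is worth reviewing.```
| where GroupType="DynamicMembership"
```Find each modifiedProperties entry by its displayName instead of assuming positions 0/1/2 are MembershipRule, Included Updated Properties and TargetId.GroupType; a shorter or differently ordered array would otherwise put the wrong value under a hard-coded label.```
| eval idx_rule=mvfind('targetResources{}.modifiedProperties{}.displayName', "^MembershipRule$"),
       idx_props=mvfind('targetResources{}.modifiedProperties{}.displayName', "^Included Updated Properties$"),
       idx_type=mvfind('targetResources{}.modifiedProperties{}.displayName', "^TargetId\.GroupType$")
```eval string concatenation with a null operand yields null, which would blank the entire output whenever one property is absent; coalesce missing values to an empty string so the rest of the record still renders.```
| eval DETAILS = "===============================
targetResources:
- displayName: " + coalesce(mvindex('targetResources{}.displayName', 0), "") + "
type: " + coalesce(mvindex('targetResources{}.type', 0), "") + "
modifiedProperties:
- displayName: MembershipRule
oldValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.oldValue', idx_rule), "") + "
newValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.newValue', idx_rule), "") + "
- displayName: Included Updated Properties
oldValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.oldValue', idx_props), "") + "
newValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.newValue', idx_props), "") + "
- displayName: TargetId.GroupType
oldValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.oldValue', idx_type), "") + "
newValue: " + coalesce(mvindex('targetResources{}.modifiedProperties{}.newValue', idx_type), "") + "
additionalDetails:
- key: GroupType
value: " + GroupType + "
- key: User-Agent
value: " + coalesce(mvindex('additionalDetails{}.value', mvfind('additionalDetails{}.key', "^User-Agent$")), "") + "
"
```NOTE(review): this output omits who made the change and when. For triage, consider also tabling _time and the audit record's actor fields (the initiatedBy block in Entra audit logs); confirm the extracted field names in this index before relying on them.```
| table DETAILS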