How do I use KQL to verify the presence of a property in a child object?
I want to query the object below. How do I return results only when the policies array below contains an element whose policyDefinitionId equals somevalue, without using the contains keyword?
{
"isComplianceCheck": "False",
"resourceLocation": "southcentralus",
"ancestors": "thc-platform-mg,8f5a5a7f-3cdb-48f1-a894-351a54b84920",
"policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d/\",\"policySetDefinitionId\":\"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8/\",\"policyDefinitionReferenceId\":\"diagnosticsLogsInLogicAppsMonitoring\",\"policySetDefinitionName\":\"1f3afdf9-d0c9-4c3d-847f-89da613e70a8\",\"policyDefinitionName\":\"34f95f76-5386-4de7-b824-0d8478470c9d\",\"policyDefinitionEffect\":\"AuditIfNotExists\",\"policyAssignmentId\":\"/providers/Microsoft.Management/managementGroups/8f5a5a7f-3cdb-48f1-a894-351a54b84920/providers/Microsoft.Authorization/policyAssignments/a45ca010a72c41ceac351431/\",\"policyAssignmentName\":\"a45ca010a72c41ceac351431\",\"policyAssignmentScope\":\"/providers/Microsoft.Management/managementGroups/8f5a5a7f-3cdb-48f1-a894-351a54b84920\",\"policyExemptionIds\":[]}]",
"eventCategory": "Policy",
"entity": "/subscriptions/3adcdebe-b99e-4781-bcdb-65a58a976594/resourceGroups/thc-man-scus-monitoring-rg/providers/Microsoft.Logic/workflows/this-man-scus-reboot-logic",
"message": "Microsoft.Authorization/policies/audit/action",
"hierarchy": "",
"caller": "me@me.com",
"eventDataId": "474c5466-033a-4910-90a1-0ce47d80f1c5",
"eventSubmissionTimestamp": "2021-11-24T15:22:22.7433954Z",
"httpRequest": "{\"clientIpAddress\":\"47.188.89.222\"}",
"resource": "this-man-scus-reboot-logic",
"resourceGroup": "THC-MAN-SCUS-MONITORING-RG",
"resourceProviderValue": "MICROSOFT.LOGIC",
"subscriptionId": "3adcdebe-b99e-4781-bcdb-65a58a976594",
"activityStatusValue": "Success"
}
Here you go:
let MyTable = datatable(d:dynamic) [
    dynamic({
        "prop1": "value1",
        "prop2": "value2",
        "policies": "[{\"policyKey1\":\"policyValue1\",\"policyKey2\":\"policyValue2\",\"policyKey3\":\"policyValue3\"},{\"policyKey10\":\"policyValue10\",\"policyKey20\":\"policyValue20\",\"policyKey30\":\"policyValue30\"}]"
    }),
    dynamic({
        "prop1": "value10",
        "prop2": "value20",
        "policies": "[{\"policyKeyA\":\"policyValueA\",\"policyKeyB\":\"policyValueB\",\"policyKeyC\":\"policyValueC\"},{\"policyKeyAA\":\"policyValueAA\",\"policyKeyBB\":\"policyValueBB\",\"policyKeyCC\":\"policyValueCC\"}]"
    }),
    dynamic({
        "prop1": "value100",
        "prop2": "value200",
        "policies": "[{\"policyKeyA\":\"policyValueAA\",\"policyKeyB\":\"policyValueB\",\"policyKeyC\":\"policyValueC\"},{\"policyKeyAA\":\"policyValueAA\",\"policyKeyBB\":\"policyValueBB\",\"policyKeyCC\":\"policyValueCC\"}]"
    }),
];
MyTable
| mv-apply policy = todynamic(tostring(d.policies)) on
(
    mv-expand policy
    | where policy['policyKeyA'] == 'policyValueA'
)
| project-away policy
Result:
d
{
"prop1": "value10",
"prop2": "value20",
"policies": "[{"policyKeyA":"policyValueA","policyKeyB":"policyValueB","policyKeyC":"policyValueC"},{"policyKeyAA":"policyValueAA","policyKeyBB":"policyValueBB","policyKeyCC":"policyValueCC"}]"
}
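Explanation:
You need to use two tricks to solve this:
You need to use mv-apply to iterate over all the items in the policy object, and then filter for the exact policy you are looking for (for example, | where policy['policyKeyA'] == 'policyValueA').
Because the value of policies is not really JSON but a string that represents JSON, and because extracting it from a dynamic object also gives you a dynamic object, you can't just iterate over d.policies. You first need to convert it from dynamic to string, and then create a dynamic from that string, like this: todynamic(tostring(d.policies))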
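The same mv-apply pattern applied to the policyDefinitionId field from the question, as an added example that is not part of the original answer. The table name Events, the variable targetId and all rows are constructed; only the first policyDefinitionId value is taken from the event in the question.

```kusto
// Added example. Constructed rows shaped like the event in the question:
//   res-match     - policies holds the target policyDefinitionId
//   res-other     - policies holds a different (all-zero, constructed) policy GUID
//   res-substring - the target ID appears only inside a longer value, so a
//                   substring test would match it but exact equality does not
//   res-empty     - policies is an empty array
let targetId = "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d/";
let Events = datatable(d:dynamic) [
    dynamic({"resource": "res-match", "policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d/\",\"policyDefinitionEffect\":\"AuditIfNotExists\"}]"}),
    dynamic({"resource": "res-other", "policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000/\",\"policyDefinitionEffect\":\"Audit\"}]"}),
    dynamic({"resource": "res-substring", "policies": "[{\"policyDefinitionId\":\"/prefix/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d/\",\"policyDefinitionEffect\":\"Audit\"}]"}),
    dynamic({"resource": "res-empty", "policies": "[]"})
];
Events
// policies is a JSON string stored inside a dynamic bag, so convert it to a
// string first and parse that string into a real dynamic array.
| mv-apply policy = todynamic(tostring(d.policies)) on
(
    // Exact, case-sensitive comparison on the element's property (no contains).
    where tostring(policy.policyDefinitionId) == targetId
    // Keep one element per event so an event is not returned twice when
    // several elements of its policies array match.
    | take 1
)
| project resource = tostring(d.resource),
          effect = tostring(policy.policyDefinitionEffect)
```

Only the res-match row passes the filter: the substring row fails the equality test, and the empty array contributes no elements for the where clause to keep.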