I have an event hub streaming all sorts of data, and while I do see CA policy results, searching the logs and grouping is not possible, because when I do a log search using SSO as the source, the CA policies are stored in an array: my policy changes from source_json.properties.appliedConditionalAccessPolicies.20.displayName to source_json.properties.appliedConditionalAccessPolicies.22.displayName, etc. That number changes between log entries. Any sense of how I can use Insight IDR to track this? In chatting with AI, they suggest using Azure Log Analytics as it can unpack arrays. What do you all do?
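The index-shifting problem in the question comes from the way a nested JSON array is flattened into dotted keys before it reaches log search: each array position becomes a path segment, so the same policy lands under `.20.` in one sign-in event and `.22.` in the next. The script below is an added example written for this thread, not code from the poster, Rapid7 or Microsoft. It reproduces that flattening on a few constructed sign-in events (invented user names, policy names and results shaped like the Entra ID sign-in log's `appliedConditionalAccessPolicies` entries), then re-assembles the policy objects from the index-keyed fields so they can be counted and grouped by `displayName` and `result` regardless of position. The function and variable names are the example's own.

```python
import re
from collections import Counter

# Constructed sample sign-in events (not real tenant data). The nesting mirrors
# the Entra ID sign-in log schema; names, ids and results are invented.
SAMPLE_EVENTS = [
    {"properties": {"userPrincipalName": "alice@example.test",
                    "appliedConditionalAccessPolicies": [
                        {"id": "p-1", "displayName": "Require MFA for admins", "result": "success"},
                        {"id": "p-2", "displayName": "Block legacy auth", "result": "notApplied"}]}},
    # Same policies in a different order, so their array indices differ.
    {"properties": {"userPrincipalName": "bob@example.test",
                    "appliedConditionalAccessPolicies": [
                        {"id": "p-2", "displayName": "Block legacy auth", "result": "failure"},
                        {"id": "p-1", "displayName": "Require MFA for admins", "result": "success"},
                        {"id": "p-3", "displayName": "Require compliant device", "result": "reportOnlySuccess"}]}},
    # No CA policy evaluated at all.
    {"properties": {"userPrincipalName": "carol@example.test",
                    "appliedConditionalAccessPolicies": []}},
]


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into dotted keys. List indices become path
    segments, which is exactly how keys such as
    properties.appliedConditionalAccessPolicies.20.displayName arise."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix[:-1]] = obj
    return out


# Matches an index-keyed CA policy field; the optional source_json. prefix is
# what the log search in the question shows in front of properties.
INDEXED_KEY = re.compile(
    r"^(?:source_json\.)?properties\.appliedConditionalAccessPolicies\.(\d+)\.(\w+)$")


def policies_from_flat(flat):
    """Rebuild the list of policy objects from index-keyed flattened fields so
    the array position no longer matters for grouping."""
    by_index = {}
    for key, value in flat.items():
        match = INDEXED_KEY.match(key)
        if match:
            by_index.setdefault(int(match.group(1)), {})[match.group(2)] = value
    return [by_index[i] for i in sorted(by_index)]


def policy_result_counts(events):
    """Count (displayName, result) pairs across events, independent of the
    array slot each policy occupied in any given event."""
    counts = Counter()
    for event in events:
        for policy in policies_from_flat(flatten(event)):
            counts[(policy.get("displayName"), policy.get("result"))] += 1
    return counts


def users_with_policy_result(events, display_name, result):
    """Return the users for whom a named policy produced a given result, e.g.
    everyone who hit a 'failure' on the legacy-auth block."""
    users = set()
    for event in events:
        for policy in policies_from_flat(flatten(event)):
            if policy.get("displayName") == display_name and policy.get("result") == result:
                users.add(event["properties"]["userPrincipalName"])
    return sorted(users)


if __name__ == "__main__":
    # Show the index shift the question describes, then the position-free grouping.
    for event in SAMPLE_EVENTS[:2]:
        print({k: v for k, v in flatten(event).items() if k.endswith("displayName")})
    for (name, result), n in sorted(policy_result_counts(SAMPLE_EVENTS).items()):
        print(f"{name!r:35} {result!r:20} {n}")
    print("legacy-auth failures:", users_with_policy_result(SAMPLE_EVENTS, "Block legacy auth", "failure"))
```

The same idea applies upstream of log search: if the collector or a stream processor in front of Insight IDR can emit one record per policy (or a de-indexed field such as a joined list of policy names and results), grouping in the console becomes a plain key lookup instead of a search across every possible index.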
Maybe using the HAS operator will work? Similar to how it is used in this blog post?
I haven’t done it yet, but I think this is exactly what I need - thank you! I will report back when I have this up and running. Thanks!