如何通过 KQL 验证子对象中是否存在属性？

Question

我有查询返回下面的对象。仅当下面的policies 数组包含policyDefinitionId 等于somevalue 的元素而不使用contains 关键字时，如何返回结果

{
   "isComplianceCheck": "False",
   "resourceLocation": "southcentralus",
   "ancestors": "thc-platform-mg,8f5a5a7f-3cdb-48f1-a894-351a54b84920",
   "policies": "[{\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d/\",\"policySetDefinitionId\":\"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8/\",\"policyDefinitionReferenceId\":\"diagnosticsLogsInLogicAppsMonitoring\",\"policySetDefinitionName\":\"1f3afdf9-d0c9-4c3d-847f-89da613e70a8\",\"policyDefinitionName\":\"34f95f76-5386-4de7-b824-0d8478470c9d\",\"policyDefinitionEffect\":\"AuditIfNotExists\",\"policyAssignmentId\":\"/providers/Microsoft.Management/managementGroups/8f5a5a7f-3cdb-48f1-a894-351a54b84920/providers/Microsoft.Authorization/policyAssignments/a45ca010a72c41ceac351431/\",\"policyAssignmentName\":\"a45ca010a72c41ceac351431\",\"policyAssignmentScope\":\"/providers/Microsoft.Management/managementGroups/8f5a5a7f-3cdb-48f1-a894-351a54b84920\",\"policyExemptionIds\":[]}]",
   "eventCategory": "Policy",
   "entity": "/subscriptions/3adcdebe-b99e-4781-bcdb-65a58a976594/resourceGroups/thc-man-scus-monitoring-rg/providers/Microsoft.Logic/workflows/this-man-scus-reboot-logic",
   "message": "Microsoft.Authorization/policies/audit/action",
   "hierarchy": "",
   "caller": "me@me.com",
   "eventDataId": "474c5466-033a-4910-90a1-0ce47d80f1c5",
   "eventSubmissionTimestamp": "2021-11-24T15:22:22.7433954Z",
   "httpRequest": "{\"clientIpAddress\":\"47.188.89.222\"}",
   "resource": "this-man-scus-reboot-logic",
   "resourceGroup": "THC-MAN-SCUS-MONITORING-RG",
   "resourceProviderValue": "MICROSOFT.LOGIC",
   "subscriptionId": "3adcdebe-b99e-4781-bcdb-65a58a976594",
   "activityStatusValue": "Success"
}

Answer 1

给你：

let MyTable = datatable(d:dynamic) [
    dynamic({
       "prop1": "value1",
       "prop2": "value2",
       "policies": "[{\"policyKey1\":\"policyValue1\",\"policyKey2\":\"policyValue2\",\"policyKey3\":\"policyValue3\"},{\"policyKey10\":\"policyValue10\",\"policyKey20\":\"policyValue20\",\"policyKey30\":\"policyValue30\"}]"
    }),
    dynamic({
       "prop1": "value10",
       "prop2": "value20",
       "policies": "[{\"policyKeyA\":\"policyValueA\",\"policyKeyB\":\"policyValueB\",\"policyKeyC\":\"policyValueC\"},{\"policyKeyAA\":\"policyValueAA\",\"policyKeyBB\":\"policyValueBB\",\"policyKeyCC\":\"policyValueCC\"}]"
    }),
    dynamic({
       "prop1": "value100",
       "prop2": "value200",
       "policies": "[{\"policyKeyA\":\"policyValueAA\",\"policyKeyB\":\"policyValueB\",\"policyKeyC\":\"policyValueC\"},{\"policyKeyAA\":\"policyValueAA\",\"policyKeyBB\":\"policyValueBB\",\"policyKeyCC\":\"policyValueCC\"}]"
    }),
];
MyTable
| mv-apply policy = todynamic(tostring(d.policies)) on
(
    mv-expand policy
    | where policy['policyKeyA'] == 'policyValueA'
)
| project-away policy

结果：

d
{ "prop1": "value10", "prop2": "value20", "policies": "[{"policyKeyA":"policyValueA","policyKeyB":"policyValueB","policyKeyC":"policyValueC"},{"policyKeyAA":"policyValueAA","policyKeyBB":"policyValueBB","policyKeyCC":"policyValueCC"}]" }

说明：

你需要使用两个技巧来解决这个问题：

1. 您需要使用mv-apply 来遍历policy 对象中的所有项目，然后过滤您正在寻找的确切策略（例如| where policy['policyKeyA'] == 'policyValueA'）。

2. 因为policies 的值并不是真正的 json，而是代表 json 的 string，并且因为从 dynamic 对象中提取时会得到一个动态对象 - 你不能只迭代 d.policies - 你需要首先将它从动态转换为字符串，然后从这个字符串创建一个动态，如下所示：todynamic(tostring(d.policies))