I want to create code to extract JSON.

Question

I want to create code to extract JSON.

Koonnamchok Klongkaew 140

I need help pulling JSON. How do I pull it? I want to pull upnname and display it from playbook.

JSON

"name": "xxxxxxxxxxxx",
    "type": "Microsoft.SecurityInsights/Entities",
    "kind": "Account",
    "properties": {
      "accountName": "xxxxxxxxxxxx",
      "ntDomain": "xxxxxxxxxxxx",
      "upnSuffix": "xxxxxxxxxxxx",
      "sid": "xxxxxxxxxxxx",
      "aadTenantId": "xxxxxxxxxxxx",
      "aadUserId": "xxxxxxxxxxxx",
      "isDomainJoined": xxxxxxxxxxxx,
      "displayName": "xxxxxxxxxxxx",
      "dnsDomain": "xxxxxxxxxxxx",
      "additionalData": {
        "Sources": "[\"ActiveDirectory\"]",
        "AdUserId": "xxxxxxxxxxxx",
        "GivenName": "xxxxxxxxxxxx",
        "IsDeleted": "xxxxxxxxxxxx",
        "IsEnabled": "xxxxxxxxxxxx",
        "IsSensitive": "xxxxxxxxxxxx",
        "UserType": "Member",
        "UpnName": "xxxxxxxxxxxx",
        "SyncFromAad": "xxxxxxxxxxxx",
      
      },
      "friendlyName": "xxxxxxxxxxxx"
    }
  },
  {

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-12-05T20:25:20.6566667+00:00

@Koonnamchok Klongkaew

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

2 answers

Your answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-12-05T20:25:20.6566667+00:00

@Koonnamchok Klongkaew

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Dillon Silzer 57,826 Volunteer Moderator

Hello,

The button "Use Sample payload to generate schema" is what you will want to use.

Run the Azure Logic App once to generate a response (see your logs for your run) and load it into your Parse JSON part of the flow after.

Hope this helps.

If this is helpful please accept answer.

Koonnamchok Klongkaew 140 Reputation points

2023-11-27T02:23:48.8133333+00:00

Do you have an example? I'm not quite sure about the code.
Koonnamchok Klongkaew 140 Reputation points

2023-11-27T15:01:01.16+00:00

Thank you

Answer 2

@Koonnamchok Klongkaew Thanks for reaching out.

I am assuming that your Entities is the JSON array. Please correct me if my understanding is correct.

You can navigate to any of your previous run history and copy the output Entities and I think it should be something as below which you haven't shared the full output of arrays.

[
   {
      "name":"xxxxxxxxxxxx",
      "type":"Microsoft.SecurityInsights/Entities",
      "kind":"Account",
      "properties":{
         "accountName":"xxxxxxxxxxxx",
         "ntDomain":"xxxxxxxxxxxx",
         "upnSuffix":"xxxxxxxxxxxx",
         "sid":"xxxxxxxxxxxx",
         "aadTenantId":"xxxxxxxxxxxx",
         "aadUserId":"xxxxxxxxxxxx",
         "isDomainJoined":"xxxxxxxxxxxx",
         "displayName":"xxxxxxxxxxxx",
         "dnsDomain":"xxxxxxxxxxxx",
         "additionalData":{
            "Sources":"[\"ActiveDirectory\"]",
            "AdUserId":"xxxxxxxxxxxx",
            "GivenName":"xxxxxxxxxxxx",
            "IsDeleted":"xxxxxxxxxxxx",
            "IsEnabled":"xxxxxxxxxxxx",
            "IsSensitive":"xxxxxxxxxxxx",
            "UserType":"Member",
            "UpnName":"xxxxxxxxxxxx",
            "SyncFromAad":"xxxxxxxxxxxx"
         },
         "friendlyName":"xxxxxxxxxxxx"
      }
   },
   {
      "name":"xxxxxxxxxxxx",
      "type":"Microsoft.SecurityInsights/Entities",
      "kind":"Account",
      "properties":{
         "accountName":"xxxxxxxxxxxx",
         "ntDomain":"xxxxxxxxxxxx",
         "upnSuffix":"xxxxxxxxxxxx",
         "sid":"xxxxxxxxxxxx",
         "aadTenantId":"xxxxxxxxxxxx",
         "aadUserId":"xxxxxxxxxxxx",
         "isDomainJoined":"xxxxxxxxxxxx",
         "displayName":"xxxxxxxxxxxx",
         "dnsDomain":"xxxxxxxxxxxx",
         "additionalData":{
            "Sources":"[\"ActiveDirectory\"]",
            "AdUserId":"xxxxxxxxxxxx",
            "GivenName":"xxxxxxxxxxxx",
            "IsDeleted":"xxxxxxxxxxxx",
            "IsEnabled":"xxxxxxxxxxxx",
            "IsSensitive":"xxxxxxxxxxxx",
            "UserType":"Member",
            "UpnName":"xxxxxxxxxxxx",
            "SyncFromAad":"xxxxxxxxxxxx"
         },
         "friendlyName":"xxxxxxxxxxxx"
      }
   }
]

Now in you Parse JSON action you should see the Use sample payload to generate the schema and paste your previous run history action so the schema is generated for your correctly.

Now you will have the tokenized value that you can use it in your next actions. As your Json is array so either you need to use the for each action to get the individual value of upnname and displayname.

But in case your json output has only one array element so you can use the below expression to access the zeroth element of the array.

body('Parse_JSON')[0]?['properties']?['additionalData']?['UpnName']

User's image

Let me know if you need any assistance.

Please 'Accept Answer' if it helped so that it can help others in the community looking for help on similar topics.

Koonnamchok Klongkaew 140 Reputation points

2023-11-27T12:23:00.8+00:00

I have sample results. You let me find out that it can be done. But for other values, I tried and the results didn't work. Could you please tell me again? Account {"accountName":"xxxx","ntDomain":"xxxx","upnSuffix":"xxxx.com","sid":"S-1-5-21-2xxx249453-1492587677-1640847306-233236","aadTenantId":"c03b7ea5-365c-4a0f-b767-955babc64911","aadUserId":"45836cb3-7a4c-4a02-a32d-4bc731c7163b","isDomainJoined":true,"displayName":"xxx xxx","dnsDomain":"xxxx.com","additionalData":{"Sources":"[\\"AzureActiveDirectory\\"]","AdUserId":"xxxx","GivenName":"xxx","IsDeleted":"False","IsEnabled":"True","IsSensitive":"False","MailAddress":"******@xxxx.com","OnPremisesDistinguishedName":"CN=xxx xxx,OU=Vendors,OU=Bangkok,OU=Users and groups,OU=xxxx,DC=xxxx,DC=com","OnPremisesId":"xxxx","PasswordUpdateTime":"2023-10-09T02:23:39.7795277Z","OnPremisesSamAccountName":"xxxxP","Surname":"xxx","UserAccountControl":"[\\"NormalAccount\\"]","UserType":"Member","UpnName":"******@xxxx.com"," Url {"url":"[\\\\\\"20.43.13x.xxx\\\\\\",\\\\\\"20.43.xxx.xx\\\\\\",\\\\\\"20.43.xxx.95\\\\\\",\\\\\\"20.43.xxx.3\\\\\\",\\\\\\"182.53.xxx.214\\\\\\"]","additionalData":{"DetonationVerdict":"GOOD","DetonationFinalUrl":"[\\"20.43.xxx.93\\",\\"20.43.xxx.79\\",\\"20.43.xxx.95\\",\\"20.43.xxx.3\\",\\"182.53.xxx.214\\"]"},"friendlyName":"[\\\\\\"20.43.xxx.93\\\\\\",\\\\\\"20.43.xxx.79\\\\\\",\\\\\\"20.43.xxx.95\\\\\\",\\\\\\"20.43.xxx.3\\\\\\",\\\\\\"182.53.xxx.214\\\\\\"]"} Host {"hostName":"[\\"United States\\",\\"Thailand\\"]","netBiosName":"[\\"United States\\",\\"Thailand\\"]","friendlyName":"[\\"United States\\",\\"Thailand\\"]"} The value that needs to be cut in Json is special. Account Upn : xxx@xxx URL xxx.xxx.xxx.xxx, Host United States Thailand
Koonnamchok Klongkaew 140 Reputation points

2023-11-27T12:23:20.38+00:00

I have sample results. You let me find out that it can be done. But for other values, I tried and the results didn't work. Could you please tell me again?
MayankBargali-MSFT 70,936 Reputation points Moderator

2023-11-29T02:27:05.5866667+00:00

@Koonnamchok Klongkaew Are the above shared are three different JSON objects and can you confirm what JSON property you want to retrieve from individual JSON object. Also confirm if this is the array of JSON object or not.

Share via

I want to create code to extract JSON.

2 answers

Your answer