I want to create code to extract JSON.

Koonnamchok Klongkaew 140 Reputation points
2023-11-26T02:19:12.7833333+00:00

I need help pulling JSON. How do I pull it? I want to pull upnname and display it from playbook.

JSON

"name": "xxxxxxxxxxxx",
    "type": "Microsoft.SecurityInsights/Entities",
    "kind": "Account",
    "properties": {
      "accountName": "xxxxxxxxxxxx",
      "ntDomain": "xxxxxxxxxxxx",
      "upnSuffix": "xxxxxxxxxxxx",
      "sid": "xxxxxxxxxxxx",
      "aadTenantId": "xxxxxxxxxxxx",
      "aadUserId": "xxxxxxxxxxxx",
      "isDomainJoined": xxxxxxxxxxxx,
      "displayName": "xxxxxxxxxxxx",
      "dnsDomain": "xxxxxxxxxxxx",
      "additionalData": {
        "Sources": "[\"ActiveDirectory\"]",
        "AdUserId": "xxxxxxxxxxxx",
        "GivenName": "xxxxxxxxxxxx",
        "IsDeleted": "xxxxxxxxxxxx",
        "IsEnabled": "xxxxxxxxxxxx",
        "IsSensitive": "xxxxxxxxxxxx",
        "UserType": "Member",
        "UpnName": "xxxxxxxxxxxx",
        "SyncFromAad": "xxxxxxxxxxxx",
      
      },
      "friendlyName": "xxxxxxxxxxxx"
    }
  },
  {
Azure Logic Apps
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
2,985 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,057 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Dillon Silzer 56,361 Reputation points
    2023-11-26T20:11:24.2766667+00:00

    Hello,

    The button "Use Sample payload to generate schema" is what you will want to use.

    Run the Azure Logic App once to generate a response (see your logs for your run) and load it into your Parse JSON part of the flow after.

    Hope this helps.


    If this is helpful please accept answer.


  2. MayankBargali-MSFT 69,991 Reputation points
    2023-11-27T05:26:44.14+00:00

    @Koonnamchok Klongkaew Thanks for reaching out.

    I am assuming that your Entities is the JSON array. Please correct me if my understanding is correct.

    You can navigate to any of your previous run history and copy the output Entities and I think it should be something as below which you haven't shared the full output of arrays.

    [
       {
          "name":"xxxxxxxxxxxx",
          "type":"Microsoft.SecurityInsights/Entities",
          "kind":"Account",
          "properties":{
             "accountName":"xxxxxxxxxxxx",
             "ntDomain":"xxxxxxxxxxxx",
             "upnSuffix":"xxxxxxxxxxxx",
             "sid":"xxxxxxxxxxxx",
             "aadTenantId":"xxxxxxxxxxxx",
             "aadUserId":"xxxxxxxxxxxx",
             "isDomainJoined":"xxxxxxxxxxxx",
             "displayName":"xxxxxxxxxxxx",
             "dnsDomain":"xxxxxxxxxxxx",
             "additionalData":{
                "Sources":"[\"ActiveDirectory\"]",
                "AdUserId":"xxxxxxxxxxxx",
                "GivenName":"xxxxxxxxxxxx",
                "IsDeleted":"xxxxxxxxxxxx",
                "IsEnabled":"xxxxxxxxxxxx",
                "IsSensitive":"xxxxxxxxxxxx",
                "UserType":"Member",
                "UpnName":"xxxxxxxxxxxx",
                "SyncFromAad":"xxxxxxxxxxxx"
             },
             "friendlyName":"xxxxxxxxxxxx"
          }
       },
       {
          "name":"xxxxxxxxxxxx",
          "type":"Microsoft.SecurityInsights/Entities",
          "kind":"Account",
          "properties":{
             "accountName":"xxxxxxxxxxxx",
             "ntDomain":"xxxxxxxxxxxx",
             "upnSuffix":"xxxxxxxxxxxx",
             "sid":"xxxxxxxxxxxx",
             "aadTenantId":"xxxxxxxxxxxx",
             "aadUserId":"xxxxxxxxxxxx",
             "isDomainJoined":"xxxxxxxxxxxx",
             "displayName":"xxxxxxxxxxxx",
             "dnsDomain":"xxxxxxxxxxxx",
             "additionalData":{
                "Sources":"[\"ActiveDirectory\"]",
                "AdUserId":"xxxxxxxxxxxx",
                "GivenName":"xxxxxxxxxxxx",
                "IsDeleted":"xxxxxxxxxxxx",
                "IsEnabled":"xxxxxxxxxxxx",
                "IsSensitive":"xxxxxxxxxxxx",
                "UserType":"Member",
                "UpnName":"xxxxxxxxxxxx",
                "SyncFromAad":"xxxxxxxxxxxx"
             },
             "friendlyName":"xxxxxxxxxxxx"
          }
       }
    ]
    

    Now in you Parse JSON action you should see the Use sample payload to generate the schema and paste your previous run history action so the schema is generated for your correctly.

    Now you will have the tokenized value that you can use it in your next actions. As your Json is array so either you need to use the for each action to get the individual value of upnname and displayname.

    But in case your json output has only one array element so you can use the below expression to access the zeroth element of the array.

    body('Parse_JSON')[0]?['properties']?['additionalData']?['UpnName']

    User's image

    Let me know if you need any assistance.

    Please 'Accept Answer' if it helped so that it can help others in the community looking for help on similar topics.