Merge pull request #9925 from Azure/users/v-muuppugund/office365activity

Corrected index in query
Azure · Mar 18, 2024 · 808b08a · 808b08a
2 parents 6d72a32 + bbd3e29
commit 808b08a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml
@@ -22,7 +22,7 @@ query: |
   OfficeActivity
   | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule")
   and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox"))
-  | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0][0])
+  | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0])
   | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
 entityMappings:
   - entityType: Account
@@ -41,5 +41,5 @@ entityMappings:
     fieldMappings:
       - identifier: AppId
         columnName: AppId
-version: 2.0.4
+version: 2.0.5
 kind: Scheduled