Query Details
Parsing Unify Sign In Logs
Query
T
| extend
ConditionalAccessPolicies = coalesce(column_ifexists("ConditionalAccessPolicies_string", ""), tostring(column_ifexists("ConditionalAccessPolicies_dynamic", dynamic(null)))),
DeviceDetail = coalesce(column_ifexists("DeviceDetail_string", ""), tostring(column_ifexists("DeviceDetail_dynamic", dynamic(null)))),
LocationDetails = coalesce(column_ifexists("LocationDetails_string", ""), tostring(column_ifexists("LocationDetails_dynamic", dynamic(null)))),
MfaDetail = coalesce(column_ifexists("MfaDetail_string", ""), tostring(column_ifexists("MfaDetail_dynamic", dynamic(null)))),
Status = coalesce(column_ifexists("Status_string", ""), tostring(column_ifexists("Status_dynamic", dynamic(null))))
| project-away
ConditionalAccessPolicies_*,
DeviceDetail_*,
LocationDetails_*,
MfaDetail_*,
Status_*
Explanation
This query extends and renames certain columns in the T table, and then removes the original columns. The extended columns are created by combining two columns, one with a "_string" suffix and the other with a "_dynamic" suffix. If both columns exist, their values are concatenated as strings. If one of the columns is missing, it is replaced with a null value. The resulting extended columns are then renamed and the original columns are removed from the final result.
Details
Jose Sebastián Canós
Released: September 25, 2023
Tables
T
Keywords
Devices,Intune,User
Operators
extendcoalescecolumn_ifexiststostringproject-away