Forum Discussion
stianhoydal
Oct 11, 2021 (Copper Contributor)
Merge identical values from different variables
Greetings,
I have recently been trying to figure out a decent way to make an alert when a certain number of informational alerts trigger from other Defender products, like for example large amounts of Emails with malicious URLs removed. This could indicate a phishing campaign that I would like to be notified about.
The problem is this:
The sender domains are stored in different parts of Entities although they are from the same sender.
Is there a way to merge these into one variable instead of having them separated like this?
2 Replies
- CliveWatson (Former Employee)
mv-expand will help

SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
//| summarize make_set(Entities.P2SenderDomain)
| where isnotempty(Entities.P2SenderDomain)
| distinct tostring(Entities.P2SenderDomain)

or

SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
| summarize make_set(Entities.P2SenderDomain) by AlertName, tostring(Entities.MailboxPrimaryAddress)
Lots of other examples: Search · mv-expand (github.com)
- stianhoydal (Copper Contributor)
Aha, so if I understand this correctly, mv-expand unfolds the previously aggregated Entities into singular entries, making it possible to search across them without having to look through different possible locations within the Entities category?
Thanks for a quick and easy answer!
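Putting the two halves of the thread together (the expand-and-extract pattern from the reply and the threshold alert the original post asked for), here is an added KQL example that is not part of the thread. It expands each alert's Entities array so the sender domain is found wherever it sits in the array, then counts messages per sender domain in a time window and keeps only domains above a threshold. Assumptions: the entity `Type` value `mailMessage` and the `Recipient` and `NetworkMessageId` fields are taken from the Sentinel mail-message entity shape (only `P2SenderDomain` appears in the thread); the Description filter is the one from the thread; `lookback` and `threshold` are arbitrary values to tune.

```kusto
// Added example, not from the thread. Assumes Defender for Office 365 alerts
// land in SecurityAlert with a "mailMessage" entity carrying P2SenderDomain,
// Recipient and NetworkMessageId (entity field names are an assumption).
let lookback = 1h;            // window the scheduled rule looks back over
let threshold = 10;           // messages per sender domain before we care; tune to baseline
SecurityAlert
| where TimeGenerated > ago(lookback)
| where Description has "Emails with malicious URL"
// One row per entity, regardless of where in the array it sat.
// EntityIndex is kept only to show that the position varies per alert.
| mv-expand with_itemindex=EntityIndex Entity = todynamic(Entities)
| where tostring(Entity.Type) =~ "mailMessage"
| extend SenderDomain     = tolower(tostring(Entity.P2SenderDomain)),
         Recipient        = tolower(tostring(Entity.Recipient)),
         NetworkMessageId = tostring(Entity.NetworkMessageId)
| where isnotempty(SenderDomain)
// Collapse every occurrence of the same domain into a single row.
| summarize Alerts           = dcount(SystemAlertId),
            Messages         = dcount(NetworkMessageId),
            Recipients       = dcount(Recipient),
            SampleRecipients = make_set(Recipient, 5),
            EntityPositions  = make_set(EntityIndex),
            FirstSeen        = min(TimeGenerated),
            LastSeen         = max(TimeGenerated)
  by SenderDomain
// Only domains that look like a campaign survive; this is the alert condition.
| where Messages >= threshold
| order by Messages desc
```

Run it ad hoc first to pick a sensible `threshold` from your own tenant's noise, then use it as a scheduled analytics rule whose query period matches `lookback`; the final `where` is what decides whether the rule fires, so the rule's own result threshold can stay at "greater than 0". Lower-casing the domain before summarizing matters because the same sender can otherwise split into several rows on case alone.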