Forum Discussion
stianhoydal
Oct 11, 2021, Brass Contributor
Merge identical values from different variables
Greetings, I have recently been trying to figure out a decent way to make an alert when a certain amount of informational alerts triggers from other Defender products, like for example large amo...
CliveWatson
Oct 11, 2021, Former Employee
mv-expand will help
SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
//| summarize make_set(Entities.P2SenderDomain)
| where isnotempty(Entities.P2SenderDomain)
| distinct tostring(Entities.P2SenderDomain)
or
SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
| summarize make_set(Entities.P2SenderDomain) by AlertName, tostring(Entities.MailboxPrimaryAddress)
lots of other examples: Search · mv-expand (github.com)
- stianhoydal
Oct 11, 2021, Brass Contributor
Aha, so if I understand this correctly, mv-expand unfolds the previously aggregated Entities into singular entries, making it possible to search across them without having to look through different possible locations within the Entities category?
Thanks for a quick and easy answer!
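A fuller version of the approach in CliveWatson's answer, written toward the original question (raise an alert when enough of these informational alerts accumulate). This is an added example, not a query from the thread or from Microsoft: the lookback window, the threshold, the `Entity` alias, and the use of `SystemAlertId` to count alerts rather than expanded rows are my assumptions; only `Entities.P2SenderDomain` and the Description filter come from the thread.

```kql
// Added example: threshold rule over "Emails with malicious URL" alerts.
// lookback and threshold are illustrative values; tune them to your tenant.
let lookback = 1h;
let threshold = 10;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where Description contains "Emails with malicious URL"
// One row per entity; Entities is a JSON string, so parse it first.
| mv-expand Entity = todynamic(Entities)
// Keep only the mailMessage entities that carry a sender domain.
| where isnotempty(Entity.P2SenderDomain)
| extend SenderDomain = tostring(Entity.P2SenderDomain)
// After mv-expand an alert with several entities is several rows,
// so count distinct alert IDs, not rows.
| summarize AlertCount = dcount(SystemAlertId),
            SenderDomains = make_set(SenderDomain),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by AlertName
| where AlertCount >= threshold
```

Run it as a scheduled analytics rule whose query period matches `lookback`. The `dcount(SystemAlertId)` is the important detail: a plain `count()` after `mv-expand` counts entities, so one alert with five expanded entities would move you five steps toward the threshold instead of one. The `SenderDomains` set is carried along so the triggered incident shows which domains contributed.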