mv-expand - I cannot make it work!!

Can anyone spare anytime to give me a basic example of how to use mv-expand please, so that I can then expand on it! (See what I did there ) I just don't get it. I understand that it can be used ...

GaryBushey
Feb 04, 2022
CodnChips I tend to use it when trying to get the related alerts from an incident. If you look at a row in the SecurityIncident table, you will see the AlertIds field is listed like:
["695ef2b2-ceb1-d087-b3bb-846a8555xxxx","xxxxxxxx-ceb1-d087-b3bb-846a8555xxxx"]
which means it is a JSON array and in this case has 2 entries. In order to really use this field you would use mv-expand on the column as in

SecurityIncident | mv-expand AlertIds

This will create a new row for each entry in the AlertIds column. All the other columns will be the same but the AlertIds column will only contain a single value per row. This makes it much easier to perform a join against the SecurityAlert table to get the alert information.

Clive_Watson

Bronze Contributor

May 02, 2023

Only the limits documented: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator

As you converted it to "string", maybe that's the restriction, if 1600 lines > 1MB? https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/string

SocInABox

Iron Contributor

May 02, 2023

Thanks Clive_Watson

Today I gave up on the logic app because I figure out how to get the Carbon Black Cloud Azure function data connector to work :).
if you're interested:

https://simple-security.ca/2023/05/02/cheat-sheet-for-configuring-carbon-black-cloud-edr-for-sentinel/

Thanks very much for your reply.

SocInABox
Iron Contributor
May 02, 2023
but you bring up an interesting point, I guess I should have expanded the 'big' json and then applied strings to the individual fields....

Forum Discussion

mv-expand - I cannot make it work!!

Resources