cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Merge identical values from different variables

stianhoydal
Brass Contributor

‎Oct 11 2021 01:56 AM

‎Oct 11 2021 01:56 AM

Merge identical values from different variables

Greetings, 

 

I have recently been trying to figure out a decent way to make an alert when a certain amount of informational alerts triggers from other Defender products, like for example large amounts of Emails with malicious URL's removed. This could indicate a phishing campaign that i would like to be notified about. 

 

The problem is this:

stianhoydal_0-1633942416986.png

The sender domains are stored in different parts of Entities although they are from the same sender. 

Is there a way to merge these into one variable instead of having them separated like this. 

718 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by stianhoydal (Brass Contributor)
CliveWatson

‎Oct 11 2021 02:19 AM

‎Oct 11 2021 02:19 AM

Solution

Re: Merge identical values from different variables

@stianhoydal 

 

mv_expand will help

 


SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
//| summarize make_set(Entities.P2SenderDomain)
| where isnotempty(Entities.P2SenderDomain)
| distinct tostring(Entities.P2SenderDomain)

 

or

 

SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
| summarize make_set(Entities.P2SenderDomain) by AlertName, tostring(Entities.MailboxPrimaryAddress)


lots of other examples: Search · mv-expand (github.com)

 

1 Like
Reply
stianhoydal

‎Oct 11 2021 03:07 AM

‎Oct 11 2021 03:07 AM

Re: Merge identical values from different variables

Aha, so if i understand this correct the mv_expand unfolds the previously aggregated Entities into singular entries making it possible to search across them without having to look trough different possible locations within the Entities category?

Thanks for a quick and easy answer!
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by stianhoydal (Brass Contributor)
CliveWatson

‎Oct 11 2021 02:19 AM

‎Oct 11 2021 02:19 AM

Solution

Re: Merge identical values from different variables

@stianhoydal 

 

mv_expand will help

 


SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
//| summarize make_set(Entities.P2SenderDomain)
| where isnotempty(Entities.P2SenderDomain)
| distinct tostring(Entities.P2SenderDomain)

 

or

 

SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)
| summarize make_set(Entities.P2SenderDomain) by AlertName, tostring(Entities.MailboxPrimaryAddress)


lots of other examples: Search · mv-expand (github.com)

 

View solution in original post

1 Like
Reply