Oct 11 2021 01:56 AM
Greetings,
I have recently been trying to figure out a decent way to make an alert when a certain amount of informational alerts triggers from other Defender products, like for example large amounts of emails with malicious URLs removed. This could indicate a phishing campaign that I would like to be notified about.
The problem is this:
The sender domains are stored in different parts of Entities although they are from the same sender.
Is there a way to merge these into one variable instead of having them separated like this?
Oct 11 2021 02:19 AM
Solution
mv-expand will help
SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)              // one row per entity object in the alert's Entities array
//| summarize make_set(Entities.P2SenderDomain)
| where isnotempty(Entities.P2SenderDomain)  // keep only the entity objects that carry the sender domain
| distinct tostring(Entities.P2SenderDomain)
or
SecurityAlert
| where Description contains "Emails with malicious URL"
| mv-expand todynamic(Entities)              // one row per entity object in the alert's Entities array
| summarize make_set(Entities.P2SenderDomain) by AlertName, tostring(Entities.MailboxPrimaryAddress)
lots of other examples: Search · mv-expand (github.com)
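Building on the answer above, here is an added example (not from the thread) that re-joins the sender domain and the recipient mailbox per alert and then counts distinct recipients per sender domain, which is the shape a scheduled analytics rule needs for the "many informational alerts from one sender" case the question describes. It assumes the SecurityAlert columns SystemAlertId and TimeGenerated and uses placeholder threshold values that need tuning.

```kql
// Added example, not the original poster's or the answerer's query.
// Goal: one row per sender domain that hit several mailboxes in the lookback window.
let lookback = 1h;          // placeholder: window of the scheduled rule
let minRecipients = 5;      // placeholder: how many distinct mailboxes count as a campaign
SecurityAlert
| where TimeGenerated > ago(lookback)
| where Description contains "Emails with malicious URL"
// Each alert's Entities array holds several objects; expand to one row per object.
| mv-expand Entity = todynamic(Entities)
| extend SenderDomain = tostring(Entity.P2SenderDomain),
         Recipient    = tostring(Entity.MailboxPrimaryAddress)
// Sender domain and mailbox sit in different entity objects of the same alert,
// so collapse back to one row per alert, keeping whichever object carried each value.
| summarize SenderDomain = take_anyif(SenderDomain, isnotempty(SenderDomain)),
            Recipient    = take_anyif(Recipient, isnotempty(Recipient)),
            AlertTime    = min(TimeGenerated)
    by SystemAlertId, AlertName
| where isnotempty(SenderDomain)
// Now aggregate across alerts: how many distinct mailboxes did each sender domain reach?
| summarize AlertCount     = count(),
            RecipientCount = dcount(Recipient),
            Recipients     = make_set(Recipient, 50),
            FirstSeen      = min(AlertTime),
            LastSeen       = max(AlertTime)
    by SenderDomain, AlertName
| where RecipientCount >= minRecipients
| order by RecipientCount desc
```

Run it ad hoc first to pick sensible values for lookback and minRecipients, then use the same query body in the analytics rule with SenderDomain and Recipients mapped as entities.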
Oct 11 2021 03:07 AM