Hi,
I've had an issue for well over a year now where I want to summarize all relevant fields by AlertId, so as to create a single row containing all information surrounding an alert in the SecurityPortal.
I'm fairly sure I've been able to solve it before, but as of now I can't recall how.
What I want is essentially this:
| summarize FileName, SHA256, DeviceName by AlertId.
That obviously doesn't work, but there's gotta be a simple way to do it without creating a bunch of subqueries with let.
The background of the issue is wanting to create a custom detection for specific detections from the AV that hasn't created an alert in the EDR, as we've seen our red teams Mimikatz being prevented by the AV without creating any alerts in the SOC.
Any input?