Sentinel Alert- Querying multiple Entities

Aman_Khan · ‎Jul 24 2022

Hi team,

Trying to build an alert in Sentinel when a phish report is submitted by users, an email containing sender,recipient and subject in sent to ops team.

Query I have built in my logic app to run when the alert is received:

SecurityAlert
| where AlertName =="Email reported by user as malware or phish"
| extend Sender=parse_json(Entities)[1].Sender
| extend Reported_by =parse_json(Entities)[1].Recipient
| extend Subject=parse_json(Entities)[1].Subject
| where isnotnull(Reported_by)
| project TimeGenerated,Reported_by,Sender,Subject

This works fine however, however if the alert contains more then one entities, how can I include all of them in one Query?

For example If I wanted to include parse_json(Entities)[0].Sender ,parse_json(Entities)[1].Sender and parse_json(Entities)[2].Sender and so on..

Wildcard does'nt seem to work parse_json(Entities)[*].Sender has'nt worked, is there a way to loop through all entities?

Thank you.

Aman_Khan · ‎Jul 26 2022

Take a look at the mv-expand operator and see if that will work for you. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator

Aman_Khan · ‎Jul 26 2022

Take a look at the mv-expand operator and see if that will work for you. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator

View solution in original post

Sentinel Alert- Querying multiple Entities

Sentinel Alert- Querying multiple Entities

Re: Sentinel Alert- Querying multiple Entities

Re: Sentinel Alert- Querying multiple Entities

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Sentinel Alert- Querying multiple Entities