Sentinel Alert- Querying multiple Entities


Hi team,

Trying to build an alert in Sentinel so that when a phish report is submitted by users, an email containing sender, recipient and subject is sent to the ops team.

 

Query I have built in my logic app to run when the alert is received:

SecurityAlert
| where AlertName =="Email reported by user as malware or phish"
| extend Sender=parse_json(Entities)[1].Sender
| extend Reported_by =parse_json(Entities)[1].Recipient
| extend Subject=parse_json(Entities)[1].Subject
| where isnotnull(Reported_by)
| project TimeGenerated,Reported_by,Sender,Subject

 

This works fine; however, if the alert contains more than one entity, how can I include all of them in one query?

For example, if I wanted to include parse_json(Entities)[0].Sender, parse_json(Entities)[1].Sender and parse_json(Entities)[2].Sender and so on.

A wildcard doesn't seem to work: parse_json(Entities)[*].Sender hasn't worked. Is there a way to loop through all entities?

Thank you.


 

1 Reply
Take a look at the mv-expand operator and see if that will work for you. https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/mvexpandoperator
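
The query from the question reworked with mv-expand, as an added example that is not part of the original reply. The datatable rows, the SystemAlertId value, the "Type" and "MailboxPrimaryAddress" fields and the addresses are constructed sample data; against a real workspace, replace SampleAlerts with SecurityAlert.

```kusto
// Constructed sample standing in for the SecurityAlert table (one alert, three entities).
let SampleAlerts = datatable(TimeGenerated: datetime, SystemAlertId: string, AlertName: string, Entities: string)
[
    datetime(2021-06-01 09:00:00), "sample-alert-1", "Email reported by user as malware or phish",
    '[{"Type":"mailbox","MailboxPrimaryAddress":"alice@contoso.example"},{"Type":"mailMessage","Sender":"a@bad.example","Recipient":"alice@contoso.example","Subject":"Invoice"},{"Type":"mailMessage","Sender":"b@bad.example","Recipient":"alice@contoso.example","Subject":"Reset your password"}]'
];
SampleAlerts
| where AlertName == "Email reported by user as malware or phish"
// Entities is a string holding a JSON array; parse it once into a dynamic value.
| extend EntityList = parse_json(Entities)
// mv-expand emits one output row per array element, so no index is hard-coded.
| mv-expand Entity = EntityList
// Dynamic properties are cast to string so they can be filtered and grouped.
| extend Sender = tostring(Entity.Sender),
         Reported_by = tostring(Entity.Recipient),
         Subject = tostring(Entity.Subject)
// Entities without a Recipient (the mailbox entity in the sample) drop out here.
| where isnotempty(Reported_by)
| project TimeGenerated, SystemAlertId, Reported_by, Sender, Subject
// Optional: fold back to one row per alert so the logic app sends a single email.
| summarize Reported_by = make_set(Reported_by),
            Senders = make_set(Sender),
            Subjects = make_set(Subject)
         by SystemAlertId, TimeGenerated
```

Without the final summarize, the query returns one row per matching entity, which suits a logic app that loops over results.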