Trying to build an alert in Sentinel so that when a phish report is submitted by users, an email containing sender, recipient and subject is sent to the ops team.
Query I have built in my logic app to run when the alert is received:
SecurityAlert
| where AlertName == "Email reported by user as malware or phish"
| extend Sender = parse_json(Entities).Sender
| extend Reported_by = parse_json(Entities).Recipient
| extend Subject = parse_json(Entities).Subject
| where isnotnull(Reported_by)
| project TimeGenerated, Reported_by, Sender, Subject
This works fine; however, if the alert contains more than one entity, how can I include all of them in one query?
For example, if I wanted to include parse_json(Entities).Sender, parse_json(Entities).Sender and parse_json(Entities).Sender and so on..
Wildcard doesn't seem to work: parse_json(Entities)[*].Sender hasn't worked. Is there a way to loop through all entities?
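One way to walk every element of the Entities array in KQL, as an added example that is not part of the original post: mv-expand turns each entity into its own row, so the same Sender/Recipient/Subject extraction works no matter how many mail entities the alert carries. The datatable is a constructed stand-in for SecurityAlert, and the filter assumes the mail entity's Type value is "mailmessage" (other entity types such as account or mailbox are skipped).

```kusto
// Constructed sample standing in for SecurityAlert: the second alert carries two mailmessage
// entities plus an account entity, which is the case the single-row parse_json(...).Sender misses.
let SampleAlerts = datatable(TimeGenerated: datetime, AlertName: string, Entities: string) [
    datetime(2024-01-01 10:00:00), "Email reported by user as malware or phish",
    '[{"$id":"2","Type":"mailmessage","Sender":"billing@example.net","Recipient":"alice@contoso.com","Subject":"Invoice overdue"},{"$id":"3","Type":"account","Name":"alice"}]',
    datetime(2024-01-01 11:30:00), "Email reported by user as malware or phish",
    '[{"$id":"2","Type":"mailmessage","Sender":"hr@example.org","Recipient":"bob@contoso.com","Subject":"Updated policy"},{"$id":"3","Type":"mailmessage","Sender":"hr@example.org","Recipient":"carol@contoso.com","Subject":"Updated policy"},{"$id":"4","Type":"account","Name":"bob"}]'
];
SampleAlerts
| where AlertName == "Email reported by user as malware or phish"
// Entities is a JSON array; mv-expand emits one row per array element
| mv-expand Entity = parse_json(Entities)
// Keep only the mail message entities (assumed Type value: "mailmessage")
| where tostring(Entity.Type) =~ "mailmessage"
| extend Sender = tostring(Entity.Sender),
         Reported_by = tostring(Entity.Recipient),
         Subject = tostring(Entity.Subject)
| where isnotempty(Reported_by)
// Collapse back to one row per alert so the logic app can put every reporter,
// sender and subject into a single email; drop this line to keep one row per message
| summarize Reported_by = make_set(Reported_by), Sender = make_set(Sender), Subject = make_set(Subject) by TimeGenerated
| project TimeGenerated, Reported_by, Sender, Subject
```

Against the sample the second alert yields Reported_by ["bob@contoso.com","carol@contoso.com"] in one row, whereas parse_json(Entities).Sender on the unexpanded row returns nothing because the top-level value is an array, not an object.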