Sentinel Alert- Querying multiple Entities

Copper Contributor

Hi team,

Trying to build an alert in Sentinel: when a phish report is submitted by users, an email containing sender, recipient and subject is sent to the ops team.


Query I have built in my logic app to run when the alert is received:

SecurityAlert   // source table assumed; the post omitted the line before the first pipe
| where AlertName == "Email reported by user as malware or phish"
| extend Sender = parse_json(Entities)[1].Sender         // only the second entity is read
| extend Reported_by = parse_json(Entities)[1].Recipient
| extend Subject = parse_json(Entities)[1].Subject
| where isnotnull(Reported_by)
| project TimeGenerated, Reported_by, Sender, Subject


This works fine; however, if the alert contains more than one entity, how can I include all of them in one query?

For example, if I wanted to include parse_json(Entities)[0].Sender, parse_json(Entities)[1].Sender and parse_json(Entities)[2].Sender and so on.

A wildcard doesn't seem to work: parse_json(Entities)[*].Sender hasn't worked. Is there a way to loop through all entities?

Thank you.


1 Reply
best response confirmed by Aman_Khan (Copper Contributor)
Take a look at the mv-expand operator and see if that will work for you.
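An added example of the mv-expand approach suggested above (not code from either poster); it assumes the query runs against the SecurityAlert table and that the mail-message entities carry Sender, Recipient and Subject fields as in the original query:

```kql
// Added example: expand the Entities array so every entity becomes its own row,
// instead of hard-coding an index such as parse_json(Entities)[1].
SecurityAlert
| where AlertName == "Email reported by user as malware or phish"
// One output row per element of the array; Idx keeps the original position (0, 1, 2, ...)
| mv-expand with_itemindex = Idx Entity = parse_json(Entities)
| extend Sender      = tostring(Entity.Sender),
         Reported_by = tostring(Entity.Recipient),
         Subject     = tostring(Entity.Subject)
// Drop entities that are not mail messages (accounts, hosts, URLs carry no Recipient)
| where isnotempty(Reported_by)
| project TimeGenerated, SystemAlertId, Idx, Reported_by, Sender, Subject
// Optional: collapse back to one row per alert for a single notification email
| summarize Senders  = make_set(Sender),
            Subjects = make_set(Subject),
            TimeGenerated = min(TimeGenerated)
          by SystemAlertId, Reported_by
```

Remove the final summarize if the logic app should send one email per reported message rather than one per alert.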