Having a JSON array is nice, but what if we really want a dataset of individual rows, where each item from the JSON array appears in a row? As you may have guessed by now, the mv-expand operator can do this for us. We take the same query as before, and pipe it into the mv-ex...
(Array/String (for IPs)). The rest of the loop: Note: Even if I have a "failed to retrieve" error on the picture, don't bother with that; it's just about the dynamic value for the Subscription. I've entered it manually and it's working fine. What I've tried: Using concat('...
SecurityAlert| extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type)| where Entitytype in~ (\"host\",\"process\")| extend hostname = EntitiesDynamicArray.HostName| extend commandline = Entities...
SecurityAlert
| extend EntitiesDynamicArray = parse_json(Entities)
| mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type)
| where Entitytype in~ ("host","process")
| extend hostname = EntitiesDynamicArray.HostName
| extend commandline = EntitiesDynamicArray...
Hi Team, Please help us to write KQL. We have created a rule with the help of the "SecurityAlert" table, but due to the last one it's not working. We don't want a particular command line alert. How will it be excluded... You are still using a single "\" not "\\". You can also use a combination of a...
Flattening the array using a secondary Select to extract only values. Using Compose to debug outputs. Despite these attempts, the query string is always malformed due to extra escaping or the nested JSON structure. I would like to know if someone has encountered this or has the solution to this ...
Since Parameters stores a JSON array, you can convert it to a dynamic type, then use the mv-expand command to expand each entry in the array into its own row, and then filter the rows:
OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation == "Add-MailboxPe...
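An added example, not taken from any of the posts above, that runs the parse_json / mv-expand / filter pattern the replies describe end to end against a constructed stand-in for the SecurityAlert table, and then drops one known-benign command line the way the question asks for. The alert names, host names and command lines are made-up sample data, and the excluded string "backup.exe" is an assumption for the demo:

```kusto
// Constructed stand-in for the SecurityAlert table; alert names, hosts and
// command lines are made-up sample data, not real alerts.
let SampleAlerts = datatable(AlertName: string, Entities: string)
[
    "Suspicious encoded command",
        '[{"Type":"host","HostName":"WS01"},{"Type":"process","CommandLine":"powershell.exe -enc SQBFAFgA"}]',
    "Scheduled backup job",
        '[{"Type":"host","HostName":"SRV02"},{"Type":"process","CommandLine":"backup.exe /daily"}]'
];
SampleAlerts
// Entities is a JSON string; parse_json turns it into a dynamic array
| extend EntitiesDynamicArray = parse_json(Entities)
// mv-expand emits one output row per array element
| mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(EntitiesDynamicArray.Type)
| where Entitytype in~ ("host", "process")
// each element carries only its own fields, so host rows have an empty commandline
| extend hostname = tostring(EntitiesDynamicArray.HostName),
         commandline = tostring(EntitiesDynamicArray.CommandLine)
// fold the host row and the process row of one alert back into a single row
| summarize hostname = max(hostname), commandline = max(commandline) by AlertName
// exclude one known-benign command line (assumed value for this demo)
| where commandline !has "backup.exe"
| project AlertName, hostname, commandline
```

The result keeps only the "Suspicious encoded command" alert with hostname WS01 and its command line; the backup job row is filtered out after the per-alert rows have been joined back together.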