I want to extract the file name from the Entities column of the Sentinel logs in Log Analytics.
Using the query below I am able to extract the particular column, Entities:
SecurityAlert
| where ProviderName == "MDATP"
| where AlertType == "WindowsDefenderAv"
| project Entities
But I want to fetch the highlighted text (the file name) from the nested rows. Can anyone let me know what filters I need to add to get that specific value?
Something like this (using mv-expand or mv-apply) can get you started:
SecurityAlert
| where ProviderName == "MDATP"
| where AlertType == "WindowsDefenderAv"
| project Entities
// Entities is stored as a JSON string in SecurityAlert, so parse it into a dynamic array before expanding
| mv-expand Entities = parse_json(Entities)
| project Entities.Name
See the documentation:
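As an added example (not part of the answer above), the following query narrows the expanded entities down to file entities only and surfaces the file name next to the alert metadata. It assumes the Sentinel entity schema used by Microsoft Defender alerts, where a file entity carries Type == "file", Name and Directory; the column aliases FileName, Directory and FileNames are my own choice. The second query does the same with mv-apply, collapsing all file names of one alert into a single set, which is the form you usually want when building a detection or a workbook column.

```kusto
// Added example: list each file entity from Defender AV alerts as its own row.
// Entities is a JSON string, so it is parsed before mv-expand can walk the array.
SecurityAlert
| where ProviderName == "MDATP"
| where AlertType == "WindowsDefenderAv"
| mv-expand Entity = parse_json(Entities)
// keep only file entities (assumed schema: Type == "file", Name, Directory)
| where tostring(Entity.Type) == "file"
| project TimeGenerated, AlertName, AlertSeverity,
          FileName = tostring(Entity.Name),
          Directory = tostring(Entity.Directory)

// Same result with mv-apply: one row per alert, file names gathered into a set.
// Useful when an alert references several files and you want them side by side.
SecurityAlert
| where ProviderName == "MDATP"
| where AlertType == "WindowsDefenderAv"
| mv-apply Entity = parse_json(Entities) on (
      where tostring(Entity.Type) == "file"
    | summarize FileNames = make_set(tostring(Entity.Name))
  )
| project TimeGenerated, AlertName, AlertSeverity, FileNames
```

If your alerts come from a different provider, check the Type values actually present with a quick `mv-expand Entity = parse_json(Entities) | distinct tostring(Entity.Type)` before relying on the "file" filter.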