Query Details

Impossible Travel KQL

Query

SecurityAlert
| where AlertName == "Impossible travel activity"
// Entities is a JSON array of the entities attached to the alert; KQL arrays are zero-based,
// so index 1 is the second element. Naming the projected column avoids an auto-generated name.
| project Name1 = tostring(parse_json(Entities)[1].Name), Entities
// Add a string column holding the Name of the element at index 3 (the fourth element)
| extend Name_ = tostring(parse_json(Entities)[3].Name)

Explanation

This query searches the SecurityAlert table for alerts named "Impossible travel activity". It parses the Entities column, a JSON array of the entities attached to the alert, and projects the Name of the element at index 1 together with the raw Entities value. It then adds a column called Name_ that holds the Name of the element at index 3, converted to a string. Because KQL arrays are zero-based, index 1 is the second entity and index 3 is the fourth, and the query relies on the alert provider always emitting entities in the same order.
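Selecting entities by array position breaks as soon as the provider emits them in a different order. The following added example (not part of the original page) rebuilds a SecurityAlert-like row with datatable from constructed values, then expands the Entities array with mv-expand and picks entities by their Type field instead; the entity JSON, account name and IP address are constructed placeholders.

```kql
// Added example: constructed row shaped like SecurityAlert so the query runs without a workspace.
// The Entities JSON, the account name "jdoe" and the address 203.0.113.10 are constructed values.
let ConstructedAlerts = datatable (AlertName:string, TimeGenerated:datetime, Entities:string) [
    "Impossible travel activity", datetime(2020-03-26 10:00:00),
    '[{"$id":"2","Name":"jdoe","UPNSuffix":"contoso.example","Type":"account"},{"$id":"3","Address":"203.0.113.10","Type":"ip"},{"$id":"4","Name":"jdoe","Type":"account"}]'
];
ConstructedAlerts
| where AlertName == "Impossible travel activity"
// One row per entity, regardless of how many entities the alert carries or their order
| mv-expand Entity = parse_json(Entities)
// Keep the entity kinds of interest by Type rather than by array index
| where tostring(Entity.Type) in ("account", "ip")
| extend AccountName = iff(tostring(Entity.Type) == "account", tostring(Entity.Name), ""),
         IpAddress   = iff(tostring(Entity.Type) == "ip", tostring(Entity.Address), "")
// Collapse back to one row per alert with the distinct accounts and IPs found
| summarize Accounts = make_set_if(AccountName, isnotempty(AccountName)),
            IpAddresses = make_set_if(IpAddress, isnotempty(IpAddress))
          by TimeGenerated, AlertName
```

The result is one row per alert listing every account and IP entity present, so a second account entity or a shifted index no longer changes what the query returns.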

Details


Rod Trent

Released: March 26, 2020

Tables

SecurityAlert

Keywords

SecurityAlert, AlertName, Impossible, Entities, Name

Operators

where, ==, project, parse_json, [], extend, tostring
