How to export this.

Mike 246 Reputation points
2022-03-30T07:36:17.14+00:00

get-mcasalert -identity 62434cc3230a2b72004c723a

_id : 62434cc3230a2b72004c723a
timestamp : 1648538333000
entities : {@{type=account; label=Jon Doe; id=445b152d-9252-49a6-8a55-9c786ad4947f; pa=jonhdoe@mathieu.company .com; entityType=2; saas=11161; inst=0},
@{type=service; label=Office 365; id=11161}, @{type=app_permission; label=API-Costdashboard-SPN; id=6242b94ed0870f0d9ecbaab5;
clientId=83e94853-2b65-4780-a79b-fd394a7cff7f; service=11161}, @{type=policyRule; label=Unusual addition of credentials to an OAuth app;
id=5fe12a973006332443b9bb11; policyType=ANOMALY_DETECTION}...}
title : Unusual addition of credentials to an OAuth app
description : The user Jon Doe (jonhdoe@mathieu.company .com) performed an unusual addition of credentials to the application API-Costdashboard-SPN. This
usage pattern may indicate that an attacker has compromised the app, and is using it to spread phishing, exfiltrate data, or to gain access to
other accounts and devices. The user added a credential of type Password. A credential of type Password is added when an application is using
a password to authenticate.
stories : {0}
contextId : bc1b92b9-5dc9-49be-995b-c97eb515a1d3
threatScore : 35
threatScoreReasoning : {@{template=UEBA_ALERTS_SEVERITY_LEVEL_EVIDENCE; parameters=}}
evidence : {@{title=}, @{title=}, @{title=}, @{title=}...}
isPreview : False
intent : {3}
resolutionStatusValue : 0
statusValue : 0
severityValue : 1
idValue : 15859739
isSystemAlert : False
URL : https://xxxx.portal.cloudappsecurity.com/#/alerts/62434cc3230a2b72004c723a
Identity : 62434cc3230a2b72004c723a

What I would want is to select only a portion of the value in entities, combined with the title and URL.

So it would look like this:

Title :Unusual addition of credentials to an OAuth app
Entities :pa=jonhdoe@mathieu.company .com
URL :https://xxxx.portal.cloudappsecurity.com/#/alerts/62434cc3230a2b72004c723a
TimeStamp :1648538333000

1 answer

  1. Limitless Technology 39,511 Reputation points
    2022-04-06T01:13:59.017+00:00

    Hi @Mike

    The logic is that for any event there are "Properties" that contain all of the specific values, and you can use them to query your output as you need.

    So you need to read a text file or a log, extract data and display it in columns in .csv format using PowerShell. If so, you can follow the thread below, where there are many suggestions on how to achieve this.

    https://learn.microsoft.com/en-us/answers/questions/357494/read-a-text-file-and-extract-data-and-display-data.html

    You can also refer to the below articles for more information:
    Use PowerShell to Parse Saved Event Logs for Errors
    https://devblogs.microsoft.com/scripting/use-powershell-to-parse-saved-event-logs-for-errors/

    Use PowerShell to Perform Offline Analysis of Security Logs
    https://devblogs.microsoft.com/scripting/use-powershell-to-perform-offline-analysis-of-security-logs/

    Hope this resolves your query!

    ----------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

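One concrete way to produce the four columns asked for in the question, as an added example that is not part of the question, the answer, or the MCAS module itself: a small function that takes a Get-MCASAlert object, picks the `pa` field from the account entity, and emits a flat object you can pipe to Format-List or Export-Csv. The function name `Select-MCASAlertSummary` and the `$alert` stand-in object are constructed for this example; the property names (`entities`, `type`, `pa`, `title`, `URL`, `timestamp`) are the ones visible in the question's output.

```powershell
# Added example: flatten one Get-MCASAlert result into Title / Entities / URL / TimeStamp.
# Select-MCASAlertSummary is a hypothetical helper written for this example, not an MCAS module cmdlet.
function Select-MCASAlertSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Alert
    )
    process {
        # entities is an array of objects; the account entity is the user who acted
        $account = @($Alert.entities | Where-Object { $_.type -eq 'account' })
        [pscustomobject]@{
            Title     = $Alert.title
            # 'pa' holds the user address seen in the entities output; an alert with no
            # account entity (e.g. a system alert) yields $null instead of an error
            Entities  = if ($account.Count -gt 0) { 'pa=' + $account[0].pa } else { $null }
            URL       = $Alert.URL
            TimeStamp = $Alert.timestamp
            # extra column: the epoch-milliseconds timestamp as a readable UTC time,
            # handy when triaging the "unusual addition of credentials" alert
            TimeUtc   = [DateTimeOffset]::FromUnixTimeMilliseconds([int64]$Alert.timestamp).UtcDateTime
        }
    }
}

# Constructed stand-in shaped like the alert in the question (values copied from it),
# so the example runs without a Defender for Cloud Apps connection.
$alert = [pscustomobject]@{
    _id       = '62434cc3230a2b72004c723a'
    timestamp = 1648538333000
    entities  = @(
        [pscustomobject]@{ type = 'account'; label = 'Jon Doe'; pa = 'jonhdoe@mathieu.company .com' }
        [pscustomobject]@{ type = 'service'; label = 'Office 365'; id = 11161 }
        [pscustomobject]@{ type = 'app_permission'; label = 'API-Costdashboard-SPN' }
    )
    title     = 'Unusual addition of credentials to an OAuth app'
    URL       = 'https://xxxx.portal.cloudappsecurity.com/#/alerts/62434cc3230a2b72004c723a'
}

$alert | Select-MCASAlertSummary | Format-List

# Against the real cmdlet, the same pipeline exports the summary to CSV:
# Get-MCASAlert -Identity 62434cc3230a2b72004c723a | Select-MCASAlertSummary | Export-Csv alerts.csv -NoTypeInformation
```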