How to export this.

Mike 246 Reputation points

get-mcasalert -identity 62434cc3230a2b72004c723a

_id : 62434cc3230a2b72004c723a
timestamp : 1648538333000
entities : {@{type=account; label=Jon Doe; id=445b152d-9252-49a6-8a55-9c786ad4947f; .com; entityType=2; saas=11161; inst=0},
@{type=service; label=Office 365; id=11161}, @{type=app_permission; label=API-Costdashboard-SPN; id=6242b94ed0870f0d9ecbaab5;
clientId=83e94853-2b65-4780-a79b-fd394a7cff7f; service=11161}, @{type=policyRule; label=Unusual addition of credentials to an OAuth app;
id=5fe12a973006332443b9bb11; policyType=ANOMALY_DETECTION}...}
title : Unusual addition of credentials to an OAuth app
description : The user Jon Doe ( .com) performed an unusual addition of credentials to the application API-Costdashboard-SPN. This
usage pattern may indicate that an attacker has compromised the app, and is using it to spread phishing, exfiltrate data, or to gain access to
other accounts and devices. The user added a credential of type Password. A credential of type Password is added when an application is using
a password to authenticate.
stories : {0}
contextId : bc1b92b9-5dc9-49be-995b-c97eb515a1d3
threatScore : 35
threatScoreReasoning : {@{template=UEBA_ALERTS_SEVERITY_LEVEL_EVIDENCE; parameters=}}
evidence : {@{title=}, @{title=}, @{title=}, @{title=}...}
isPreview : False
intent : {3}
resolutionStatusValue : 0
statusValue : 0
severityValue : 1
idValue : 15859739
isSystemAlert : False
Identity : 62434cc3230a2b72004c723a

What I would want is to only select a portion of value in entities Combined with the title and URL

So it will be like this

Title :Unusual addition of credentials to an OAuth app
Entities .com
TimeStamp :1648538333000

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,431 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Limitless Technology 39,461 Reputation points

    Hi @Mike

    The logic is for any event there are "Properties" that contain all of the specific values and you can use them to query your output as you need.

    So you need to read a text file or a log and extract data and display data in columns to a .csv format using PowerShell if so you can follow the below thread where there are many suggestions on how to achieve this.

    You can also refer to the below articles for more information:
    Use PowerShell to Parse Saved Event Logs for Errors

    Use PowerShell to Perform Offline Analysis of Security Logs

    Hope this resolves your Query!!


    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments