get-mcasalert -identity 62434cc3230a2b72004c723a
_id : 62434cc3230a2b72004c723a
timestamp : 1648538333000
entities : {@{type=account; label=Jon Doe; id=445b152d-9252-49a6-8a55-9c786ad4947f; pa=jonhdoe@mathieu.company .com; entityType=2; saas=11161; inst=0},
@{type=service; label=Office 365; id=11161}, @{type=app_permission; label=API-Costdashboard-SPN; id=6242b94ed0870f0d9ecbaab5;
clientId=83e94853-2b65-4780-a79b-fd394a7cff7f; service=11161}, @{type=policyRule; label=Unusual addition of credentials to an OAuth app;
id=5fe12a973006332443b9bb11; policyType=ANOMALY_DETECTION}...}
title : Unusual addition of credentials to an OAuth app
description : The user Jon Doe (jonhdoe@mathieu.company .com) performed an unusual addition of credentials to the application API-Costdashboard-SPN. This
usage pattern may indicate that an attacker has compromised the app, and is using it to spread phishing, exfiltrate data, or to gain access to
other accounts and devices. The user added a credential of type Password. A credential of type Password is added when an application is using
a password to authenticate.
stories : {0}
contextId : bc1b92b9-5dc9-49be-995b-c97eb515a1d3
threatScore : 35
threatScoreReasoning : {@{template=UEBA_ALERTS_SEVERITY_LEVEL_EVIDENCE; parameters=}}
evidence : {@{title=}, @{title=}, @{title=}, @{title=}...}
isPreview : False
intent : {3}
resolutionStatusValue : 0
statusValue : 0
severityValue : 1
idValue : 15859739
isSystemAlert : False
URL : https://xxxx.portal.cloudappsecurity.com/#/alerts/62434cc3230a2b72004c723a
Identity : 62434cc3230a2b72004c723a
What I would want is to only select a portion of value in entities Combined with the title and URL
So it will be like this
Title :Unusual addition of credentials to an OAuth app
Entities :pa=jonhdoe@mathieu.company .com
URL :https://xxxx.portal.cloudappsecurity.com/#/alerts/62434cc3230a2b72004c723a
TimeStamp :1648538333000