DeviceNetworkEvents
| where TimeGenerated > ago(30d)
| where InitiatingProcessVersionInfoProductName =~ "Microsoft Office"
| where ipv4_is_private(RemoteIP)==false or RemoteIPType =~ "public"
| extend InitiatingProcessCommandLine=url_decode(InitiatingProcessCommandLine)
| extend CID=extract_all("([a-f,A-F,0-9]{8}\\-[a-f,A-F,0-9]{4}\\-[a-f,A-F,0-9]{4}\\-[a-f,A-F,0-9]{4}\\-[a-f,A-F,0-9]{12})",InitiatingProcessCommandLine)
| mv-expand CID
| where isnotempty(CID)
| extend URLS=extract_all(@"(\b(?:https?:\/\/([-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}[a-z,0-9]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?))\b)",InitiatingProcessCommandLine)
| mv-expand URLS
Hello,
I ran into the following problem and I suspect there is a bug behind that. I am running the following KQL query and for a reason I cannot understand , mv-expands the CID values, but it refuses to expand the URLS field, even though it is dynamic.
I have not encountered this behavior before so I thought it might be worth looking into