Deduplicating OfficeActivity Alerts with Operation Sent – Analytic Rule
Hello,
I’ve been trying to trigger alarms every time an email with a specific subject is sent. I’m trying to avoid new alerts when
- logs with similar subjects were already triggered
- multiple users reply to or forward the email
I’m able to create a unique list, but my current output only shows the ‘Subject_’ column due to the distinct or summarize command. My goal is to merge this list with the OfficeActivity dataset to include all related columns. I’ve attempted using KQL for this purpose, but it’s resulting in duplicates once more:
let RecentSentEvents = OfficeActivity
| extend Subject_ = tostring(parse_json(Item).Subject) // Extract subject
| where Operation contains "Send" // Filter for send operations
| where tolower(Subject_) contains "X" // With X subject
| summarize by Subject_; // In here, all the other columns disappear.
// Checking if previous alerts were triggered with similar subjects
let DeduplicatingAlerts = RecentSentEvents
| join kind=leftanti SecurityAlert on $left.Subject_ == $right.DisplayName;
// Adding (or bringing back) more columns from OfficeActivity to the results.
OfficeActivity
| extend EmailSubject = tostring(parse_json(Item).Subject) // Extract subject
| where Operation contains "Send" // Filter for send operations
| where EmailSubject contains "X"
| join ???
Any tips will be much appreciated. Thanks!
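One way to get the deduplicated rows with all OfficeActivity columns intact, written here as an added example rather than the poster's query. It avoids the second join entirely: `summarize arg_min(TimeGenerated, *) by <key>` keeps the full earliest row per subject, and the leftanti join against SecurityAlert runs on a normalised key so that "RE:"/"FW:" replies and forwards collapse onto the original subject. Assumptions not in the post: the 1h/7d lookback windows, the `subject_pattern` placeholder standing in for "X", and that the existing alerts carry the subject in `SecurityAlert.DisplayName` (as the post's join implies).

```kql
// Added example, not the poster's query. Assumptions: lookback windows,
// the subject_pattern placeholder, and that prior alerts store the subject
// in SecurityAlert.DisplayName.
let lookback = 1h;               // analytic rule query window (assumed)
let alert_history = 7d;          // how far back to look for earlier alerts (assumed)
let subject_pattern = "X";       // placeholder from the question
// Strip leading RE:/FW:/FWD: prefixes (any number of them) and normalise case
// so replies and forwards share one key with the original message.
let normalise_subject = (s: string) {
    trim(@"\s+", tolower(replace_regex(s, @"(?i)^((re|fw|fwd)\s*:\s*)+", "")))
};
let RecentSentEvents = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where Operation contains "Send"
    | extend Subject_ = tostring(parse_json(Item).Subject)
    | where isnotempty(Subject_)
    | where tolower(Subject_) contains tolower(subject_pattern)
    | extend SubjectKey = normalise_subject(Subject_);
// Subjects that already produced an alert, keyed the same way.
let AlreadyAlerted = SecurityAlert
    | where TimeGenerated > ago(alert_history)
    | extend SubjectKey = normalise_subject(DisplayName)
    | distinct SubjectKey;
RecentSentEvents
| join kind=leftanti AlreadyAlerted on SubjectKey   // drop subjects alerted before
// One row per subject, with every OfficeActivity column of the earliest send
// preserved, so no second join back to OfficeActivity is needed.
| summarize arg_min(TimeGenerated, *) by SubjectKey
| project-away SubjectKey
```

If the rule's alert name is not literally the subject, match on whatever field the rule writes the subject to (for example a custom detail or the entity mapping) instead of DisplayName; the leftanti join and the arg_min deduplication stay the same.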