https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/556111#M5076 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>&nbsp;</P> <P>Assuming type of the field which contains above value is json, could you try this below:</P> <P>&nbsp;</P> <P>| alter attachment_id = arraymap(json_extract_array(to_json_string(fieldname),"$."),json_extract_scalar("@element","$.id"))<BR />| arrayexpand attachment_id</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> <P><BR />Regards.</P> Fri, 01 Sep 2023 08:51:52 GMT PiyushKohli 2023-09-01T08:51:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/555990#M5066 <DIV><SPAN>Hi,</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN>I am trying to filter o365 attachments without success, could you help pls</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV>sample</DIV> <DIV> <DIV> <DIV><LI-CODE lang="markup">[ { "@odata.type": "#microsoft.graph.fileAttachment", "@odata.mediaContentType": "image/jpeg", "id": "AAMkADEzYjJhMzM1LTY0ODctNGUxOS05ZDc5LTQ2MWM3NzFmMTRjOABGAAAAAABaN8y0q3IrQ6fyDga7Z5M3BwBvSXHDOoi0TJ5-l2B-i9PgAAAAAAEMAADyHfSb-T8wR5Fak3aFlfaBAACPB9PLAAABEgAQAE8kDtOZeABMuRd54VyYgc4=", }, { "@odata.type": "#microsoft.graph.fileAttachment", "@odata.mediaContentType": "image/png", "id": "AAMkADEzYjJhMzM1LTY0ODctNGUxOS05ZDc5LTQ2MWM3NzFmMTRjOABGAAAAAABaN8y0q3IrQ6fyDga7Z5M3BwBvSXHDOoi0TJ5-l2B-i9PgAAAAAAEMAADyHfSb-T8wR5Fak3aFlfaBAACPB9PLAAABEgAQAI8pDv4IgY1BhJhVm9_2_E8=", } ]</LI-CODE></DIV> <DIV>&nbsp;</DIV> <DIV>&nbsp;XQL</DIV> <DIV>&nbsp;</DIV> <DIV> <DIV><LI-CODE lang="markup">dataset = msft_o365_emails_raw | | fields attachments as attach | alter attachid = json_extract_scalar_array(to_json_string(arrayindex(attach, 0)) , "$.id")</LI-CODE> <P>&nbsp;</P> <P>Regards,</P> <P>Fabio Ferreira</P> </DIV> </DIV> </DIV> </DIV> Thu, 31 Aug 2023 11:21:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/555990#M5066 FabioFerreira 2023-08-31T11:21:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/556111#M5076 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271703">@FabioFerreira</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for writing to live community!</P> <P>&nbsp;</P> <P>Assuming type of the field which contains above value is json, could you try this below:</P> <P>&nbsp;</P> <P>| alter attachment_id = arraymap(json_extract_array(to_json_string(fieldname),"$."),json_extract_scalar("@element","$.id"))<BR />| arrayexpand attachment_id</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>Please mark the response as "Accept as Solution" if it answers your query.</P> <P><BR />Regards.</P> Fri, 01 Sep 2023 08:51:52 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/556111#M5076 PiyushKohli 2023-09-01T08:51:52Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/556372#M5081 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/276269">@PiyushKohli</a>&nbsp;</P> <P>&nbsp;</P> <P>It worked!</P> <P>&nbsp;</P> <P>Thanks a lot <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Regards,</P> Mon, 04 Sep 2023 09:47:19 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-filter-o365-attachments/m-p/556372#M5081 SuporteDVT 2023-09-04T09:47:19Z