I want the bag_unpack function into a single row instead of it turning each entity into a new row without explicitly making a summarize and make_set for every column. (This is because i will not know what the column names are)
SecurityAlert
| where TimeGenerated >ago(1d)
| mv-expand parse_json(Entities)
| evaluate bag_unpack(Entities, OutputColumnPrefix='Entities_')
SecurityAlert
| where TimeGenerated >ago(1d)
| mv-expand p=parse_json(Entities)
| summarize bag=make_bag(p) by TimeGenerated
| evaluate bag_unpack(bag,OutputColumnPrefix='Entities_')
This will achieve the expansion without having to type every column