When using KQL in Microsoft Sentinel, which specific operator is designed to expand a dynamic array or bag into multiple rows, making it easier to analyze nested data from a single log entry?
The operator is `mv-expand`. It works on columns of the `dynamic` data type, which is how Sentinel stores nested JSON inside a single log record. A dynamic array is an ordered list of values, like a JSON array (`["value1", "value2"]`). A property bag (also called a dynamic object) is an unordered set of key-value pairs, like a JSON object (`{"key1":"value1", "key2":"value2"}`). Both are nested data: several values packed into one field of one record, which a plain `where` or `summarize` cannot address individually without indexing into the dynamic value.
Applied to a column holding an array, `mv-expand` turns the one record into one row per array element, and every other column is copied unchanged into each generated row. Applied to a property bag, it produces one row per key-value pair, with the column holding a single-property bag (or, with `bagexpansion=array`, a two-element `[key, value]` array). An array nested inside a bag is reached by expanding the path to it, for example `mv-expand Address = Details.addresses` (where `Details` is the bag column). After expansion each element can be filtered, projected, aggregated or joined with the standard operators as though it were a top-level field, so no hand-written parsing of the dynamic value is needed. Two practical points: the expanded column is still `dynamic` unless you cast it (`to typeof(string)` on the operator, or `tostring()` afterwards), and the operator multiplies the row count by the array length, so on large tables filter before expanding and use the `limit` clause to cap the rows generated per record. When each element needs its own subquery rather than a flat expansion, the related `mv-apply` operator runs a query over every record's elements.
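The following query is an added worked example, not part of the original answer or of any Microsoft documentation. It builds a small constructed table inline with `datatable` (the `SampleLogs`, `IPs` and `Device` names are illustrative, not a real Sentinel schema) and shows array expansion with `with_itemindex` and a type cast, property-bag expansion with `bagexpansion=array`, and a `join` on the expanded rows to find sign-ins from public addresses on untrusted devices:

```kql
// Constructed sample data (not a real Sentinel table): two sign-in style
// records, each carrying a nested array (IPs) and a nested property bag (Device).
let SampleLogs = datatable(TimeGenerated: datetime, Account: string, IPs: dynamic, Device: dynamic)
[
    datetime(2024-01-01 10:00:00), "alice", dynamic(["10.0.0.5", "203.0.113.7"]), dynamic({"os": "Windows", "trusted": false}),
    datetime(2024-01-01 10:05:00), "bob",   dynamic(["198.51.100.2"]),            dynamic({"os": "Linux", "trusted": true})
];
// 1) Array expansion: one row per IP, other columns duplicated.
//    'to typeof(string)' casts the element so IP functions accept it directly;
//    'with_itemindex' records the element's position in the original array.
//    Each IP is now a scalar and can be filtered on its own.
let PublicIPs = SampleLogs
| mv-expand with_itemindex=IpIndex IP = IPs to typeof(string)
| where not(ipv4_is_private(IP))
| project TimeGenerated, Account, IpIndex, IP;
// 2) Bag expansion: one row per key-value pair. With bagexpansion=array each
//    property arrives as a two-element array [key, value], so Device[0] is the
//    key and Device[1] the value.
let DeviceProps = SampleLogs
| mv-expand bagexpansion=array Device
| project Account, Key = tostring(Device[0]), Value = Device[1];
// 3) Use the expanded rows like any other table: join the public-IP rows to the
//    device properties and keep sign-ins where the device is not trusted.
PublicIPs
| join kind=inner (
    DeviceProps
    | where Key == "trusted" and tobool(Value) == false
  ) on Account
| project TimeGenerated, Account, IpIndex, IP, Trusted = Value
```

On the sample data this returns a single row for `alice` from `203.0.113.7` (index 1 in her array); her private address `10.0.0.5` is dropped by the `ipv4_is_private` filter and `bob` is excluded because his device bag has `trusted: true`. On a real table, put any `where` clauses that do not depend on the nested values before `mv-expand`, since expansion multiplies the row count by the array length; `mv-expand ... limit N` caps the rows produced per input record if a field can carry very large arrays.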