teamwavecokr
Apr 26, 2022 Copper Contributor
Analytic questions from Azure Sentinel
I'm trying to create an Analytic rule with the query statement below:
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project SystemAlertId, Entities
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mvexpand Entities
| evaluate bag_unpack(Entities)
| extend Type = columnifexists("Type", "")
| where Type contains "host"
| summarize count() by HostName
| where count_ >= 5
'summarize' operator: Failed to resolve scalar expression named 'HostName'.
However, the above error occurs.
I think it's an error caused by the absence of a column called hostname. How should I fix it?
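
An added example, not part of the original post: `bag_unpack` only creates a column for property keys that occur in the rows it processes, so `HostName` cannot be resolved when no host entity is present. One way around this is to read the properties directly from the expanded `Entities` value, which yields an empty string instead of a missing column. The `datatable` rows are constructed sample data standing in for `SecurityAlert`.

```kusto
// Constructed sample rows standing in for the SecurityAlert table.
// Remove this `let` statement to query the real table in the workspace.
let SecurityAlert = datatable(TimeGenerated: datetime, SystemAlertId: string, Entities: string)
[
    datetime(2022-04-26 01:00:00), "a1", '[{"Type":"host","HostName":"srv01"},{"Type":"ip","Address":"10.0.0.5"}]',
    datetime(2022-04-26 02:00:00), "a2", '[{"Type":"host","HostName":"srv01"}]',
    datetime(2022-04-26 03:00:00), "a3", '[{"Type":"host","HostName":"srv01"}]',
    datetime(2022-04-26 04:00:00), "a4", '[{"Type":"host","HostName":"srv01"}]',
    datetime(2022-04-26 05:00:00), "a5", '[{"Type":"host","HostName":"srv01"}]',
    datetime(2022-04-26 06:00:00), "a6", '[{"Type":"host","HostName":"srv02"}]',
    // Alert with no host entity at all
    datetime(2022-04-26 07:00:00), "a7", '[{"Type":"ip","Address":"10.0.0.9"}]',
    // Alert with an empty Entities field
    datetime(2022-04-26 08:00:00), "a8", ''
];
SecurityAlert
// Keep only the latest record of each alert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project SystemAlertId, Entities
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mv-expand Entities
// Read the properties directly instead of using bag_unpack: a key that is
// absent from the entity gives an empty string, so both columns always exist
// in the schema, whatever the alerts in the time range contain.
| extend Type = tostring(Entities.Type), HostName = tostring(Entities.HostName)
| where Type contains "host" and isnotempty(HostName)
| summarize count() by HostName
| where count_ >= 5
```

With the sample rows, only `srv01` (five host entities) passes the threshold. Keeping `bag_unpack` and adding `| extend HostName = column_ifexists("HostName", "")` before the `summarize`, the same guard the query already applies to `Type`, is an alternative.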