Forum Discussion

teamwavecokr
Copper Contributor
Apr 26, 2022

Analytic rule question from Azure Sentinel

I'm trying to create an analytic rule with the query statement below:

SecurityAlert
// keep only the latest record for each alert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project SystemAlertId, Entities
// placeholder element so rows with empty Entities still expand to one row
| extend Entities = iff(isempty(Entities), todynamic('[{"dummy" : ""}]'), todynamic(Entities))
| mv-expand Entities
// turn each entity's properties into columns (only keys actually present become columns)
| evaluate bag_unpack(Entities)
| extend Type = columnifexists("Type", "")
| where Type contains "host"
| summarize count() by HostName
| where count_ >= 5

'summarize' operator: Failed to resolve scalar expression named 'HostName'.

 

However, the above error occurs.
I think it's an error caused by the absence of a column called HostName. How should I fix it?
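The query below is an added example, not part of the original post. It rewrites the posted query so it no longer depends on `bag_unpack` producing a `HostName` column: `bag_unpack` only creates columns for keys that appear in the rows the query actually sees, so if no host entity with a `HostName` property is present at validation or run time, `summarize ... by HostName` fails exactly as in the error above. Reading the properties with dynamic path access (`Entity.HostName`) always yields a value (empty when the key is missing) and so never fails schema resolution. It also counts distinct alerts per host rather than expanded entity rows, and carries `AlertName` along for triage; those additions, and the `DnsDomain` property, are choices made for this example.

```kql
// Added example: host entities with 5 or more distinct alerts, without bag_unpack.
SecurityAlert
// latest record per alert, as in the original query
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Entities is a JSON string; drop rows that carry no entities at all
| where isnotempty(Entities)
| project SystemAlertId, AlertName, Entities = todynamic(Entities)
// one row per entity object
| mv-expand Entity = Entities
// tostring() of a missing dynamic property is an empty string, never a resolution error
| where tostring(Entity.Type) =~ "host"
| extend HostName = tostring(Entity.HostName),
         DnsDomain = tostring(Entity.DnsDomain)
| where isnotempty(HostName)
| summarize AlertCount = dcount(SystemAlertId),
            Alerts = make_set(AlertName) by HostName, DnsDomain
| where AlertCount >= 5
```

If the `bag_unpack` version is kept instead, the same guard already used for `Type` fixes the error: add `| extend HostName = columnifexists("HostName", "")` before the final `summarize`, so the column exists even when no unpacked entity supplied it. Either way, test the rule's query over the full lookback period before saving it, since an analytic rule is validated against the data present at that moment.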

