Forum Discussion
andrew_bryant
Mar 25, 2019, Brass Contributor
Sign in risk alert and playbook
I am running into some issues with an alert I am trying to build and I wonder if anyone else has come across this. I have an alert rule with the following query: SecurityAlert | where TimeGener...
Liza Mash Levin
Mar 26, 2019, Former Employee
andrew_bryant, the entity extraction supports only string values; simply add tostring() on the column you would want to map and this will work.
We will add a warning in the UI to surface this issue, to make sure customers understand the root cause of this.
Thanks,
Liza
andrew_bryant
Apr 19, 2019, Brass Contributor
Hi Liza,
Having an issue with another alert. Here is the query:
SecurityAlert
| where ProviderName == "MCAS"
| where TimeGenerated > ago(15m)
| where AlertName == "Impossible travel activity"
| extend Entities = todynamic(Entities)
| mvexpand Entities
| project AlertName, AlertSeverity, Entities, TimeGenerated
| evaluate bag_unpack(Entities)
| extend Type = columnifexists("Type", "")
| where Type in("account", "host", "ip")
| where Type == "account"
I want to map the column Name to the AccountCustomEntity. If I add this line to the log query, it displays fine:
| extend AccountCustomEntity = tostring(Name)
But it will not allow me to save that in the alert rule. It says query syntax error. In fact, any attempt I make to add a line in the alert rule that uses the "Name" column gives me that error.
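As an added example (not code from either poster), the cast-before-mapping pattern Liza describes, applied to the per-entity expansion in Andrew's MCAS query: each property is pulled out of the dynamic Entities bag with an explicit tostring() so the mapped column has a known string type at rule-save time, rather than relying on the columns bag_unpack infers at run time. It assumes the entity objects carry "Type" and "Name" keys as in the posted query; whether this sidesteps the save-time syntax error Andrew reports is not confirmed in this thread.

```kusto
// Added example: map an account entity from an MCAS alert with explicit string casts.
// Assumes each element of Entities is an object with "Type" and "Name" keys.
SecurityAlert
| where TimeGenerated > ago(15m)
| where ProviderName == "MCAS"
| where AlertName == "Impossible travel activity"
// Entities is stored as a JSON string; parse it, then emit one row per entity.
| extend Entities = todynamic(Entities)
| mv-expand Entity = Entities
// Cast each property to string here: entity mapping only accepts string-valued
// columns, and a cast on a known column gives the rule a fixed schema to validate.
| extend EntityType = tostring(Entity.Type),
         EntityName = tostring(Entity.Name)
| where EntityType == "account"
| project TimeGenerated, AlertName, AlertSeverity, AccountCustomEntity = EntityName
```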