KevinHemelrijk
Copper Contributor
Oct 26, 2023
Solved

Watchlists: failed to resolve scalar expression

Hi Techies,

 

We want to use a watchlist inside a KQL query which is supposed to be simple, but we are actually struggling a bit with the following issue "'project' operator: Failed to resolve scalar expression named 'emailAddress'". According to the documentation it should look something like this, but it is not working correctly:

Our watchlist looks like this:

Sentinel Docs:

 

EDIT:

The problem has been solved. We have an invisible space character inside our deployment script which caused the problem. Thanks everyone for helping out, and thanks Clive_Watson for leading us in the right direction.

 

  • Clive_Watson
    Oct 26, 2023
    That's odd. Will any other Column project ok, such as SearchKey?
    Maybe there are some control characters or spaces in the original CSV file, or it's corrupted in some way?
  • Ulrik_Klepsch
    Copper Contributor
    How about something like:
    _GetWatchlist('VIPUsers') | summarize make_set(emailAddress)
  • Clive_Watson
    Bronze Contributor
    If you just query this, does it work? That error is usually the Column name not being found by project (and it's case sensitive).

    _GetWatchlist('VIPUsers') | project emailAddress

      • Clive_Watson
        Bronze Contributor
        Now try it without the project: _GetWatchlist('VIPUsers')

        It seems like the Column is named something other than "emailAddresses"
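
A pre-deployment check for the root cause found in this thread (an invisible character in the watchlist's column name), added here as an example and not part of the original posts. It assumes the watchlist is uploaded from CSV text; `audit_header`, `clean_name` and the sample CSV are constructed for illustration.

```python
import csv
import io
import unicodedata

# Categories that render as nothing or as blank space:
# Cc control, Cf format (zero-width space, BOM), Zs/Zl/Zp separators (NBSP etc.)
INVISIBLE = {"Cc", "Cf", "Zs", "Zl", "Zp"}


def clean_name(raw):
    """Drop invisible characters, keep plain interior spaces, trim the ends."""
    kept = "".join(ch for ch in raw
                   if ch == " " or unicodedata.category(ch) not in INVISIBLE)
    return kept.strip()


def audit_header(csv_text):
    """Return one finding per header column whose name differs from its cleaned form.

    'hidden' lists position and code point of every blank or invisible
    character in the flagged name (plain spaces included).
    """
    header = next(csv.reader(io.StringIO(csv_text)))
    findings = []
    for index, raw in enumerate(header):
        cleaned = clean_name(raw)
        if cleaned != raw:
            hidden = [f"{pos}:U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
                      for pos, ch in enumerate(raw)
                      if unicodedata.category(ch) in INVISIBLE]
            findings.append({"index": index, "raw": raw,
                             "cleaned": cleaned, "hidden": hidden})
    return findings


# Constructed sample: a no-break space after emailAddress and a trailing
# plain space after displayName, neither visible in most editors.
SAMPLE_CSV = ("emailAddress\u00a0,displayName ,department\n"
              "vip@example.com,VIP One,Finance\n")

if __name__ == "__main__":
    for finding in audit_header(SAMPLE_CSV):
        # repr() makes the hidden character visible as an escape sequence
        print(f"column {finding['index']}: {finding['raw']!r} -> "
              f"{finding['cleaned']!r} {finding['hidden']}")
```

A column that fails this check exists in the watchlist under the raw name, so `project emailAddress` cannot resolve it even though the name looks identical on screen.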
