09-02-2018 05:04 AM
09-02-2018 05:04 AM
Whenever I attempt to run the following Log Analytic query in Azure Log Analytics I get the following error:
'where' operator: Failed to resolve table or column expression named 'SecurityEvent'
I think it's because I need to enable 'SecurityEvent' in Log Analytics but I'm not sure. I was wondering if someone could provide a guide;
| where AccountType == "User" and EventID == 4625 and TimeGenerated > ago(6h)
| summarize IPCount = dcount(IpAddress), makeset(IpAddress) by Account
| where IPCount > 5
| sort by IPCount desc
Any ideas would be much appreciated.
09-02-2018 06:12 AM
The Security and Compliance solution has to be added to log security events.
09-02-2018 06:53 AM
Thanks for getting in touch.
Can you let me know how to add the Security and Compliance solution to the log security events?
Will I then be able to get a result from the script from Log Analytics?
09-02-2018 06:56 AM
The reason I asked how to " add the Security and Compliance solution to the log security events?" is because I believe I have already added it. However, when I run the query I get the same error
09-02-2018 09:04 AMSolution
I posted a video with a walkthrough on log collection setup. The quick version is to go into the Log Analytics workspace in Azure, Go to Workspace Overview and Add. Scroll down to the Security and Compliance solution.
You could also try going into Logs (Preview) for Advanced Log Analytics and check what shows in the Schema.
09-03-2018 07:02 AM
I haven't checked out the video yet, but just wanted to say thanks.
I will check it out later this afternoon.
09-04-2018 07:40 AM
I tried to access the link you provided for the first time today, but the site appears to be down.
Can you provide another link?
If I don't hear from you I'll submit another question, as I'm not sure if you'll see this once it has been answered.
09-04-2018 11:36 AM
Sorry about that. My site is hosted in the Azure South Central region and that seems to be offline this morning. Here is a link to the video in YouTube. https://www.youtube.com/watch?v=OI2iUIh340U&list=PLnWpsLZNgHzVXXyN9a0jm9xNNDrikHf8I&index=3&t=0s
09-04-2018 12:05 PM
Fantastic video .. very informative. Thanks
Unfortunately, the video doesn't cover adding Security Policy to allow the the following query from being added with the error:
'where' operator: Failed to resolve table or column expression named 'SecurityEvent'.
| where TimeGenerated > ago(30m)
05-29-2019 01:42 AM