Azure Query: 'where' operator: Failed to resolve column or scalar expression named 'displayName'

Hello.

Trying to enable a rule in Azure Sentinel that contains the following query:

let OperationList = dynamic(["Add member to role", "Add member to role in PIM requested (permanent)", "AzureDiagnostics"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "RoleManagement"
| where OperationName in~ (OperationList)
| mv-expand TargetResources
| extend modProps = parse_json(TargetResources).modifiedProperties
| mv-expand bagexpansion=array modProps
| evaluate bag_unpack(modProps)
| where displayName =~ "Role.WellKnownObjectName"
| extend DisplayName = displayName, GroupName = replace('"', '', newValue)
| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user
| extend AppId = initByApp.appId, 
    InitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, "not available"),
    ServicePrincipalId = initByApp.servicePrincipalId,
    ServicePrincipalName = initByApp.servicePrincipalName,
    UserId = initByUser.id,
    UserIPAddress = initByUser.ipAddress,
    UserRoles = initByUser.roles,
    UserPrincipalName = initByUser.userPrincipalName
//| where GroupName in~ (PrivilegedGroups)
// If you want to still alert for operations from PIM, remove below filtering for MS-PIM.
//| where InitiatedByDisplayName != "MS-PIM"
| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName
| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, "not available")

It returns the following error:

'where' operator: Failed to resolve column or scalar expression named 'displayName' If issue persists, please open a support ticket. Request id: 3e7b7ded-8631-4118-b133-d0501c20eba2

Do you have any idea whether this expression has stopped working in Azure, or what setting could help me so that the query returns information?

Thanks, regards.
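Added example (not part of the original post and not Microsoft's rule template): a version of the same detection that does not depend on `bag_unpack()` having seen matching rows. `bag_unpack()` derives its output columns from the data present when the query is planned, so when nothing passes the preceding filters (no matching RoleManagement events in the selected time range, or a different `modifiedProperties` shape) the column `displayName` is never created and the following `where` fails with exactly the "Failed to resolve column or scalar expression" error quoted above. Reading the properties directly from the dynamic object, or guarding them with `column_ifexists()`, makes the rule compile regardless of what data is present. The operation and group lists are taken from the poster's query as written; the commented-out filters are kept in the same state as in the original.

```kusto
let OperationList = dynamic(["Add member to role", "Add member to role in PIM requested (permanent)", "AzureDiagnostics"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
AuditLogs
| where LoggedByService =~ "Core Directory"
| where Category =~ "RoleManagement"
| where OperationName in~ (OperationList)
| mv-expand TargetResources
| extend modProps = parse_json(TargetResources).modifiedProperties
| mv-expand bagexpansion=array modProps
// Read the properties straight out of the dynamic object instead of relying on
// bag_unpack() to materialise them as columns. These paths always resolve, so the
// next 'where' compiles even when the filtered input is empty.
| extend displayName = tostring(modProps.displayName),
         newValue = tostring(modProps.newValue)
// Alternative if you prefer to keep bag_unpack(): guard the columns it may not create.
// | evaluate bag_unpack(modProps)
// | extend displayName = tostring(column_ifexists("displayName", "")),
//          newValue = tostring(column_ifexists("newValue", ""))
| where displayName =~ "Role.WellKnownObjectName"
| extend DisplayName = displayName, GroupName = replace('"', '', newValue)
| extend initByApp = parse_json(InitiatedBy).app, initByUser = parse_json(InitiatedBy).user
| extend AppId = initByApp.appId,
    InitiatedByDisplayName = case(isnotempty(initByApp.displayName), initByApp.displayName, isnotempty(initByUser.displayName), initByUser.displayName, "not available"),
    ServicePrincipalId = initByApp.servicePrincipalId,
    ServicePrincipalName = initByApp.servicePrincipalName,
    UserId = initByUser.id,
    UserIPAddress = initByUser.ipAddress,
    UserRoles = initByUser.roles,
    UserPrincipalName = initByUser.userPrincipalName
// Uncomment to restrict alerts to the privileged groups listed above.
//| where GroupName in~ (PrivilegedGroups)
// If you want to still alert for operations from PIM, leave the MS-PIM filter commented out.
//| where InitiatedByDisplayName != "MS-PIM"
| project TimeGenerated, AADOperationType, Category, OperationName, AADTenantId, AppId, InitiatedByDisplayName, ServicePrincipalId, ServicePrincipalName, DisplayName, GroupName, UserId, UserIPAddress, UserRoles, UserPrincipalName
| extend timestamp = TimeGenerated, AccountCustomEntity = case(isnotempty(ServicePrincipalName), ServicePrincipalName, isnotempty(ServicePrincipalId), ServicePrincipalId, isnotempty(UserPrincipalName), UserPrincipalName, "not available")
```

A quick way to confirm this is the cause before changing the rule: run the original query in the Logs blade over a wider time range that is known to contain a role-assignment event. If the error disappears when matching rows exist and returns on an empty range, the failure is schema inference in `bag_unpack()`, not a change in the `AuditLogs` table.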