SOLVED

Query could not be parsed at 'SecurityEvent' on line.....

Copper Contributor

We upgraded to the standard tier, but this still isn't working.


I can query events, but if I use any queries that involve SecurityEvent it doesn't work. Basically I'm trying to follow this:

 

https://pixelrobots.co.uk/2019/07/query-active-directory-security-events-using-azure-log-analytics-o...

 

 

query-securiytevent.jpg

2 Replies
best response confirmed by natv (Copper Contributor)
Solution

@natv 

That error is saying that the SecurityEvent table doesn't (yet) exist - there could be a delay, so please try again today.  You need to confirm in ASC that you are sending the data to the correct Log Analytics workspace, either a named one (like below) or a default one (there maybe a few)?

 

clipboard_image_0.png

@CliveWatson  thanks, it magically started working the next day. Then stopped working after I added a few more servers for a period of time, and started all working again sometime after.

 

All good now.

 

 

1 best response

Accepted Solutions
best response confirmed by natv (Copper Contributor)
Solution

@natv 

That error is saying that the SecurityEvent table doesn't (yet) exist - there could be a delay, so please try again today.  You need to confirm in ASC that you are sending the data to the correct Log Analytics workspace, either a named one (like below) or a default one (there maybe a few)?

 

clipboard_image_0.png

View solution in original post