SOLVED

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'


Hi Everyone,

I am struggling to define time within a query for a workbook. My KQL is meant to represent 10 deny actions followed by 1 allow connection from the same external source IP to a private destination IP within 300 seconds. The first deny connection should be the start time and the first allow connection should be the end time. Source IP should be summarized so we can check how many external source IPs succeeded in making a connection within 24 hours or 48 hours. Please, someone help me to get a proper result for the workbook. When I am running this query, the notification below occurs:

'summarize' operator: Failed to resolve scalar expression named 'TimeGenerated'

let threshold=10;
let threshold1=1;
let authenticationWindow = 5m;
let a=
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
| where DeviceAction == "deny"
// ipv4_is_private() returns a bool, so compare it as a bool rather than to the strings 'True'/'False'
| where ipv4_is_private(SourceIP) == false and ipv4_is_private(DestinationIP) == true
| summarize denycount = count() by DeviceAction, SourceIP, DestinationIP
| where denycount >= threshold;
let b=
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
| where DeviceAction == "allow"
| where ipv4_is_private(SourceIP) == false and ipv4_is_private(DestinationIP) == true
| summarize allowcount = count() by DeviceAction, SourceIP, DestinationIP
| where allowcount >= threshold1;
a|join kind = inner(b) on SourceIP
// TimeGenerated is no longer a column at this point: both summarize operators above dropped it, hence the error
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), SourceIP, DestinationIP, denycount, allowcount

2 Replies
best response confirmed by akshay250692 (New Contributor)
Solution
You haven't used that column before in the code above, so the last line doesn't know about it - maybe add it to this line?

| summarize denycount = count() by DeviceAction, SourceIP, DestinationIP, TimeGenerated
Thanks Clive for your response. It is not working in your line, i.e. it is running but data is not coming, but it's working in
| summarize allowcount = count() by DeviceAction, SourceIP, DestinationIP, TimeGenerated
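A corrected version of the query, added here as an example and not taken from the thread. It keeps TimeGenerated alive as min()/max() aggregates instead of a group-by key (grouping by the raw timestamp gives one row per distinct timestamp, so denycount never reaches 10, which would explain why the suggested line runs but returns nothing), counts only denies that precede the first allow within the window, and compares ipv4_is_private() as a bool. Column names are those used in the question; the lookback variable is an assumption.

```kusto
// Added example, not from the thread. Assumes the CommonSecurityLog columns
// named in the question (TimeGenerated, DeviceVendor, DeviceProduct,
// DeviceAction, SourceIP, DestinationIP); lookback is an assumed variable.
let threshold = 10;              // denies required before the first allow
let threshold1 = 1;              // allows required
let authenticationWindow = 5m;   // 300 seconds between first deny and first allow
let lookback = 24h;              // set to 48h for the wider view
let base =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor == "Palo Alto Networks" and DeviceProduct =~ "PAN-OS"
    // ipv4_is_private() returns a bool, so test it as a bool, not against 'True'/'False'
    | where not(ipv4_is_private(SourceIP)) and ipv4_is_private(DestinationIP);
// first successful connection per external source / private destination pair
let allows =
    base
    | where DeviceAction == "allow"
    | summarize allowcount = count(), FirstAllow = min(TimeGenerated)
        by SourceIP, DestinationIP
    | where allowcount >= threshold1;
base
| where DeviceAction == "deny"
| join kind=inner allows on SourceIP, DestinationIP
// TimeGenerated is still a row column here because nothing has summarized it away yet;
// keep only denies that precede the first allow and fall inside the window
| where TimeGenerated < FirstAllow and FirstAllow - TimeGenerated <= authenticationWindow
// the timestamp survives as an aggregate (min), not as a group-by key:
// grouping by TimeGenerated would give one row per distinct timestamp and no pair would reach the threshold
| summarize denycount = count(), StartTimeUtc = min(TimeGenerated)
    by SourceIP, DestinationIP, EndTimeUtc = FirstAllow, allowcount
| where denycount >= threshold
// one row per external source IP, ready for a workbook grid or tile
| summarize Destinations = make_set(DestinationIP), DestinationCount = dcount(DestinationIP),
    StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc),
    denycount = sum(denycount), allowcount = sum(allowcount)
    by SourceIP
| order by denycount desc
```

In a workbook, lookback can be bound to the time-range parameter so the 24h/48h view is switchable without editing the query.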