Query cannot find OfficeActivity table

%3CLINGO-SUB%20id%3D%22lingo-sub-1062810%22%20slang%3D%22en-US%22%3EQuery%20cannot%20find%20OfficeActivity%20table%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1062810%22%20slang%3D%22en-US%22%3E%3CP%3EI've%20posted%20a%20similar%20question%20on%20the%20Log%20Analytics%20forum%20as%20I%20believe%20that%20this%20has%20to%20do%20more%20with%20it%20than%20Sentinel%20so%20I%20apologize%20for%20the%20double%20posting.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20at%20least%20two%20instances%20where%20I%20receive%20OfficeActivity%20logs%20from%20Office%20365%20yet%2C%20when%20I%20try%20to%20query%20it%2C%20the%20table%20cannot%20be%20found%3A%3C%2FP%3E%3CP%3EExample%20query%3A%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3EOfficeActivity%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7C%20limit%2010%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EResult%3A%3C%2FP%3E%3CP%3E%3CSPAN%3E'take'%20operator%3A%20Failed%20to%20resolve%20table%20or%20column%20expression%20named%20'OfficeActivity'%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EThe%20connector%20has%20been%20configured%20several%20days%20ago%20and%20I%20know%20that%20the%20logs%20are%20received%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F161402iA15FFD7F8DF32FB6%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhile%20I%20tried%20to%20connect%20from%203%20different%20ISPs%20with%20no%20luck%2C%20it%20seems%20that%20from%20some%20locations%2C%20the%20data%20is%20accessible%20so%20it%20must%20be%20something%20about%20these%20tables%20being%20replicated%20through%20Azure.%20I%20have%20contributor%20role%20to%20the%20subscription.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOn%20another%20Sentinel%20instance%2C%20I'm%20able%20to%20get%20the%20OfficeActivity%20query%20results%20if%20I%20try%20to%20submit%20it%203-4%20times.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20thoughts%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1062810%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOfficeActivity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1072577%22%20slang%3D%22en-US%22%3ERe%3A%20Query%20cannot%20find%20OfficeActivity%20table%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1072577%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F353788%22%20target%3D%22_blank%22%3E%40AdiGrio%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20open%20a%20support%20ticket.%20this%20sounds%20like%20a%20bug.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

I've posted a similar question on the Log Analytics forum as I believe that this has to do more with it than Sentinel so I apologize for the double posting. 

 

I have at least two instances where I receive OfficeActivity logs from Office 365 yet, when I try to query it, the table cannot be found:

Example query:

OfficeActivity
| limit 10

 

Result:

'take' operator: Failed to resolve table or column expression named 'OfficeActivity'

 

The connector has been configured several days ago and I know that the logs are received:

 

clipboard_image_0.png

 

While I tried to connect from 3 different ISPs with no luck, it seems that from some locations, the data is accessible so it must be something about these tables being replicated through Azure. I have contributor role to the subscription.

 

On another Sentinel instance, I'm able to get the OfficeActivity query results if I try to submit it 3-4 times. 

 

Any thoughts?

1 Reply

@AdiGrio 

Please open a support ticket. this sounds like a bug.