'where' operator: Failed to resolve table or column expression named 'ProcessCreationEvents'

How do I reference the hunting schema outlined here?

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-...

I'm unable to use any of the schema tables in that article.

Thanks!

3 Replies
@sreeman I can see the tables listed in the article when I go to the Microsoft Defender ATP portal https://securitycenter.windows.com/

I don't see them in Azure Sentinel, but I'm not really expecting to.

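Hi @Gary Bushey, thanks. I know they are part of Defender ATP's DB schema; that's why I was wondering if it's available on Sentinel's DB schema as well. After all, it's just the schema table and not actions.

@sreeman

Have you enabled the Sentinel connector? https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-defender-advanced-threat-protection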