Oct 13 2022 03:27 AM
I am trying to create a simple use case based on the sign-in logs for the "detection of sign-in from a single username from two different locations".
Please find the query below:
SigninLogs
| where TimeGenerated >= ago(24h)
| evaluate bag_unpack(LocationDetails)
| project Identity, state
| summarize dcount(state) by Identity
| where dcount_state > 1
I am getting the error
'project' operator: Failed to resolve scalar expression named 'state'.
I also tried to extract the LocationDetails through the extend command, but got the same results.
Please let me know the following:-
1) Are there any limits on the operations/usage on the dynamically extracted fields in Sentinel?
2) What limitations are there?
3) Please suggest a solution so that I can use the State field to get the required results.
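
An added example, not part of the original post: one way to get a per-user count of distinct states is to read the property with dot notation and cast it to a string, instead of using bag_unpack, whose output columns depend on the data. It assumes LocationDetails is a dynamic column with a state property; the SampleSignins table and its rows are constructed for illustration.

```kql
// Constructed sample rows standing in for SigninLogs (not real data).
// Against a real workspace, replace SampleSignins with:
//   SigninLogs | where TimeGenerated >= ago(24h)
let SampleSignins = datatable(TimeGenerated:datetime, Identity:string, LocationDetails:dynamic)
[
    datetime(2022-10-13 01:00:00), "User One",   dynamic({"city":"Pune","state":"Maharashtra","countryOrRegion":"IN"}),
    datetime(2022-10-13 01:20:00), "User One",   dynamic({"city":"Bengaluru","state":"Karnataka","countryOrRegion":"IN"}),
    datetime(2022-10-13 02:00:00), "User Two",   dynamic({"city":"Pune","state":"Maharashtra","countryOrRegion":"IN"}),
    datetime(2022-10-13 02:30:00), "User Two",   dynamic({"city":"Mumbai","state":"Maharashtra","countryOrRegion":"IN"}),
    datetime(2022-10-13 03:00:00), "User Three", dynamic({"countryOrRegion":"IN"})  // no state recorded
];
SampleSignins
// Pull the nested property into a typed column that later operators can reference.
| extend State = tostring(LocationDetails.state)
// Skip sign-ins with no state so an empty value is not counted as a location.
| where isnotempty(State)
| summarize StateCount = dcount(State), States = make_set(State) by Identity
| where StateCount > 1
```

On the sample rows only "User One" is returned, with both states listed in the States column.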