I started working with Microsoft’s Sentinel one.
I’m working on gathering information from the logs that Sentinel is producing.
For better readability, I want to change the names of the columns that I’m projecting, but I couldn’t rename a column that contained numbers and special characters.
I’m using KQL to gather the logs from Sentinel:
```kusto
AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
| project TargetResources[0].displayName, OperationName, ActivityDateTime
| project-rename GroupName = TargetResources[0].displayName, Time = ActivityDateTime, Type = OperationName
```
So renaming the columns ActivityDateTime & OperationName is working, but I get an error that says "column name expected" when trying to rename the first column, even though it appears when running that code.
Is there a way to rename that column?
> Solution:
TargetResources[0].displayName is an expression, not a column name, so there’s nothing to rename here.
If you want to give this expression a name, you can use the extend operator.
```kusto
| extend GroupName = TargetResources[0].displayName
```
```kusto
print TargetResources = dynamic([{"displayName": "Tic"}, {"displayName": "Tac"}, {"displayName": "Toe"}])
| project-rename GroupName = TargetResources[0].displayName
```
```
project-rename: expression '' cannot be used as a column name
```
```kusto
print TargetResources = dynamic([{"displayName": "Tic"}, {"displayName": "Tac"}, {"displayName": "Toe"}])
| extend GroupName = TargetResources[0].displayName
```
| TargetResources | GroupName |
|---|---|
| [{"displayName":"Tic"},{"displayName":"Tac"},{"displayName":"Toe"}] | Tic |
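The same fix applied to the AuditLogs query from the question, as an added example that is not part of the answer above: `extend` gives the expression a name, and `tostring()` casts the dynamic property to a plain string so the column filters and groups like any other string column. Table, column and operation names are the ones from the question; the final `order by` is an assumed addition.

```kusto
// Group add/delete events from the last 20 days, with readable column names.
AuditLogs
| where TimeGenerated > ago(20d)
| where OperationName in ("Add group", "Delete group")
// TargetResources[0].displayName is an expression over a dynamic column, not a
// column name: extend names it, tostring() turns the dynamic value into a string.
| extend GroupName = tostring(TargetResources[0].displayName)
// project can rename real columns inline, so no project-rename is needed.
| project Time = ActivityDateTime, Type = OperationName, GroupName
| order by Time desc
```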
