1

I started working with Microsoft's sentinel one.

I'm working on gathering information from the logs that sentinel is producing. For better readability, I want to change the names of the columns that I'm projecting, but couldn't rename a column that contained numbers and special characters. I'm using KQL to gather the logs from sentinel

AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
| project TargetResources[0].displayName, OperationName, ActivityDateTime
| project-rename GroupName = TargetResources[0].displayName, Time = ActivityDateTime, Type = OperationName

So renaming the columns: ActivityDateTime & OperationName is working, but I get an error that says "column name expected" when trying to rename the first column. Even though it appear when running that code.

Is there a way to rename that column?

David דודו Markovitz
  • 42,900
  • 6
  • 64
  • 88
Dolev
  • 151
  • 1
  • 4
  • 14

2 Answers2

2

Extend operator is used to create a calculated column and new column is appended to result set. Since you just need to rename a column you can do it with project operator. project-rename doesn't work for expressions.

AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
| project GroupName=TargetResources[0].displayName, Type=OperationName, Time = ActivityDateTime
maced
  • 46
  • 2
1

TargetResources[0].displayName is an expression, not a column name, so there's nothing to rename here.

If you want to give this expression a name, you can use the extend operator.

| extend GroupName = TargetResources[0].displayName

project-rename

print TargetResources = dynamic([{"displayName": "Tic"}, {"displayName": "Tac"}, {"displayName": "Toe"}])
| project-rename GroupName = TargetResources[0].displayName

project-rename: expression '' cannot be used as a column name

Fiddle

print TargetResources = dynamic([{"displayName": "Tic"}, {"displayName": "Tac"}, {"displayName": "Toe"}])
| extend GroupName = TargetResources[0].displayName
TargetResources GroupName
[{"displayName":"Tic"},{"displayName":"Tac"},{"displayName":"Toe"}] Tic

Fiddle

David דודו Markovitz
  • 42,900
  • 6
  • 64
  • 88
  • Any reason you accepted this answer and then revoked? FYI, both `project-rename` & `extend` impact only the columns they deal with, leaving all the rest of the columns As Is. `project` require you to list all the columns that you want to pass to the next stage and not only the columns that you actually want to change. – David דודו Markovitz Oct 11 '22 at 15:15