'where' operator: Failed to resolve table or column or scalar expression named

Question

For a Query in Microsoft Defender Advanced Hunting I want to use Data from an external Table (here the KQL_Test_Data.csv) but when I try to run it I get the Error message:

'where' operator: Failed to resolve table or column or scalar expression named 'IOC'

and when i highlight the whole Query as told in 'where' operator: failed to resolve scalar expression named 'timeOffsetMin' i get this error message:

No tabular expression statement found

This is the code i used:

let IOC = externaldata(column:string) 
[   
h@"https://raw.githubusercontent.com/Kornuptiko/TEMP/main/KQL_Test_Data.csv" 
] 
with(format="csv");

DeviceNetworkEvents 
| where Timestamp > ago(30d) 
| where RemoteIP in (IOC);

Does `externaldata` works for you by its own? – David דודו Markovitz Jul 12 '22 at 12:32 — David דודו Markovitz, Jul 12 '22 at 12:32

score 1 · Accepted Answer · answered Jul 12 '22 at 12:55

1

Assuming microsoft365-defender supports externaldata:

Your file is not a valid CSV, and KQL is strict about this.
As a work-around we can read the file as txt and then parse it.

let IOC = externaldata(column:string) 
[   
    h@"https://raw.githubusercontent.com/Kornuptiko/TEMP/main/KQL_Test_Data.csv" 
] 
with(format="txt")
| parse column with * '"' ip '"' *
| project ip;
DeviceNetworkEvents 
| where Timestamp > ago(30d) 
| where RemoteIP in (IOC);

answered Jul 12 '22 at 12:55

David דודו Markovitz

42,900
6
64
88

1

That works thanks! Now i only have to add authentication for sharepoint since GitHub was only to test is... – Kornuptiko Jul 13 '22 at 11:31

'where' operator: Failed to resolve table or column or scalar expression named

1 Answers1