TechQA.

KQL - Joining 2 tables sing Equality by Value

412 views Asked by At

I am attempting to join two tables in KQL within Microsoft Defender.

These tables don't have matching columns however they do have matching fields.

LeftTable: EmailEvents Field: RecipientEmailAddress

RightTable: IdentityInfo Field: AccountUpn

The query I am using is as follows

EmailEvents
| where EmailDirection == "Inbound"
| where Subject == "invoice" or SenderFromAddress == "[email protected]"
| project RecipientEmailAddress, Subject, InternetMessageId, SenderFromAddress
| join kind=inner (IdentityInfo 
| distinct AccountUpn, AccountDisplayName, JobTitle , Department, City, Country) 
on $left.RecipientEmailAddress -- $right.AccountUpn

I am seeing the error

Semantic error Error message join: only column entities or equality expressions are allowed in this context. How to resolve Fix semantic errors in your query

Can someone assist I am not sure where I am going wrong here.

kql askql kqlmagic
Original Q&A
1

There are 1 answers

0
Yoni L. On

try replacing this:

on $left.RecipientEmailAddress -- $right.AccountUpn

with this:

on $left.RecipientEmailAddress == $right.AccountUpn

Related Questions in KQL

Related Questions in ASKQL

Related Questions in KQLMAGIC

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions