TechQA.

Parsing KQL Json and using it to join another table

147 views Asked by At

I am trying to query in Defender Advanced hunting

Basically where I am having an issue is parsing the json for LoggedOnUsers and joining certain data there which is the Sid with IdentityInfo's CloudSid

For this one I am getting the error

Semantic error Error message Ensure that expression: LoggedOnUsers.Sid is indeed a simple name How to resolve Fix semantic errors in your query

DeviceTvmSoftwareInventory
| where SoftwareName contains "softwarename"
| distinct DeviceId, SoftwareName
| join kind=inner (
    DeviceInfo 
    | mv-expand parsejson(LoggedOnUsers)
    | extend LoggedOnUsers_Sid = tostring(toscalar(LoggedOnUsers.Sid))
    | project DeviceId, LoggedOnUsers_Sid
    )
    on DeviceId
| join kind=inner (
    IdentityInfo
    )
    on $left.LoggedOnUsers_Sid == $right.CloudSid
| project DeviceId, SoftwareName, AccountUpn

kql windows-defender
Original Q&A
0

There are 0 answers

Related Questions in KQL

Related Questions in WINDOWS-DEFENDER

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions