KQL: setting query time leads to problem in watchlist column projecting

New Contributor

Hello to the community!

 

I have stumbled upon a very strange issue when using watchlists.

 

I have a watchlist with 2 columns (userPrincipalName,allowedActivity) that I am then using to whitelist activities.

Watchlist is imported using: 

let WhitelistedUsers = _GetWatchlist("testQuery") | project userPrincipalName, allowedActivity;

 

Then I wanted to set it to a specific time frame to test it on given data set:

set query_now = datetime("1/14/2022, 1:45:46.556 PM");

 

Problem is that when setting my query for a specific time, I get the following error from the watchlist:

'project' operator: Failed to resolve scalar expression named 'userPrincipalName'. Commenting the set query_now solves the project problem (not my problem though).

 

I tried to set the time before and after watchlist import but that does not solve the issue. I could not find any posts around the topic (quite a specific one), so anyone observed similar behaviors or has a possible explanation? I can probably work around the set query_now with other functions but I gotten used to it, and find this behavior extremely strange

1 Reply
You should use Let rather than Set (Set is a Azure Data Explorer statement)

So in Sentinel Logs it would be (unless you are using ADX?):

let query_now = datetime("1/14/2022, 1:45:46.556 PM");
print query_now
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE