I started working with Microsoft's sentinel one.
I'm working on gathering information from the logs that sentinel is producing. For better readability, I want to change the names of the columns that I'm projecting, but couldn't rename a column that contained numbers and special characters. I'm using KQL to gather the logs from sentinel
AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
| project TargetResources[0].displayName, OperationName, ActivityDateTime
| project-rename GroupName = TargetResources[0].displayName, Time = ActivityDateTime, Type = OperationName
So renaming the columns ActivityDateTime & OperationName is working, but I get an error that says "column name expected" when trying to rename the first column, even though it appears when running that code.
Is there a way to rename that column?
The extend operator is used to create a calculated column, and the new column is appended to the result set. Since you just need to rename a column, you can do it with the project operator. project-rename doesn't work for expressions.
AuditLogs
| where OperationName == "Add group" or OperationName == "Delete group"
| where TimeGenerated > ago(20d)
// project assigns the output name directly, so an expression such as TargetResources[0].displayName is fine here
| project GroupName = TargetResources[0].displayName, Type = OperationName, Time = ActivityDateTime
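An added example (not from the answer above) showing the same distinction the other way round: extend first materializes the expression as a real column, and only then can project-rename act on it. It also casts the dynamic path with tostring() and keeps the initiating user, which is what you normally want when reviewing group add/delete events; InitiatedBy.user.userPrincipalName is the standard AuditLogs field, but check it exists in your workspace schema.

```kql
AuditLogs
| where OperationName in ("Add group", "Delete group")
| where TimeGenerated > ago(20d)
// extend creates named columns from the dynamic expressions; tostring() gives them a fixed type
| extend GroupName = tostring(TargetResources[0].displayName),
         Actor     = tostring(InitiatedBy.user.userPrincipalName)
// project-rename now works because OperationName and ActivityDateTime are plain columns
| project-rename Type = OperationName, Time = ActivityDateTime
// keep only the reviewed fields; Result lets you spot failed attempts as well
| project Time, Type, GroupName, Actor, Result
| order by Time desc
```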