none
Drift in attested controls Kusto Query Errors

    Question

  • According to the MS Doc here: https://azsk.azurewebsites.net/06-Security-Telemetry/App-Insights-Queries/Readme.html#drift-in-attested-controls

    I should be able to copy paste the code into a query for app insights and get the result. When I paste the Kusto code in, it errors at renaming a column heading (in bold):

    | project tostring(customDimensions.SubscriptionId), tostring(customDimensions.SubscriptionName),tostring(customDimensions.ResourceId),

    tostring(customDimensions.ControlId), newresult = tostring(customDimensions.AttestationStatus)

    Then, there are many errors after that.

    According to the Kusto tabular operator 'project', syntactically the code is correct:

    EXAMPLE

    T
    |
    project
       
    X=C,                       // Rename column C to X
        A=2*B,                     // Calculate a new column A from the old B
        C=strcat("-",tostring(C)), // Calculate a new column C from the old C
        B=2*B                      // Calculate a new column B from the old B

    Any thoughts on editing this code to work properly? I have all the correct log data (table.. columns) for this to be working correctly.

    Thanks in advance from a Kusto rookie.

    Olivia


    • Edited by ocorliss Wednesday, April 3, 2019 5:46 AM
    Wednesday, April 3, 2019 5:44 AM

Answers

  • Hi ocorliss,

    Hope you are seeing the below in the query explorer. 

    However that should not stop you from running the query and getting the desired result provided you have relevant data in the required tables. Please make sure you select the entire query instead of the snippet of the query and then the run it. 

    Hope the above information helps you, we will further dig into why the newresult is showing a error line in the query editor and share our findings accordingly. 

    Wednesday, April 3, 2019 3:54 PM
    Owner