Error in Azure Sysmon Workbook project' operator: Failed to resolve table or column expression named 'process_create_whitelist

Question

Hello everyone. I have been trying to set up a lab on my Azure Sentinel tenant to receive sysmon logs. I have followed some of the tutorials posted using the agents. Everything seem to work fine

I am receiving logs from sysmon to azure, but where I am having problems is with the Sysmon Workbook.

I get the error below, and nothing is being rendered. Has anyone run into this before?

'project' operator: Failed to resolve table or column expression named 'process_create_whitelist'
If issue persists, please open a support ticket. Request id:

Answer 1

There seems to be something missing here. The first tab has queries based on several undefined data sources; possibly parser functions. The workbook is possibly outdated and lacking full instructions. You might reach out to the author Eduardo listed in the opening comments.

Correction, The workbook description includes the following link describing the parser. https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel

Answer 2

So you think this might be a parsing issue?

Thank you for your recommendations, I will surely try those.

I took a snapshot of the complete errors from the Workbook Sysmon Threat Hunting.

Again thank you.

Answer 3

Those let statements are attempting to create stored lists by calling functions (stored KQL queries). At least I think those are functions. I assumed Step #9 in the instructions would address this missing requirement. I think the author may be the only person that can clear this up.