Error in Azure Sysmon Workbook project' operator: Failed to resolve table or column expression named 'process_create_whitelist

Alvarado, Peter 21 Reputation points
2022-03-26T01:43:54.167+00:00

Hello everyone. I have been trying to set up a lab on my Azure Sentinel tenant to receive sysmon logs. I have followed some of the tutorials posted using the agents. Everything seem to work fine

I am receiving logs from sysmon to azure, but where I am having problems is with the Sysmon Workbook.

I get the error below, and nothing is being rendered. Has anyone run into this before?

'project' operator: Failed to resolve table or column expression named 'process_create_whitelist'
If issue persists, please open a support ticket. Request id:

187094-screenshot-2022-03-25-203223.png

187103-sent1.png

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,782 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,485 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
970 questions
Sysinternals
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,082 questions
0 comments
Accepted answer
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-03-26T05:10:35.103+00:00

    There seems to be something missing here. The first tab has queries based on several undefined data sources; possibly parser functions. The workbook is possibly outdated and lacking full instructions. You might reach out to the author Eduardo listed in the opening comments.

    Correction, The workbook description includes the following link describing the parser. https://github.com/BlueTeamLabs/sentinel-attack/wiki/Onboarding-sysmon-data-to-Azure-Sentinel

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alvarado, Peter 21 Reputation points
    2022-03-26T07:14:18.337+00:00

    So you think this might be a parsing issue?

    Thank you for your recommendations, I will surely try those.

    I took a snapshot of the complete errors from the Workbook Sysmon Threat Hunting.

    Again thank you.

    187066-screenshot-2022-03-26-021215.png

    0 comments
  2. Andrew Blumhardt 9,491 Reputation points Microsoft Employee
    2022-03-29T12:59:39.19+00:00

    Those let statements are attempting to create stored lists by calling functions (stored KQL queries). At least I think those are functions. I assumed Step #9 in the instructions would address this missing requirement. I think the author may be the only person that can clear this up.