We are not getting the required data from AlertEvidence table ( Defender for Endpoint) using Advanced Hunting connector.

MOD Administrator 21 Reputation points
2023-01-04T10:57:07.877+00:00

The logic app is working perfectly fine; we are using the query below.

DeviceInfo
| where DeviceId contains "dd71b3fb23feca64a073cdb10186b1fde1090770"
| where OSPlatform != ""
| summarize max(Timestamp) by DeviceId,DeviceName,OSPlatform

----------------------------------------------------

But when we use this query:

AlertEvidence
| where Timestamp > ago(30m)
| where DeviceName == "vm01"
| summarize count= count() by DeviceName

We are getting the error:
{
"error": {
"code": "BadRequest",
"message": "'where' operator: Failed to resolve table or column expression named 'AlertEvidence'. Fix semantic errors in your query.",
"target": "|1d161bd4-45ba8932dafe0f69."
}
}


Azure Logic Apps
Microsoft Defender for Cloud

1 answer

  1. Budhaditya Bose 0 Reputation points
    2025-01-24T13:27:28.5766667+00:00

    Apparently, I did find the answer to this. The answer, secondarily, is MS' poor documentation. The actual answer:

    The tables AlertEvidence and AlertInfo are new tables that were broken out of DeviceAlertEvents, which was their old API, I guess. But apparently, the MDE ATP connector still supports the old one. So to correct this, your new query would be:

    DeviceAlertEvents | where ... etc

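To make the fix concrete, here is the question's AlertEvidence query rewritten against DeviceAlertEvents, the table the Defender for Endpoint connector still resolves. This is an added example, not code from the answer author or from Microsoft; it assumes the documented DeviceAlertEvents columns (AlertId, Severity, Category, Title, Timestamp, DeviceId, DeviceName) and reuses "vm01" from the question as a constructed device name. It goes slightly beyond the original query by counting distinct alerts rather than raw rows, since DeviceAlertEvents can hold more than one row per alert.

```kusto
// Added example (not from the answer above): the AlertEvidence query from the
// question rewritten for DeviceAlertEvents, the table the MDE ATP connector
// still resolves. Column names follow the documented DeviceAlertEvents schema;
// "vm01" is the constructed device name taken from the question.
DeviceAlertEvents
| where Timestamp > ago(30m)
| where DeviceName =~ "vm01"            // case-insensitive match on the host name
| summarize
    AlertCount   = dcount(AlertId),     // distinct alerts, not evidence rows
    HighSeverity = dcountif(AlertId, Severity == "High"),
    LatestAlert  = max(Timestamp),
    Titles       = make_set(Title, 10)  // up to 10 distinct alert titles
    by DeviceId, DeviceName
| order by LatestAlert desc
```

Paste this into the Query field of the connector's Advanced Hunting action in place of the AlertEvidence query. Before relying on the numbers in an automated flow, run the original AlertEvidence query in the Defender portal's advanced hunting over the same window and compare the counts: the two tables do not necessarily share row granularity, which is why the example counts distinct AlertId values rather than using count().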
