How to resolve the error "'where' operator: Failed to resolve table or column expression named 'Okta_CL'" for Analytics rule User Session Impersonation (Okta)

John Tyson 0 Reputation points
2025-10-22T17:46:51.8866667+00:00

Name is User Session Impersonation (Okta)
Logic is:

Okta_CL
| where eventType_s == "user.session.impersonation.initiate" and outcome_result_s == "SUCCESS"
// Expand the JSON array in 'target_s' field to extract detailed information about the event
| mv-expand parsed_json = todynamic(target_s) // Unpack and understand the details from the 'target_s' JSON array
// Enhance visibility by extending columns with extracted details for better analysis
| extend TargetUser_id = tostring(parsed_json.id), 
         TargetUser_type = tostring(parsed_json.type), 
         TargetUser_alternateId = tostring(parsed_json.alternateId), 
         TargetUser_displayName = tostring(parsed_json.displayName), 
         Target_detailEntry = tostring(parsed_json.detailEntry) 
// Project event details to gain insights into the security context, including actor and target user information
| project TimeGenerated, actor_alternateId_s, actor_displayName_s, TargetUser_alternateId, 
               TargetUser_displayName, TargetUser_type, TargetUser_id, 
               eventType_s, outcome_result_s

Original Error is:
'where' operator: Failed to resolve table or column expression named 'Okta_CL'

If I edit the table to OktaSSO I get the error:
'union' operator: Failed to resolve table expression named 'Okta_CL'

If I edit the table to OktaV2_CL, which is present in the system because I am using the recommended modern Okta collector, I get the following error:
Semantic error: 'where' operator: Failed to resolve column or scalar expression named 'eventType_s' (Line 1, Position 0)

I ended up using this for the logic but am unsure whether it correlates with the original logic:

OktaV2_CL
| where LegacyEventType == "user.session.impersonation.initiate" and OriginalOutcomeResult == "SUCCESS"
// Expand the JSON array in the 'OriginalTarget' field to extract detailed information about the event
| mv-expand parsed_json = todynamic(OriginalTarget) // Unpack the details from the 'OriginalTarget' JSON array (todynamic is a no-op if the column is already dynamic)
// Enhance visibility by extending columns with extracted details for better analysis
| extend TargetUser_id = tostring(parsed_json.id), 
         TargetUser_type = tostring(parsed_json.type), 
         TargetUser_alternateId = tostring(parsed_json.alternateId), 
         TargetUser_displayName = tostring(parsed_json.displayName), 
         Target_detailEntry = tostring(parsed_json.detailEntry) 
// Project event details to gain insights into the security context, including actor and target user information
| project TimeGenerated, ActorUserId, ActorDisplayName, TargetUser_alternateId, 
               TargetUser_displayName, TargetUser_type, TargetUser_id, 
               LegacyEventType, OriginalOutcomeResult

Microsoft Security | Microsoft Sentinel
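The two errors above come from the same root cause: the rule template is written against the legacy Okta_CL table, while the modern collector writes to OktaV2_CL with different column names, so the first leg of the query cannot be resolved at all. The query below is an added example (not the poster's query and not Microsoft's template) showing one way to make the same detection resolve in either situation: each table gets its own leg, both legs are projected to a common shape, and `union isfuzzy=true` lets the query run when one of the two tables does not exist in the workspace. The OktaV2_CL column names (LegacyEventType, OriginalOutcomeResult, OriginalTarget, ActorUserId, ActorDisplayName) are taken from the poster's rewrite and are assumptions; confirm them against the workspace before relying on the rule.

```kql
// Added example, not part of the original post or the rule template.
// Check the actual OktaV2_CL column names first; the names used below are assumed:
//   OktaV2_CL | getschema | project ColumnName, ColumnType
// isfuzzy=true drops a leg whose table is absent instead of failing the whole query,
// which is what the "Failed to resolve table ... 'Okta_CL'" error is about.
union isfuzzy=true
    // Leg 1: legacy Okta_CL schema (column names from the original template)
    (
        Okta_CL
        | where eventType_s == "user.session.impersonation.initiate"
            and outcome_result_s == "SUCCESS"
        | project TimeGenerated,
                  SourceTable = "Okta_CL",
                  ActorAlternateId = actor_alternateId_s,
                  ActorDisplayName = actor_displayName_s,
                  EventType = eventType_s,
                  OutcomeResult = outcome_result_s,
                  TargetArray = todynamic(target_s)
    ),
    // Leg 2: OktaV2_CL schema (column names assumed from the poster's rewrite)
    (
        OktaV2_CL
        | where LegacyEventType == "user.session.impersonation.initiate"
            and OriginalOutcomeResult == "SUCCESS"
        | project TimeGenerated,
                  SourceTable = "OktaV2_CL",
                  ActorAlternateId = tostring(ActorUserId),   // assumed mapping
                  ActorDisplayName = tostring(ActorDisplayName),
                  EventType = tostring(LegacyEventType),
                  OutcomeResult = tostring(OriginalOutcomeResult),
                  TargetArray = todynamic(OriginalTarget)     // no-op if already dynamic
    )
// From here on the logic is identical to the template: one row per target entry
| mv-expand parsed_json = TargetArray
| extend TargetUser_id = tostring(parsed_json.id),
         TargetUser_type = tostring(parsed_json.type),
         TargetUser_alternateId = tostring(parsed_json.alternateId),
         TargetUser_displayName = tostring(parsed_json.displayName)
// Keep the User targets only; impersonation events can carry non-user targets too
| where isempty(TargetUser_type) or TargetUser_type == "User"
| project TimeGenerated, SourceTable, ActorAlternateId, ActorDisplayName,
          TargetUser_alternateId, TargetUser_displayName, TargetUser_type,
          TargetUser_id, EventType, OutcomeResult
```

A practical way to check that the OktaV2_CL leg really matches the original logic is to run each leg on its own over a window where you know an impersonation session was started (for example, one you initiated yourself from the Okta admin console) and compare the actor and target columns side by side; if ActorUserId turns out to hold an internal ID rather than the login name, swap in whichever OktaV2_CL column carries the alternateId so the alert remains readable to the analyst.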