The Base module is using subroutines to enrich the account entities in a best-effort mode. The following two:
get_account_by_dn
get_account_by_samaccountname
are using the IdentityInfo table. But it is possible that this table doesn't exist if the Sentinel UEBA feature is not enabled and the Defender for Identity integration is not set up either. This makes the base module fail like this:
{
"Error": "Microsoft Sentinel KQL Query failed to execute",
"InvocationId": "e57c96f0-c64c-45f6-8503-641088b91702",
"SourceError": {
"error": {
"message": "The request had some invalid properties",
"code": "BadArgumentError",
"correlationId": "7eed5340-b652-46d8-8e16-534d6079075c",
"innererror": {
"code": "SemanticError",
"message": "A semantic error occurred.",
"innererror": {
"code": "SEM0100",
"message": "'where' operator: Failed to resolve table or column expression named 'IdentityInfo'"
}
}
}
},
"Traceback": [
"Traceback (most recent call last):\n",
" File \"/home/site/wwwroot/modules/__init__.py\", line 19, in main\n return_data = coordinator.initiate_module(module_name=module_name, req_body=req_body)\n",
" File \"/home/site/wwwroot/shared/coordinator.py\", line 9, in initiate_module\n return_data = base.execute_base_module(req_body)\n",
" File \"/home/site/wwwroot/modules/base.py\", line 31, in execute_base_module\n enrich_accounts(entities)\n",
" File \"/home/site/wwwroot/modules/base.py\", line 172, in enrich_accounts\n get_account_by_samaccountname(friendly_name, attributes, properties)\n",
" File \"/home/site/wwwroot/modules/base.py\", line 271, in get_account_by_samaccountname\n results = rest.execute_la_query(base_object, query, 14)\n",
" File \"/home/site/wwwroot/shared/rest.py\", line 150, in execute_la_query\n raise STATError('Microsoft Sentinel KQL Query failed to execute', data)\n",
"classes.STATError: ('Microsoft Sentinel KQL Query failed to execute', {'error': {'message': 'The request had some invalid properties', 'code': 'BadArgumentError', 'correlationId': '7eed5340-b652-46d8-8e16-534d6079075c', 'innererror': {'code': 'SemanticError', 'message': 'A semantic error occurred.', 'innererror': {'code': 'SEM0100', 'message': \"'where' operator: Failed to resolve table or column expression named 'IdentityInfo'\"}}}})\n"
]
}
Perhaps prefixing the request with union isfuzzy=true might be good enough of a fix.
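The fix the issue proposes, as an added example that is not code from the STAT project: the account lookup is wrapped in `union isfuzzy=true`, so a workspace without an IdentityInfo table returns an empty result set instead of the SEM0100 semantic error, and the caller additionally treats a SEM0100 error as "no enrichment available" rather than failing the whole Base module. The names `STATError`, `build_account_query`, `get_account_best_effort`, the stand-in query runner and the sample error payload are assumptions modelled on the traceback above; only the error shape and the `union isfuzzy=true` idea come from the issue.

```python
"""Best-effort IdentityInfo enrichment with a fuzzy-union guard (added example).

STATError, the runner and the payload below are stand-ins constructed for this
example; they mirror the shape of the error shown in the issue, not real APIs.
"""

# Innermost error code Log Analytics returns when a referenced table is missing.
SEM_UNRESOLVED_TABLE = "SEM0100"


class STATError(Exception):
    """Stand-in for the project's STATError: carries (message, source_error_dict)."""

    def __init__(self, message, data):
        super().__init__(message, data)
        self.message = message
        self.data = data


def build_account_query(samaccountname, lookback_days=14, fuzzy=True):
    """Build the KQL lookup for one sAMAccountName.

    With fuzzy=True the body is wrapped in `union isfuzzy=true (...)`, which
    makes the query tolerate an absent IdentityInfo table (empty result set).
    """
    escaped = samaccountname.replace("\\", "\\\\").replace("'", "\\'")  # KQL literal escaping
    body = (
        "IdentityInfo\n"
        f"| where TimeGenerated > ago({lookback_days}d)\n"
        f"| where AccountName =~ '{escaped}'\n"
        "| summarize arg_max(TimeGenerated, *) by AccountName"
    )
    return f"union isfuzzy=true ({body})" if fuzzy else body


def innermost_error_code(source_error):
    """Walk the nested 'innererror' objects and return the deepest 'code'."""
    err = source_error.get("error", source_error)
    code = err.get("code")
    while isinstance(err.get("innererror"), dict):
        err = err["innererror"]
        code = err.get("code", code)
    return code


def is_missing_table_error(exc):
    """True when a STATError wraps a SEM0100 (unresolved table/column) error."""
    return isinstance(exc, STATError) and innermost_error_code(exc.data) == SEM_UNRESOLVED_TABLE


def get_account_best_effort(run_query, samaccountname):
    """Best-effort enrichment: rows on success, [] when IdentityInfo is absent.

    Any other query failure is re-raised so genuine problems still surface.
    """
    try:
        return run_query(build_account_query(samaccountname))
    except STATError as exc:
        if is_missing_table_error(exc):
            return []
        raise


# Constructed payload mirroring the error in the issue (correlationId is a placeholder).
MISSING_TABLE_PAYLOAD = {
    "error": {
        "message": "The request had some invalid properties",
        "code": "BadArgumentError",
        "correlationId": "<placeholder-correlation-id>",
        "innererror": {
            "code": "SemanticError",
            "message": "A semantic error occurred.",
            "innererror": {
                "code": "SEM0100",
                "message": "'where' operator: Failed to resolve table or column expression named 'IdentityInfo'",
            },
        },
    }
}


def runner_without_identityinfo(query):
    """Stand-in for rest.execute_la_query against a workspace with no IdentityInfo table."""
    if query.lstrip().startswith("union isfuzzy=true"):
        return []  # Log Analytics resolves the fuzzy union to an empty result set
    raise STATError("Microsoft Sentinel KQL Query failed to execute", MISSING_TABLE_PAYLOAD)


if __name__ == "__main__":
    print(build_account_query("jdoe"))
    print("rows:", get_account_best_effort(runner_without_identityinfo, "jdoe"))
```

Escaping the account name before splicing it into the KQL literal is kept deliberately: the entity value originates from the incident, so it should never be interpolated raw into a query.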