Ok, it looks like we finally narrowed it down. The actual query was as such:
`let m = dynamic(["malapp1","malapp2"]);
OfficeActivity
| where Operation == "FileMalwareDetected"
and SourceFileName in (m)`
This would fail every time with "m is not a known table, variable, or function".
BUT
if I switched it to
`| where SourceFileName in (m) and Operation == "FileMalwareDetected"`
then the query works fine. We spent hours troubleshooting this. At least it wasn't a semicolon.
I need some help from anyone using #MSSentinel or #KQL or #KustoQueryLanguage
In Sentinel, I'm creating the below query, but I'm being told the variable I'm assigning isn't the name of a known function, table, or variable. I don't need insight on a different way to write the statement, just to understand why it won't work.
`let names = dynamic(["Admin1","Admin2"]);
AuditLogs
| where Principal in (names)`
The same query works in LogAnalytics without issue. I'm losing my mind.
#mssentinel #kql #kustoquerylanguage