diff --git a/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml b/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
index 2b83939192..73fbd81e42 100644
--- a/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
+++ b/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
@@ -24,7 +24,7 @@ query: |
 | extend EventData = parse_xml(EventData).EventData.Data
 | mv-expand bagexpansion = array EventData
 | evaluate bag_unpack(EventData)
- | extend Key = column_ifexists('@Name', ""), Value = column_ifexists('#text', "")
+ | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
 | evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
 // Where changes relate to Exchange OAB
 | extend ObjectClass = column_ifexists("ObjectClass", "")
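Review bot: Only `Key` is cast in the added `extend`; `Value` still comes from `column_ifexists('#text', "")`, so its type presumably differs between the case where `bag_unpack` produced the column (dynamic) and the case where the `""` fallback is used (string). The pivoted columns such as `ObjectClass` would inherit that type, and any string operators applied to them later in the query (outside this hunk) would then rely on implicit conversion. Casting both sides, `| extend Key = tostring(column_ifexists('@Name', "")), Value = tostring(column_ifexists('#text', ""))`, keeps the schema stable. A short comment such as `// pivot needs a string key; bag_unpack columns are dynamic` would record why the cast exists. A type error in a scheduled rule shows up as a failed run rather than an empty result, so it is worth confirming the rule executes against a workspace where these events are absent as well as present.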