Unable to save query to alert on no sensor data as a custom detection rule

Question

Hello,&nbsp;I am trying to create a custom alert for an agent not reporting sensor data using&nbsp;the following query, which runs fine but there is an error in it per MDE, which wont let me save this as a custom detection rule:&nbsp;'Can't save detection ruleThe query contains syntax errors and cannot be used to create a detection rule. Please fix errors in the query and try again.'&nbsp;KQL Query:&nbsp;DeviceTvmSecureConfigurationAssessment| where ConfigurationId in ('scid-2000', 'scid-2001')| extend Test = case(ConfigurationId == "scid-2000", "SensorEnabled",ConfigurationId == "scid-2001", "SensorDataCollection","N/A"),Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")| extend packed = pack(Test, Result)| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId| evaluate bag_unpack(Tests)| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"| summarize by DeviceName, DeviceIdCan someone point out something I am missing here ?&nbsp;&nbsp;Thanks,Princely Dmello&nbsp;&nbsp;&nbsp;

anuragsrivastava · Answer

PrincelyThe query works fine for me, it isn't returning any error.&nbsp;

Forum Discussion

Unable to save query to alert on no sensor data as a custom detection rule

1 Reply

Resources