Zzhaoxi
Aug 13, 2022
Copper Contributor
Difference between entity type 'File' and 'Machine'
Here we are trying to query and analyse alerts caused by files on a single PC via the AlertEvidence table, but the problem is that I found the file name and folder path sometimes cannot be found in the table when EntityType is "Machine". The title of such alerts will be like "XX unwanted software was blocked" or so, but the EntityType still goes to "Machine".
Just want to know why some alerts have unwanted software in the title but EntityType goes to "Machine". Is there any way to get the file and folder path in such logs?
AlertEvidence
|join AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"
Hi Zzhaoxi
The AlertEvidence table (see documentation) has multiple rows per alert, one for each piece of evidence: machine, files, etc. In the alert you looked at, there should supposedly be more rows for the file entity. The problem might be that there's no join kind specified in your query, which defaults to innerunique.
Try this one:
AlertEvidence
|join kind=leftouter AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"
- Oren_Saban
Microsoft
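An added example (not from the thread or from Microsoft's documentation) that sidesteps the join-kind trap altogether: with AlertEvidence as the left table, innerunique keeps only one evidence row per AlertId, so the File rows of a multi-evidence alert are the ones that disappear. Summarizing the evidence per AlertId first keeps every row, so the file details sit next to the Machine row of the same alert; it assumes the PC name is in the DeviceName column of AlertEvidence, and "input PC name here" is the placeholder from the question.

```kusto
// Added example, not from the thread. Instead of joining raw evidence rows
// (where innerunique keeps only one evidence row per AlertId), collapse all
// evidence of each alert into a single row first, then attach alert details.
let targetDevice = "input PC name here";   // placeholder from the question
AlertEvidence
| where Timestamp > ago(7d)
| where DeviceName =~ targetDevice         // assumes the PC is in DeviceName
| summarize
    EvidenceRows = count(),
    EntityTypes  = make_set(EntityType),
    // keep only rows that actually carry a file; Machine rows have an empty FileName
    Files        = make_set_if(strcat(FolderPath, @"\", FileName), isnotempty(FileName)),
    SHA1s        = make_set_if(SHA1, isnotempty(SHA1))
    by AlertId
| join kind=leftouter (
    AlertInfo
    | project AlertId, Timestamp, Title, Category, Severity
  ) on AlertId
| project Timestamp, Title, Category, Severity, EvidenceRows, EntityTypes, Files, SHA1s, AlertId
| order by Timestamp desc
```

An alert whose EntityTypes set contains "File" now shows its paths in Files even when a "Machine" row is also present; an alert that lists only "Machine" genuinely has no file evidence row under that AlertId.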
- Zzhaoxi
Copper Contributor
Hello again bro, happy to tell you that I found that actually every alert with EntityType "Machine" shares the same procedure with a related "File" type alert, so they hold different AlertIds pointing toward the same issue.
Thank you for the join kind reminder, I always got confused about that before :)
- Oren_Saban
Microsoft
ofc! Happy it helped 🙂 Indeed this can be confusing
- Zzhaoxi
Copper Contributor
Hi, thanks so much for the answer :) It really helps me to define and understand the join type~
The thing is, there is still no file information with those alerts whose EntityType goes to machine while a file is actually detected in the alert. Do you have any idea how an alert's entity gets classified as machine?