Forum Discussion
Solved
Different between Entity type 'File' and 'Machine'
Here we are trying to query and analysis alerts that caused by Files on a single PC via table AlertEvidence, but the problem is that I found sometimes file name & folder path can not be found in the ...
Hi Zzhaoxi
The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc. In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique.
Try this one:
AlertEvidence|join kind=leftouter AlertInfo on AlertId|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields|where AdditionalFields contains "input PC name here"
Hi Zzhaoxi
The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc. In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique.
Try this one:
AlertEvidence
|join kind=leftouter AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"
Hi, thanks so much for the answer: ) It really helps me to define and understand the join type~
the thing is, there is still no file information with those alert that EntityType goes to machine while a file is actually detected in the alert, do you have any idea that how does an alert's entity get classified as machine?
the thing is, there is still no file information with those alert that EntityType goes to machine while a file is actually detected in the alert, do you have any idea that how does an alert's entity get classified as machine?