Forum Discussion
Solved
Different between Entity type 'File' and 'Machine'
Here we are trying to query and analysis alerts that caused by Files on a single PC via table AlertEvidence, but the problem is that I found sometimes file name & folder path can not be found in the ...
Hi Zzhaoxi
The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc. In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique.
Try this one:
AlertEvidence|join kind=leftouter AlertInfo on AlertId|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields|where AdditionalFields contains "input PC name here"
Hello Again Bro, happy to tell you that I found that actually every alert that with EntityType "Machine" are sharing same procedure with a relative "File" type alert, so they are holding different alertids that toward same issue.
Thank you about the join kind reminding, I always got confused about that before: )
Thank you about the join kind reminding, I always got confused about that before: )
ofc! Happy it helped 🙂 Indeed this can be confusing