Interval of ReportID used

Hi.

Regarding the ReportID for Advanced Hunting, the docs state the following.

"""

Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.

"""

When will the Report ID be repeated?

I want to identify the event using the ReportID and Table listed in the DeviceAlertEvent.

But multiple ReportIDs exist on the same device and cannot be identified.

Maybe I need to narrow down the Timestamp.

Is there a better way?

Thanks,

0 Replies
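
An added example (not part of the original post or of Microsoft's documentation) of the composite key the quoted docs describe: it resolves an alert row to its source event using device name, event time and ReportId together, and shows how many rows match when the time is left out. The rows, the `ProcessEvents` table name and the `Detail` column are constructed, and it assumes the alert row carries the same timestamp as the event it points to.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows, not real telemetry. Column names follow the docs
# quote (ComputerName, EventTime, ReportId); "Detail" is a made-up column.
EVENTS = {
    "ProcessEvents": [
        {"ComputerName": "host-a", "EventTime": "2020-05-01T10:00:00Z",
         "ReportId": 17, "Detail": "winword.exe"},
        {"ComputerName": "host-a", "EventTime": "2020-05-03T08:30:00Z",
         "ReportId": 17, "Detail": "powershell.exe"},   # counter has repeated
        {"ComputerName": "host-b", "EventTime": "2020-05-03T08:30:00Z",
         "ReportId": 17, "Detail": "cmd.exe"},          # same id, other device
    ],
}
ALERTS = [
    {"AlertId": "al-1", "Table": "ProcessEvents", "ComputerName": "HOST-A",
     "EventTime": "2020-05-03T08:30:00+00:00", "ReportId": 17},
]


def full_key(row):
    """Normalise (device, time, counter) so equal events compare equal."""
    ts = datetime.fromisoformat(row["EventTime"].replace("Z", "+00:00"))
    return (row["ComputerName"].lower(), ts, row["ReportId"])


def build_index(events_by_table):
    """Index every event row by (table, device, time, ReportId)."""
    index = defaultdict(list)
    for table, rows in events_by_table.items():
        for row in rows:
            index[(table, *full_key(row))].append(row)
    return index


def resolve(alert, index, events_by_table):
    """Return (exact, loose): matches on the full key vs. device+ReportId only."""
    exact = index.get((alert["Table"], *full_key(alert)), [])
    device = alert["ComputerName"].lower()
    loose = [r for r in events_by_table.get(alert["Table"], [])
             if r["ComputerName"].lower() == device
             and r["ReportId"] == alert["ReportId"]]
    return exact, loose
```
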