Interval of ReportID used

%3CLINGO-SUB%20id%3D%22lingo-sub-1513937%22%20slang%3D%22en-US%22%3EInterval%20of%20ReportID%20used%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1513937%22%20slang%3D%22en-US%22%3E%3CP%3EHi.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegarding%20the%20ReportID%20for%20AdvancedHunting%2C%20the%20Docs%20states%20the%20following.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22%22%22%3C%2FP%3E%3CP%3E%3CSPAN%3EEvent%20identifier%20based%20on%20a%20repeating%20counter.%20To%20identify%20unique%20events%2C%20this%20column%20must%20be%20used%20in%20conjunction%20with%20the%20ComputerName%20and%20EventTime%20columns.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%22%22%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhen%20will%20the%20Report%20ID%20be%20repeated%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20want%20to%20identify%20the%20event%20using%20the%20ReportID%20and%20Table%20listed%20in%20the%20DeviceAlertEvent.%3C%2FP%3E%3CP%3EBut%20multiple%20ReportIDs%20exist%20on%20the%20same%20device%20and%20cannot%20be%20identified.%3C%2FP%3E%3CP%3EMaybe%26nbsp%3BI%20need%20to%20narrow%20down%20the%20Timestamp.%3C%2FP%3E%3CP%3EIs%20there%20a%20better%20way%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1513937%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20hunting%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
New Contributor

Hi.

 

Regarding the ReportID for AdvancedHunting, the Docs states the following.

 

"""

Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns.

"""

 

When will the Report ID be repeated?

 

I want to identify the event using the ReportID and Table listed in the DeviceAlertEvent.

But multiple ReportIDs exist on the same device and cannot be identified.

Maybe I need to narrow down the Timestamp.

Is there a better way?

 

Thanks,

0 Replies