Forum Discussion

Zzhaoxi's avatar
Zzhaoxi
Copper Contributor
Aug 13, 2022
Solved

Different between Entity type 'File' and 'Machine'

Here we are trying to query and analysis alerts that caused by Files on a single PC via table AlertEvidence, but the problem is that I found sometimes file name & folder path can not be found in the ...
incident management
investigation
microsoft defender for endpoint
  • Oren_Saban's avatar
    Oren_Saban
    Aug 15, 2022

    Hi Zzhaoxi 

    The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc.  In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique. 

     

    Try this one: 

     

    AlertEvidence
    |join  kind=leftouter AlertInfo on AlertId
    |project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
    |where AdditionalFields contains "input PC name here"
Oren_Saban's avatar
Oren_Saban
Iron Contributor
Aug 15, 2022

Hi Zzhaoxi 

The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc.  In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique. 

 

Try this one: 

 

AlertEvidence
|join  kind=leftouter AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"
  • Zzhaoxi's avatar
    Zzhaoxi
    Copper Contributor
    Aug 18, 2022
    Hello Again Bro, happy to tell you that I found that actually every alert that with EntityType "Machine" are sharing same procedure with a relative "File" type alert, so they are holding different alertids that toward same issue.
    Thank you about the join kind reminding, I always got confused about that before: )
    • Oren_Saban's avatar
      Oren_Saban
      Iron Contributor
      Aug 18, 2022
      ofc! Happy it helped 🙂 Indeed this can be confusing
  • Zzhaoxi's avatar
    Zzhaoxi
    Copper Contributor
    Aug 18, 2022
    Hi, thanks so much for the answer: ) It really helps me to define and understand the join type~
    the thing is, there is still no file information with those alert that EntityType goes to machine while a file is actually detected in the alert, do you have any idea that how does an alert's entity get classified as machine?

Resources