Aug 13 2022 07:08 AM
Here we are trying to query and analyze alerts caused by files on a single PC via the table AlertEvidence, but the problem is that I found that sometimes the file name and folder path cannot be found in the table when EntityType is "Machine"; the Title of the alert will be something like "XX unwanted software was blocked", yet the EntityType still goes to "Machine".
Just want to know why some alerts have unwanted software in the Title but EntityType goes to "Machine". Is there any way to get the file and folder path in such a log?
Aug 15 2022 04:58 AM
Solution
Hi @Zzhaoxi
The alert evidence table (see documentation) has multiple rows for each alert, with all the different evidence: machine, files, etc. In the alert you looked at, supposedly there should be more rows for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique.
Try this one:
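The query the answer refers to is not on the page. As an added example (my own, not the answer's query), the following Advanced Hunting KQL applies the approach described above: collect the AlertIds whose Machine evidence row names the device, then fetch the File evidence rows for those alerts with an explicit join kind so that rows are not deduplicated. The device name is a placeholder.

```kql
// Added example, not the original answer's query.
// Placeholder device name; replace with the PC you are investigating.
let targetDevice = "PLACEHOLDER-PC01";
let lookback = 7d;
// Step 1: the Machine evidence rows carry DeviceName, so use them to
// find every alert that involves the device.
let deviceAlerts =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "Machine" and DeviceName =~ targetDevice
    | distinct AlertId;
// Step 2: for those alerts, keep the File evidence rows, which hold
// FileName / FolderPath. kind=inner is stated explicitly: the default
// innerunique keeps only one left-side row per AlertId, so an alert
// with several file evidence rows would silently lose all but one.
AlertEvidence
| where Timestamp > ago(lookback)
| where EntityType == "File"
| join kind=inner deviceAlerts on AlertId
| project Timestamp, AlertId, Title, Severity, EvidenceRole,
          FileName, FolderPath, SHA256
| order by Timestamp desc
```

If no File rows come back for an alert, the detection did not attach file evidence to it, and the join kind is not the cause.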
Aug 17 2022 11:46 PM
Aug 18 2022 12:11 AM
Aug 18 2022 03:51 AM