SOLVED

Different between Entity type 'File' and 'Machine'

Copper Contributor

Here we are trying to query and analysis alerts that caused by Files on a single PC via table AlertEvidence, but the problem is that I found sometimes file name & folder path can not be found in the table when EntityType is "Machine", the Title of the alerts will be like "XX unwanted software was blocked" or so, the EntityType still goes to "Machine"

Just want to know why are some alerts with unwanted software in the Title but EntityType go to "Machine", is there any way to get File and Folder path in such log?

Zzhaoxi_0-1660399389517.png

AlertEvidence
|join AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"
4 Replies
best response confirmed by Zzhaoxi (Copper Contributor)
Solution

Hi @Zzhaoxi 

The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc.  In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique. 

 

Try this one: 

 

AlertEvidence
|join  kind=leftouter AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"
Hi, thanks so much for the answer: ) It really helps me to define and understand the join type~
the thing is, there is still no file information with those alert that EntityType goes to machine while a file is actually detected in the alert, do you have any idea that how does an alert's entity get classified as machine?
Hello Again Bro, happy to tell you that I found that actually every alert that with EntityType "Machine" are sharing same procedure with a relative "File" type alert, so they are holding different alertids that toward same issue.
Thank you about the join kind reminding, I always got confused about that before: )
ofc! Happy it helped 🙂 Indeed this can be confusing
1 best response

Accepted Solutions
best response confirmed by Zzhaoxi (Copper Contributor)
Solution

Hi @Zzhaoxi 

The alert evidence table (See documentation) has multiple rows per each alert, with all the different evidence, machine, files etc.  In the alert you looked at, supposedly there should be more rows for the for the file entity. The problem might be that there's no definition for the join kind in your query, which will default to innerunique. 

 

Try this one: 

 

AlertEvidence
|join  kind=leftouter AlertInfo on AlertId
|project Timestamp,Title,EntityType,FileName,FolderPath,AlertId,SHA1,SHA256,Category,AdditionalFields
|where AdditionalFields contains "input PC name here"

View solution in original post