Oct 05 2021
I'm really sorry for the newbie comment, but I have both template Analytic rules and my own Analytic rules and map identities to allow the investigation function to work, but I get an error
Investigation cannot be used to investigate this incident because of an error, please try again later.
I'm scratching my head as to what is not working here, even considering rebuilding our Sentinel environment.
SecurityEvent| where EventID == "4688"| where Process == "cscript.exe"|project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, CommandLine, ParentProcessName| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
and I have mapped the fields shown.
Please could anybody kindly help?