Investigations - Investigation cannot be used to investigate this incident because of an error.


Hi,

I'm really sorry for the newbie comment, but I have both template Analytic rules and my own Analytic rules, and map identities to allow the investigation function to work, but I get an error:

Investigation cannot be used to investigate this incident because of an error, please try again later.

I'm scratching my head as to what is not working here, even considering rebuilding our Sentinel environment.

My example:

SecurityEvent
// EventID is an int column in SecurityEvent, so compare against a number
| where EventID == 4688
| where Process == "cscript.exe"
| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, CommandLine, ParentProcessName
// columns used for the rule's entity mapping
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer

and I have mapped the fields shown.

Please could anybody kindly help?
