Sentinel no longer shows the query, but a base64-encoded string when an Incident is created


Having just recently started my adventure with Sentinel, I really enjoyed the ability to drill down into incidents and explore them using the query that triggered them.

Lately, however, when I select an incident and click on "Events", instead of seeing the logs blade and the query, I see a base64-encoded "alertedEvent" that is decoded into query results. This is not happening on all incidents, but on a few that are based on in-house developed queries. I went over the process of creating the alert rule from a query and could find no option that hides the query in favor of the base64-encoded message (create new query -> "New Alert Rule" -> "Create Azure Sentinel Alert").

Any thoughts as to what might be causing this?

Many thanks,

@fclark80