Sentinel no longer shows the query, but a base 64 encoded string when an Incident is created


Having just recently started my adventure with Sentinel, I really enjoyed the ability to drill down into incidents and explore them using the query that triggered them.


Lately, however, when I select an incident and click on "Events", instead of seeing the Logs blade and the query, I see a Base64-encoded "alertedEvent" that is decoded into query results. This is not happening on all incidents, but on a few that are based on in-house developed queries. I went over the process of creating the alert rule from a query and could find no option that hides the query in favor of the Base64-encoded message (create new query -> "New Alert Rule" -> "Create Azure Sentinel Alert").


Any thoughts as to what might be causing this? 


Many thanks, 

@fclark80
