MicrosoftLearning / SC-200T00A-Microsoft-Security-Operations-Analyst

MIT License

Mod 07 Lab 1 Ex 7 Create Detections #205

Closed djcmct closed 2 months ago

djcmct commented 10 months ago

Contact Details

davecooke1967@gmail.com

What happened?

Task 2 Step 5

Got an odd issue with this....

If the instructions are followed, the result of running the KQL query is as expected (see the 1st screenshot), but if it is run again without modifying the query, the result changes and now doesn't include the custom entries (second screenshot). The problem becomes apparent when a new alert rule is created and an incident is subsequently generated: no entities are detailed for investigation. If I edit the analytic rule to replace line 9 with exactly the same extend and don't run the query, the incident does include the entities. Any ideas?

Lab

Lab 07 Exercise 06 Create Detections

Relevant screenshots

[Screenshot: 1st time]

[Screenshot: 2nd time]

Do you want to help us? 👏

KenMAG commented 9 months ago

Thanks. I will reproduce and look into it.

arnoldvilleneuve commented 9 months ago

Oct 13 2023 - for our class it was just a matter of time before the second search actually worked.

MSFT-MarcoEs commented 3 months ago

@KenMAG If the entities are not being pre-populated in the rule, we need to add them manually, just like the previous rule: [image]

KenMAG commented 2 months ago

I added the steps @MSFT-MarcoEs provided. Let me know if that resolves this bug.