Unable to save query to alert on no sensor data as a custom detection rule


Hello, 
I am trying to create a custom alert for an agent not reporting sensor data using the following query, which runs fine, but per MDE there is an error in it, which won't let me save this as a custom detection rule:


'Can't save detection rule

The query contains syntax errors and cannot be used to create a detection rule. Please fix errors in the query and try again.'


KQL Query: 

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ('scid-2000', 'scid-2001')
| extend Test = case(
        ConfigurationId == "scid-2000", "SensorEnabled",
        ConfigurationId == "scid-2001", "SensorDataCollection",
        "N/A"),
    Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId
| evaluate bag_unpack(Tests)
| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
| summarize by DeviceName, DeviceId


Can someone point out something I am missing here?


Thanks,

Princely Dmello
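A version of the same check shaped for a custom detection rule, added here as an example and not taken from the thread: it assumes the rule editor requires Timestamp, ReportId and a device identifier column in the results and a result schema that is known in advance, so it replaces evaluate bag_unpack() with fixed maxif() columns and joins DeviceInfo to supply Timestamp and ReportId.

```kql
// Added example (not from the thread): the sensor-data query rewritten so its
// output schema is fixed and carries the columns a custom detection rule needs.
// Assumptions: custom detections require Timestamp, ReportId and a device
// identifier in the output, and the rule editor cannot validate columns that
// evaluate bag_unpack() only produces at run time.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ('scid-2000', 'scid-2001')
| extend Result = case(IsApplicable == 0, "N/A",
                       IsCompliant == 1, "GOOD",
                       "BAD")
// Pivot the two checks into named columns instead of a dynamic property bag.
| summarize
    SensorEnabled        = maxif(Result, ConfigurationId == 'scid-2000'),
    SensorDataCollection = maxif(Result, ConfigurationId == 'scid-2001'),
    DeviceName           = any(DeviceName)
    by DeviceId
// Sensor is enabled but no data is being collected.
| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
// The latest DeviceInfo record per device supplies the Timestamp and ReportId
// columns the rule uses to time-stamp and de-duplicate alerts.
| join kind=inner (
    DeviceInfo
    | summarize arg_max(Timestamp, ReportId) by DeviceId
  ) on DeviceId
| project Timestamp, ReportId, DeviceId, DeviceName, SensorEnabled, SensorDataCollection
```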


1 Reply

@Princely

The query works fine for me, it isn't returning any error.
