From b5b3f54e302c145aba7896a5e9ed6e0f0b149e74 Mon Sep 17 00:00:00 2001
From: darioongit <66005183+darioongit@users.noreply.github.com>
Date: Thu, 1 Apr 2021 11:20:47 +0200
Subject: [PATCH] Update Open email link.txt

Replace old schema reference DeviceAlertEvents with AlertInfo | join AlertEvidence on AlertId
---
 Delivery/Open email link.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Delivery/Open email link.txt b/Delivery/Open email link.txt
index cfe0183f..531477ef 100644
--- a/Delivery/Open email link.txt
+++ b/Delivery/Open email link.txt
@@ -24,7 +24,7 @@ let outlookLinks =
 | project Timestamp, DeviceId, DeviceName, WasOutlookSafeLink, InitiatingProcessFileName, OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl["Query Parameters"]["url"])), RemoteUrl);
 let alerts =
- DeviceAlertEvents
+ AlertInfo | join AlertEvidence on AlertId
 | summarize (FirstDetectedActivity, Title)=argmin(Timestamp, Title) by AlertId, DeviceId
 // Filter alerts that include events from before the queried time period
 | where FirstDetectedActivity > minTimeRange;
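Review bot: The `Timestamp` used by `argmin(Timestamp, Title)` on the summarize line following the added join no longer means what it did with `DeviceAlertEvents`, because both AlertInfo and AlertEvidence carry a `Timestamp` column and a KQL join keeps the left table's name while suffixing the right table's duplicate as `Timestamp1`; the summarize therefore reads AlertInfo's timestamp, which is constant per alert, so `FirstDetectedActivity` is presumably no longer the earliest evidence time it was meant to be — confirm which column the downstream `minTimeRange` filter is supposed to see and, if it is the evidence time, use `argmin(Timestamp1, Title)` or project the wanted columns explicitly before summarizing. The join also relies on the default `innerunique` kind, which deduplicates left-side keys silently; spelling it out as `| join kind=inner AlertEvidence on AlertId` makes the intent reviewable. A one-line comment above the added line, such as `// DeviceId and per-evidence Timestamp come from AlertEvidence; AlertInfo supplies Title`, would document the schema migration for the next reader.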