https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/559302#M10060 <P>The explanation for this is that there is a limit on how many results can be returned in a sub-search (right-side of a join). I believe 50k results is the limit. So try to make sure your search is as narrow as possible.</P> Tue, 13 Jul 2021 19:09:35 GMT swebb07g 2021-07-13T19:09:35Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412119#M4865 <P>Hello,</P> <P>I got this query from Crowdstrike Documentation https[://]www[.]crowdstrike[. ]com/blog/tech-center/hunt-threat-activity-falcon-endpoint-protection/</P> <P>Under "Events App: Step-By-Step Procedure" Step no. 4, there is this query:</P> <P>aid=* event_simpleName="DnsRequest" | rename ContextProcessId as TargetProcessId | join TargetProcessId [search aid=* event_simpleName="ProcessRollup2" ImageFileName="*notepad.exe"] | table ImageFileName DomainName</P> <P>Individually, the main search or the sub search works fine. If I join them like in the above and change <EM>notepad.exe to *chrome.exe, I am able to see all DnsRequests events from chrome.exe process. But if I only say ImageFileName="</EM>.exe" in the subset, the resulting table has the correct DomainName column but the ImageFileName column contains only a single process (.e,.g \Device\HarddiskVolume2\Program Files\AppSense\Performance Manager\Agent\PmAgentAssist.exe). How come the search is only picking up this one process "pmAgentAssist.exe"? </P> <P>Any idea how to solve this? My goal is to locate all DNS requests made in all machines and determine the process/programs which sent the requests.</P> Tue, 29 Sep 2020 20:56:14 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412119#M4865 splunkb0y 2020-09-29T20:56:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412120#M4866 <P>typo, ImageFileName=".exe" should be "ImageFileName="*.exe"</P> Fri, 17 Aug 2018 23:57:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412120#M4866 splunkb0y 2018-08-17T23:57:02Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412121#M4867 <P>Actually, this is the ImageFileName I get, if I don't specify a ComputerName on both Main and Sub search: <BR /> \Device\HarddiskVolume2\Windows\System32\dllhost.exe</P> Sat, 18 Aug 2018 00:15:32 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412121#M4867 splunkb0y 2018-08-18T00:15:32Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412122#M4868 <P>I'm experiencing the same issue. Did you ever find a solution?</P> <P>I can say (not sure when this changed) that TargetProcessId and ContextProcessId are now TargetProcessId_decimal and ContextProcessId_decimal. </P> Wed, 30 Sep 2020 00:48:15 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/412122#M4868 slw07gdev 2020-09-30T00:48:15Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/559302#M10060 <P>The explanation for this is that there is a limit on how many results can be returned in a sub-search (right-side of a join). I believe 50k results is the limit. So try to make sure your search is as narrow as possible.</P> Tue, 13 Jul 2021 19:09:35 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Crowdstrike-DnsRequest-ImageFileName-join/m-p/559302#M10060 swebb07g 2021-07-13T19:09:35Z