https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689982#M235056 <P>So basically I'd like to do concatenation between DeviceProcess and DeviceRegistry events in advanced hunting query | advhunt&nbsp;</P><P>&nbsp;</P> Fri, 07 Jun 2024 13:15:05 GMT heskez 2024-06-07T13:15:05Z https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689839#M235022 <DIV class=""><DIV class=""><DIV><DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class="">I am having an issue in Advanced hunting for Defender app in Splunk<SPAN>&nbsp;</SPAN><A class="" href="https://splunkbase.splunk.com/app/5518" target="_blank" rel="noopener noreferrer">https://splunkbase.splunk.com/app/5518</A><SPAN>&nbsp;</SPAN>My original KQL query in azure contains | JOIN KIND INNER. Is such syntax also possible in SPL?</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV>&nbsp;</DIV></DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV><DIV class="">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV> Thu, 06 Jun 2024 12:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689839#M235022 heskez 2024-06-06T12:57:50Z https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689844#M235023 <P>Yes, SPL has a join command, but it should be avoided because it doesn't perform well.&nbsp; See <A href="https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Join" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.2.1/SearchReference/Join</A></P><P>&nbsp;</P> Thu, 06 Jun 2024 14:37:20 GMT https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689844#M235023 richgalloway 2024-06-06T14:37:20Z https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689977#M235055 <P>Thanks for your answer. I'm not sure if this is what I want. Because the advanced hunting app requires an API call with a limit of calls, I start doing a call on DeviceProcessEvents. Then I'm not sure if I need to do another API call on DeviceRegistryEvents, since I'd like to joint these two instances.&nbsp;</P> Fri, 07 Jun 2024 12:56:04 GMT https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689977#M235055 heskez 2024-06-07T12:56:04Z https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689982#M235056 <P>So basically I'd like to do concatenation between DeviceProcess and DeviceRegistry events in advanced hunting query | advhunt&nbsp;</P><P>&nbsp;</P> Fri, 07 Jun 2024 13:15:05 GMT https://community.splunk.com/t5/Splunk-Search/Azure-defender-advanced-hunting-to-Splunk-SPL/m-p/689982#M235056 heskez 2024-06-07T13:15:05Z