Splunk Enterprise Security

FIELDALIAS-app = networkConnections{}.applicationName AS app never filled

Azeemering
Builder

Hello,

This app contains a list of Field aliases including a field alias for the field "networkConnections{}.applicationName AS app"
Except this field never seems to filled in the data that we receive from the MS Graph API.
Instead I am manually going to change this using the field vendorInformation.provider AS app
as this field contains app like values like:

IPC
Office 365 Security and Compliance
MCAS
Azure Advanced Threat Protection

Would this be a good idea? And why is the networkConnections{}.applicationName field never filled with values?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...