Splunk Enterprise Security

FIELDALIAS-app = networkConnections{}.applicationName AS app never filled



This app contains a list of Field aliases including a field alias for the field "networkConnections{}.applicationName AS app"
Except this field never seems to filled in the data that we receive from the MS Graph API.
Instead I am manually going to change this using the field vendorInformation.provider AS app
as this field contains app like values like:

Office 365 Security and Compliance
Azure Advanced Threat Protection

Would this be a good idea? And why is the networkConnections{}.applicationName field never filled with values?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...