Hi All,
I'm using a data model search to retrieve all emails sent to/from a user, and am trying to populate the email address using a subsearch from another data model. Something has gone a bit awry, and I can't quite figure out what. Search is below.
| datamodel Email search
| join All_Identities.mail type=left
[| datamodel Identity_Management All_Identities search
| search All_Identities.sAMAccountName=MikeElliott
| fields All_Identities.mail]
| search All_Email.orig_src=All_Identities.mail
| fillnull value="-"
| table _time sourcetype All_Email.orig_src All_Email.orig_recipient All_Email.action All_Email.subject All_Email.size All_Email.file_name All_Email.src All_Email.dest All_Email.return_addr
| rename _time as Date/Time sourcetype AS Sourcetype All_Email.orig_src AS Sender_Address All_Email.orig_recipient AS Recipient_Address All_Email.action AS Action All_Email.subject AS Subject All_Email.size AS Email_Size All_Email.file_name AS File_Name All_Email.src AS Source_IP All_Email.dest AS Dest_IP All_Email.return_addr AS Return_Address
| convert ctime(Date/Time) timeformat="%H:%M:%S %d/%m/%y"
| fields Date/Time Sourcetype Sender_Address Recipient_Address Subject Action Email_Size File_Name Source_IP Dest_IP Return_Address
I'm trying to do the following:
- Search Identity_Management All_Identities data model (not a standard CIM data model) and retrieve the email address associated with the user MikeElliott;
- Plug the email address from the sub search into the parent (| search All_Email.orig_src=All_Identities.mail);
- Return all events where the email address is the Sender Address;
I'm quite new to data models and can't seem to just create the sub search like I normally would.
Any advice?
