@bowesmana is correct. mvfind won't accept two variables. Also, as he says, single quotes should be used to represent a field value in the where command. This is an alternative solution:

```
index="okta" actor.alternateId=*@* authenticationContext.externalSessionId!="unknown"
| eval "ASN"='securityContext.asNumber'
| eval "Session ID"='authenticationContext.externalSessionId'
| eval "User"='actor.alternateId' | eval "Risk"='debugContext.debugData.risk'
| stats dc("user_agent") as "Agent Count" values(user_agent) AS "User Agent" dc(ASN) as "ASN Count" values(ASN) as ASN dc(Risk) as "Risk Count" values(Risk) as Risk by User "Session ID"
| table "Session ID", ASN, "ASN Count", "User Agent", "Agent Count", User, Risk
| lookup asn_user.csv User output ASN as ASNfound
| where 'ASN Count' > 1 AND 'Agent Count' > 1 AND mvmap(ASN, if(ASN == ASNfound, "yes", "no")) == "no"
```

Here is an emulation of your illustrated data after lookup:

```
| makeresults format=csv data="Session ID, ASN, ASN Count, User Agent, Agent Count, User, Risk, ASNfound
idxxxxxxxxxxxx ,\"12345
321\",2 ,\"UserAgent1
UserAgent2\",2, user@company.com, \"{reasons=Anomalous Device, level=MEDIUM}\", \"12345
321\"
idxxxxxxxxxxxx, \"6789
321\",2, \"UserAgent1
UserAgent2\",2, user@company.com, \"{reasons=Anomalous Device, level=MEDIUM}\", \"12345
321\""
```

The above emulates

```
index="okta" actor.alternateId=*@* authenticationContext.externalSessionId!="unknown"
| eval "ASN"='securityContext.asNumber'
| eval "Session ID"='authenticationContext.externalSessionId'
| eval "User"='actor.alternateId' | eval "Risk"='debugContext.debugData.risk'
| stats dc("user_agent") as "Agent Count" values(user_agent) AS "User Agent" dc(ASN) as "ASN Count" values(ASN) as ASN dc(Risk) as "Risk Count" values(Risk) as Risk by User "Session ID"
| table "Session ID", ASN, "ASN Count", "User Agent", "Agent Count", User, Risk
| lookup asn_user.csv User output ASN as ASNfound
```
```
| where 'ASN Count' > 1 AND 'Agent Count' > 1 AND mvmap(ASN, if(ASN == ASNfound, "yes", "no")) == "no"
```

(The above uses a side effect of SPL's equality operator.) It gives

| ASN | ASN Count | ASNfound | Agent Count | Risk | Session ID | User | User Agent |
|---|---|---|---|---|---|---|---|
| 6789, 321 | 2 | 12345, 321 | 2 | {reasons=Anomalous Device, level=MEDIUM} | idxxxxxxxxxxxx | user@company.com | UserAgent1, UserAgent2 |

Play with it and compare with real data.
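To make the semantics of the search above explicit outside Splunk, here is an added Python emulation of the same pipeline (base search filter, `stats ... by User "Session ID"`, `lookup asn_user.csv`, and the `where` test). This is example code written for this page, not the poster's code or anything from Splunk or Okta. The event records, the `asn_user.csv` contents and the session IDs are constructed sample data; the `mvmap(...) == "no"` test is modelled as "at least one ASN in the session is absent from the user's known ASN list", which is the reading this example assumes, and a user missing from the lookup is treated like a null `ASNfound` (every ASN counts as unknown).

```python
from collections import defaultdict

# Risk string as it appears in the illustrated data (constructed sample value).
RISK = "{reasons=Anomalous Device, level=MEDIUM}"


def ev(user, session_id, asn, ua, risk=RISK):
    """Build one flattened Okta System Log event with only the fields the SPL search touches."""
    return {
        "actor.alternateId": user,
        "authenticationContext.externalSessionId": session_id,
        "securityContext.asNumber": asn,
        "user_agent": ua,
        "debugContext.debugData.risk": risk,
    }


# Constructed sample events (session IDs and ASNs are invented for illustration).
EVENTS = [
    # Session A: two ASNs, two agents, but both ASNs are known for the user -> not flagged.
    ev("user@company.com", "idaaaaaaaaaaaa", "12345", "UserAgent1"),
    ev("user@company.com", "idaaaaaaaaaaaa", "321", "UserAgent2"),
    # Session B: ASN 6789 is not in the lookup for this user -> flagged.
    ev("user@company.com", "idbbbbbbbbbbbb", "6789", "UserAgent1"),
    ev("user@company.com", "idbbbbbbbbbbbb", "321", "UserAgent2"),
    # Session C: unknown ASN, but only one user agent -> fails 'Agent Count' > 1, not flagged.
    ev("user@company.com", "idcccccccccccc", "6789", "UserAgent1"),
    ev("user@company.com", "idcccccccccccc", "321", "UserAgent1"),
    # Dropped by the base search: externalSessionId!="unknown".
    ev("user@company.com", "unknown", "9999", "UserAgent3"),
    # Dropped by the base search: actor.alternateId=*@* (no '@').
    ev("svc-sync", "iddddddddddddd", "9999", "UserAgent3"),
]

# Constructed stand-in for asn_user.csv: User -> set of known ASNs (the ASNfound column).
ASN_USER = {"user@company.com": {"12345", "321"}}


def base_search(events):
    """index="okta" actor.alternateId=*@* authenticationContext.externalSessionId!="unknown"."""
    return [
        e for e in events
        if "@" in e.get("actor.alternateId", "")
        and e.get("authenticationContext.externalSessionId") not in (None, "unknown")
    ]


def summarize_sessions(events):
    """stats dc(...) values(...) by User "Session ID": distinct values per (user, session)."""
    sessions = defaultdict(lambda: {"ASN": set(), "User Agent": set(), "Risk": set()})
    for e in base_search(events):
        key = (e["actor.alternateId"], e["authenticationContext.externalSessionId"])
        sessions[key]["ASN"].add(e["securityContext.asNumber"])
        sessions[key]["User Agent"].add(e["user_agent"])
        sessions[key]["Risk"].add(e["debugContext.debugData.risk"])
    return sessions


def flag_sessions(events, asn_user):
    """lookup asn_user.csv User output ASN as ASNfound, then the where clause.

    A session is returned when it used more than one ASN, more than one user agent,
    and at least one of its ASNs is not in the user's known list (the "no" case of mvmap).
    """
    flagged = []
    for (user, session_id), agg in sorted(summarize_sessions(events).items()):
        asn_found = asn_user.get(user, set())  # lookup miss behaves like a null ASNfound
        unknown_asns = sorted(agg["ASN"] - asn_found)
        if len(agg["ASN"]) > 1 and len(agg["User Agent"]) > 1 and unknown_asns:
            flagged.append({
                "Session ID": session_id,
                "User": user,
                "ASN": sorted(agg["ASN"]),
                "ASN Count": len(agg["ASN"]),
                "ASNfound": sorted(asn_found),
                "Unknown ASN": unknown_asns,
                "User Agent": sorted(agg["User Agent"]),
                "Agent Count": len(agg["User Agent"]),
                "Risk": sorted(agg["Risk"]),
            })
    return flagged


if __name__ == "__main__":
    for row in flag_sessions(EVENTS, ASN_USER):
        print(row)
```

Running it prints only session `idbbbbbbbbbbbb`, with `Unknown ASN` showing which value failed the lookup; session A is suppressed because both ASNs are known, and session C because a single user agent never satisfies `'Agent Count' > 1`. Passing an empty lookup flags sessions A and B, which is the behaviour to expect in Splunk for users who have no row in `asn_user.csv`.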