Hi @AL3Z, please try this regex: C:\\Program Files\\Windows Defender Advanced Threat Protection\\(MsSense|SenseCM|SenseIR)\.exe if it doesn't run , please try: C:\\\Program Files\\\Windows Defender Advanced Threat Protection\\\(MsSense|SenseCM|SenseIR)\.exe Something there's an issue with backslashes. Ciao. Giuseppe

Hello, I think my original question was not clear. My apology. my search with regex below works for both ipv4 and ipv6 and it's faster than 3rd party ipv6compress function my original question:  is it possible only to bypass regex statement for ipv4 (only use regex for ipv6)? I was able to use drilldown condition in XML source as a workaround, but it made the code complex and it's not transferrable to Dashboard Studio. Thank you for your help. Search  | index=vulnerability_index | rex mode=sed field=ip "s/<regex>/<replacement>/<flags>" | search ip="$ip_token$"

Hello, Can you give an example how to implement your suggestion in the search with cidrmatch?  Assume that the mask already added in the dropdown box.  Thank you for your help ip_token=1.1.1.1/32 ip_token=2001:db8:3333:4444:5555:6666::2101/128 Search | index=vulnerability_index ``` if cidrmatch then ```   ??? ip="$ip_token$" ------------------------------------------------------- Note that my search with regex below works for both ipv4 and ipv6 and it's faster than 3rd party ipv6compress function my original question:  is it possible only to bypass regex statement for ipv4 (only use regex for ipv6)? I was able to use drilldown condition in XML source as a workaround, but it made the code complex and it's not transferrable to Dashboard Studio Search: | index=vulnerability_index | rex mode=sed field=ip "s/<regex>/<replacement>/<flags>" | search ip="$ip_token$"

Found another app that needs kvstore, but this one is a vendor TA. kvstore was not referenced in any documentation and I only found out after I stopped getting data. Fixed now, just keep an eye out for missing data after disabling kvstore on a HF.

Thanks and noted. All your assumptions were correct except: the stats is also exactly the same except field name of the output My target output fields will look like this: Src_ip of systems of the first 23 hours (-24h to -1h) count distinct number of dest_location-dest_ip combinations (-24h to -1h) count distinct number of dest_location-dest_ip combinations in full last 24hrs (-24h to now()) I see the logic of your code and am trying to tweak it so that it will match my target output.

@gcusello  Pls help in  excluding these 3 paths using single regex ? C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe  C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe

Hi @alexspunkshell, I don't understand the structure of your search, anyway, the raw "| search NOT idp_user" requires something after the field, otherwise Splunk excludes only events with the string "idp_user". like the following | search NOT idp_accountname IN (*idp*references*): you'll never have results and you cannot check it because you are working with the NOT operator. You could modify the stats command using my approach and the following check: index=test | rex field=_raw "user (?<idp_user>\d+\S+)" | search NOT idp_user=* NOT actor.alternateId="*idp*" eventType IN (security.threat.detected, security.internal.threat.detected) | rex field=debugContext.debugData.url "\S+username\=(?<idp_accountname>\S+idp-references)" | regex src_ip!="47.37.\d{1,3}.\d{1,3}" | search NOT idp_accountname IN ("*idp*references*") |rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser | strcat "Outcome Reason: " outcome.reason ", Outcome Result: " outcome.result Outcome_Details | strcat "Source Country: " src_country ", Source State: " src_state Src_Details | eval period=if(_time>now()-86400,"Last 24 hours","Previous") | eventstats dc(period) AS period_count BY IP user | stats count values(period_count) AS period_count min(_time) as firstTime max(_time) as lastTime by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City Outcome_Details User_Agent Client_Browser outcome.reason | where period_count=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_threatinsight_suspected_passwordspray_attack_filter` | `okta_threatinsight_threat_detected_filter` As I said, try to adapt the approach of my search to your. Ciao. Giuseppe  

@gcusello  index=test eventType IN (security.threat.detected, security.internal.threat.detected) |rename client.userAgent.rawUserAgent as User_Agent client.geographicalContext.city as Src_City client.geographicalContext.state as src_state client.geographicalContext.country as src_country displayMessage as Threat_Description signature as Signature client.device as Client_Device client.userAgent.browser as Client_Browser | stats count min(_time) as firstTime max(_time) as lastTime by src_ip user Signature Threat_Description Client_Device eventType Src_Details Src_City User_Agent Client_Browser

Hi @alexspunkshell, could you share your search? anyway, you could run something like this: <your_search> | eval period=if(_time>now()-86400,"Last 24 hours","Previous") | stats dc(period) AS period_count values(period) AS period latest(if(evalperiod="Last 24 hours",_time,"") AS latest_last_24_hours latest(if(evalperiod="Previous",_time,"") AS latest_previous BY IP user | where period_count12 AND period="Previous" | eval latest_previous=strftime(latest_last_24_hours,"%Y-%m-%d %H:%M:%S") | table IP user latest_previous Anyway, see my approach and adapt it to your requirements. Ciao. Giuseppe

Here are some sample events. One per host: Mon Sep 25 13:22:14 UTC 2023 - Host: slaznocaasmon01 slaznocaasmon01;Check_MK HW/SW Inventory;Found 86 inventory entries, Found 18 status entries ;0; slaznocaasmon01;Systemd Service Summary;Total: 179, Disabled: 17, Failed: 1, 1 static service failed (dnf-makecache)(!!);2; slaznocaasmon01;OMD nocaas apache;0.02 Requests/s, 0.00 Seconds serving/s, 0.52 B Sent/s;0; slaznocaasmon01;Check_MK Discovery;no unmonitored services found, no vanished services found, no new host labels ;0; slaznocaasmon01;Mount options of /var;Mount options exactly as expected;0; slaznocaasmon01;Mount options of /usr;Mount options exactly as expected;0;   Mon Sep 25 13:22:04 UTC 2023 - Host: slaznocaasevm01 slaznocaasevm01;Check_MK Discovery;no unmonitored services found, no vanished services found, no new host labels ;0; slaznocaasevm01;Disk IO SUMMARY;Read: 0.00 B/s, Write: 862 kB/s, Latency: 508 microseconds;0; slaznocaasevm01;Filesystem /var;37.37% used (2.99 of 7.99 GB), trend: -27.75 MB / 24 hours;0; slaznocaasevm01;Filesystem /usr;41.03% used (4.10 of 9.99 GB), trend: +128.74 kB / 24 hours;0; slaznocaasevm01;Filesystem /mnt;5.3% used (1.66 of 31.37 GB), trend: 0.00 B / 24 hours;0; slaznocaasevm01;Filesystem /home;28.35% used (287.49 of 1014.00 MB), trend: +16.26 kB / 24 hours;0;   Hostnames are: slaznocaasevm01, slaznocaasmon01, VMMS01 and VMBT02