Hi all, I have a search with a Join. For the event I am Joining the Master search may not always have corresponding events in the join/subsearch.  Is it possible to also return the results from the master search if the join does not find corresponding events? index=*azure* *#EXT#* Operation="Add member to group." |spath output=groupname path=ModifiedProperties{1}.NewValue |spath output=TID path=Target{1}.ID |eval time=strftime(_time,"%H:%M:%S %d-%m-%Y") |rename UserId as src_user |stats earliest(time) as start_time latest(time) as last_time values(Operation) as operation values(ObjectId) as dest_user by groupname,src_user, TID | rename operation AS operation1 | table start_time, last_time, operation1, groupname, src_user, dest_user, TID | join TID [search index=*o365* |spath output=TID path=Parameters{1}.Value |eval time=strftime(_time,"%H:%M:%S %d-%m-%Y") |rename UserId as src_user |stats earliest(time) as start_time latest(time) as last_time values(Operation) as operation values(ObjectId) as dest_group by src_user, TID] |table start_time, last_time, src_user, operation, operation1, dest_group, groupname, dest_user TID ... View more

Hi All, Has anyone managed to map CrowdStrike Falcon FileVantage (FIM) logs to a Datamodel; if so could you share your field mappings? We were looking at he Change DM, would this be the best option?  thanks ... View more

Hi I have an ask to create an alert that must trigger if there are more than 50 '404' status codes in a 3 min period. This window must repeat three times in a row - for e.g 9:00 - 9:03, 9:03 - 9:06, 9:06 - 9:09.   The count should trigger only for those requests with 404 status code and for certain urls. The alert must only trigger if there are three values over 50 in consecutive 3 min windows. I have some initial SPL not using streamstats, but was wondering if streamstats would be better? Initial SPL - run over a 9 min time range: index="xxxx" "httpMessage.status"=404 url = "xxxx/1" OR url="xxxx/2" OR url ="xxxx/3" | timechart span=3m count(httpMessage.status) AS HTTPStatusCount | where HTTPStatusCount>50 | table _time HTTPStatusCount   thanks. ... View more

Hi All, I'm trying to calculate the failureRate as a percentage between the NumberOfAuthErrors column and the TotalRequest column, but i do not get any values. I do have two columns of values. I would like to calculate the failureRate for each ROW.   [SEARCH] | bin _time span=15m | stats count as NumberOfAuthErrors by _time | append [ SEARCH | bin _time span=15m | stats count as TotalRequest by _time ] | stats values(NumberOfAuthErrors) AS NumberOfAuthErrors, values(TotalRequest) AS TotalRequest | eval failureRate = round((NumberOfAuthErrors / TotalRequest) * 100,3) | table TotalRequest NumberOfAuthErrors failureRate     thanks ... View more

Hi All, I have an issue which i am unable to resolve. I have a lookup with two columns: Process_Command_Line, score Under 'Process_Command_Line', the values are wild carded e.g. *net user*. The 'score' column has an arbitrary numerical value added. The SPL is working with the 'Process_Command_Line' wild carded values and we only see events relevant to the Lookup values, but I cannot get the score value to be also visible. Is there something fundamentally incorrect with the SPL i am using: index=wineventlog source="WinEventLog:*" EventCode=4688 Process_Command_Line!="" user!="-" user="*123serviceProd*" [| inputlookup SuspiciousDiscoveryActivity.csv | fields Process_Command_Line] | dedup Process_Command_Line | lookup SuspiciousDiscoveryActivity.csv Process_Command_Line as Process_Command_Line OUTPUTNEW score thanks. ... View more