Found my own post 😛 Use the following query to bind UserName to email, like so:

... | join UserName [search event_simpleName IN ("UserLogon*", "Login*") UserPrincipal!="svcSCOM.SvcNow@newellco.com" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-2d@d]

Reference: https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting