Sorry for the lack of details, I am at that place of not even quite understanding what I'm asking for yet lol! Let me try and describe: I have a bunch of data ingested from a proxy log that I'm not actually interested in, but two of the accelerated fields are user and url, which both populate from access logs (beyond this, I am not sure what extra detail would be helpful). I want to search for URLs which are IOCs (I have a known short list of them), and then separately compile a report of whether any user has interacted with more than one of these URLs. I don't really need the volume of access, primarily just the usernames of any user that has indeed hit more than one criteria. I had started creating searches/reports individually for each URL and was going to make a lookup table with the results, which I could then produce a further report from, but this feels overly complicated for what seems like a simple enough task. Thanks for your help!
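One way to express the report described above as a single search, added here as an example and not part of the original post: the first five lines only build constructed sample events (the usernames and the `.example` URLs are made up) and would be replaced by your own proxy base search, while `user` and `url` are the field names from the post. `dc(url)` counts distinct IOC URLs per user, so repeated hits on the same URL do not qualify a user.

```spl
| makeresults
| eval raw=split("alice|http://ioc-one.example/login;alice|http://ioc-two.example/dl;bob|http://ioc-one.example/login;bob|http://ioc-one.example/login;carol|http://benign.example/;carol|http://ioc-three.example/x", ";")
| mvexpand raw
| eval user=mvindex(split(raw, "|"), 0), url=mvindex(split(raw, "|"), 1)
| fields user url
| search url IN ("http://ioc-one.example/login", "http://ioc-two.example/dl", "http://ioc-three.example/x")
| stats dc(url) AS distinct_ioc_urls values(url) AS ioc_urls BY user
| where distinct_ioc_urls > 1
```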