Hello,

So I am working on a CS for Enterprise Security that -- when run manually -- returns results; however, when it's scheduled to run it does not return anything.

I've looked in the _internal index and found that:

- 0 suppressions are taking effect
- 0 results are returned
- All searches are run successfully

I've looked in the notable index and confirmed that 0 alerts are firing. The CS is running as ADMIN within the application context of Enterprise Security.

This is the search:

    index=cylance_protect sourcetype=threat
    | eval FirstFound=split('First Found'," ")
    | eval FirstFoundDate=mvindex(FirstFound,0)
    | eval FirstFoundDate_epoch=strptime(FirstFoundDate, "%m/%d/%Y")
    | eval currentTime=now()
    | eval currentTime=strftime(currentTime, "%m/%d/%Y")
    | eval currentTime_epoch=strptime(currentTime, "%m/%d/%Y")
    | eval CreatedDaysAgo=(currentTime_epoch-FirstFoundDate_epoch)/86400
    | eval CreatedDaysAgo=round(CreatedDaysAgo)
    | search CreatedDaysAgo < 2
    | table _time FirstFound CreatedDaysAgo DeviceName Tenant user action "Cylance Score" signature "Detected By" "Ever Run" "File Name" file_path file_hash

Are the eval statements causing this issue? I used the above logic to ONLY return 'new' Cylance detections within the last 1 day.
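To check what the eval chain above actually admits independently of the schedule, here is an added Python model of it (not Splunk code and not part of the original post): it reproduces the split, the date-only strptime/strftime round trip, and the rounded day difference over constructed sample rows, and also models the case where 'First Found' does not match the expected format (SPL strptime then yields null and the row silently drops out at the `search` step). Field values and host names are constructed.

```python
from datetime import datetime


def created_days_ago(first_found, run_time_iso):
    """Python model of the eval chain; run_time_iso stands in for now().
    Returns None where SPL's strptime would return null."""
    run_time = datetime.fromisoformat(run_time_iso)
    # eval FirstFound=split('First Found'," ") | eval FirstFoundDate=mvindex(FirstFound,0)
    first_found_date = first_found.split(" ")[0]
    try:
        # eval FirstFoundDate_epoch=strptime(FirstFoundDate, "%m/%d/%Y")
        first_epoch = datetime.strptime(first_found_date, "%m/%d/%Y")
    except ValueError:
        return None  # non-matching format -> null in SPL
    # strftime(now(), "%m/%d/%Y") then strptime(...) truncates now() to midnight
    current_epoch = datetime.strptime(run_time.strftime("%m/%d/%Y"), "%m/%d/%Y")
    # eval CreatedDaysAgo=round((currentTime_epoch-FirstFoundDate_epoch)/86400)
    # Both sides sit at midnight, so this is always a whole number of calendar days.
    return round((current_epoch - first_epoch).total_seconds() / 86400)


def filter_recent(rows, run_time_iso, max_days=2):
    """search CreatedDaysAgo < 2: a null CreatedDaysAgo never passes the comparison."""
    kept = []
    for row in rows:
        days = created_days_ago(row["First Found"], run_time_iso)
        if days is not None and days < max_days:
            kept.append({**row, "CreatedDaysAgo": days})
    return kept


# Constructed sample detections (not real Cylance data).
SAMPLE_ROWS = [
    {"DeviceName": "host-a", "First Found": "03/10/2021 11:59:00 PM"},
    {"DeviceName": "host-b", "First Found": "03/11/2021 12:01:00 AM"},
    {"DeviceName": "host-c", "First Found": "03/12/2021 09:30:00 AM"},
    {"DeviceName": "host-d", "First Found": "2021-03-12T09:30:00Z"},  # unexpected format
]

if __name__ == "__main__":
    # host-a is only ~24h old at 00:01 but still gets CreatedDaysAgo=2 and is dropped;
    # host-b is ~48h old at 23:59 but gets CreatedDaysAgo=1 and is kept.
    for when in ("2021-03-12T00:01", "2021-03-12T23:59"):
        names = [r["DeviceName"] for r in filter_recent(SAMPLE_ROWS, when)]
        print(when, names)
```

Because both timestamps are truncated to the calendar day, `CreatedDaysAgo < 2` means "first found today or yesterday" rather than "within the last 24 hours", and any row whose 'First Found' is not in `%m/%d/%Y ...` form disappears without an error.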