In my search results, I have multiple results for "Alert" & "UPN".
I want to include only "Alert=Anonymous IP address" for 10 specific "UPN" values and ignore the other results.
So I made a lookup table to filter it. However, multiple other "Alert" results are also included in my search results for those "UPN" values.
Query
........
| lookup Trusted_Anonymizer Alert_UPN as UPN
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search Anonymizer_alert=Yes
| table Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert
The data and lookup samples are not obvious, so I am not sure.
alert="Anonymous IP address" | lookup ....
I suppose the order is this.
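The reply's point is that `lookup` only keys on UPN, so every alert for a whitelisted UPN gets tagged; the alert filter has to come before (or after) the lookup, not be left to the lookup. The following is an added example, not code from the original post: it replaces the elided base search with four constructed events so the effect is visible, and assumes a lookup named Trusted_Anonymizer with a key column Alert_UPN and an output column Anonymizer_alert holding the value whitelisted_user, and that the alert name lives in a field called Alert.

```spl
| makeresults count=4
| streamstats count AS n
| eval Alert=case(n=1, "Anonymous IP address",
                  n=2, "Impossible travel",
                  n=3, "Anonymous IP address",
                  n=4, "Anonymous IP address"),
       UPN=case(n=1, "alice@example.com",
                n=2, "alice@example.com",
                n=3, "bob@example.com",
                n=4, "carol@example.com")
| search Alert="Anonymous IP address"
| lookup Trusted_Anonymizer Alert_UPN AS UPN OUTPUT Anonymizer_alert
| search Anonymizer_alert=whitelisted_user
| table Alert, UPN, Anonymizer_alert
```

With alice and bob in the assumed lookup, only events 1 and 3 survive; event 2 (alice, but a different alert) is dropped by the `search Alert=...` line that the original query lacked, and event 4 (carol, not in the lookup) is dropped because the lookup returns no Anonymizer_alert for her. If the lookup is keyed by UPN alone, the filter on Alert can sit either side of the `lookup`, but putting it first avoids doing lookups on events that will be discarded. One caveat for UPNs from identity providers: CSV lookup matching is case-sensitive unless the lookup definition sets case_sensitive_match to false, so either normalise with `eval UPN=lower(UPN)` before the lookup or configure the definition, otherwise Alice@example.com silently fails to match.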