Work in Progress.
This search 'works' but does not keep the SHA256HashData from the original search. I need the hash and other fields in ProcessRollup2 too!
event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 earliest=-10d@d latest=@m
| dedup aid
| stats count by aid SHA256HashData
| map search="search sourcetype=\"UserIdentityV2-v02\" aid=$aid$ earliest=-60d@d latest=@m"
| dedup aid UserPrincipal SHA256HashData
| table aid UserPrincipal SHA256HashData
This is what used to work, sort of, as long as it's around 1-4 days, because of the max limits I can't change in the CrowdStrike server:
sourcetype=UserLogonV8-v02
[| search sourcetype=json_predefined_timestamp SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b" | table AgentIdString
| dedup AgentIdString
| rename AgentIdString as aid]
| table aid UserName UserPrincipal LocalAddressIP4
| dedup UserPrincipal
| sort aid
| join type=outer aid
[| search sourcetype=json_predefined_timestamp SHA256String="3239a185c653b1f2385fbb9716172e116551fc68867e36ffdb96d5d7c8eaea5b" | table AgentIdString DetectDescription
| rename AgentIdString as aid]
| table aid DetectDescription UserName UserPrincipal LocalAddressIP4
| lookup aid_master aid OUTPUT City Country ComputerName MachineDomain
| table aid DetectDescription ComputerName LocalAddressIP4 MachineDomain UserName UserPrincipal FULLNAME City Country
Found my own post 😛 Use the following query to bind UserName to email, like so:
| join UserName
[search event_simpleName IN ("UserLogon*", "Login*") UserPrincipal!="svcSCOM.SvcNow@newellco.com" UserPrincipal=*.*@*.com UserPrincipal!=*.$*.com UserName!=svcSCCM.ClientPush UserName!=SYSTEM earliest=-2d@d]
Reference: https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting
In general, when you are looking at the same time range, I always recommend trying to do a single search instead of map or a subsearch.
Does this help, or do you still need to split by SHA256HashData and aid?
earliest=-10d@d latest=@m ( event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 ) OR (sourcetype="UserIdentityV2-v02" )
| stats count values(UserPrincipal) values(SHA256HashData) by aid
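Building on the single-search pattern in the reply above, here is an added example (not part of the original thread) that keeps the hash next to the identity fields and returns only the hosts on which the hashed process actually ran. The event field names, the hash value and the aid_master lookup are the ones used in this thread; proc_count is a name chosen here, and FileName is assumed to be present on the ProcessRollup2 events:

```spl
earliest=-10d@d latest=@m
    ( event_simpleName="ProcessRollup2" SHA256HashData=87ca1167cf2350e163f17688ea0c23e493c8f2e43492b9514818724f1a77c8f0 )
    OR ( sourcetype="UserIdentityV2-v02" )
| stats count(eval(event_simpleName="ProcessRollup2")) AS proc_count
        values(SHA256HashData) AS SHA256HashData
        values(FileName)       AS FileName
        values(UserPrincipal)  AS UserPrincipal
        BY aid
| where proc_count > 0
| lookup aid_master aid OUTPUT ComputerName MachineDomain City Country
| table aid ComputerName MachineDomain SHA256HashData FileName proc_count UserPrincipal City Country
```

The eval-conditioned count is what does the filtering: the OR search also returns UserIdentityV2 events for hosts that never ran the process, so those hosts end up with a proc_count of 0 and are dropped by the where clause, while hosts that did run it keep the hash, the process file name and every user principal seen on that aid in one row.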