Yes:

index=conf detectionSource=MCAS
    NOT title IN("Potential ransomware activity*", "Multiple delete VM activities*", "Mass delete*", "Data exfiltration to an app that is not sanctioned*", "Cloud Discovery anomaly detection*", "Investigation priority score increase*", "Risky hosting apps*", "DXC*")
    status=new
    NOT (title="Impossible travel activity" AND description="*Mexico*" AND description="*United States*")
| dedup incidentId
| rename entities{}.* AS * devices{}.* AS * evidence{}.* AS *
| stats values(title) AS AlertName, values(deviceDnsName) AS Host, values(user) AS "Account", values(description) AS "Description", values(fileName) AS file, values(ipAddress) AS "Source IP", values(category) AS "Mitre" BY incidentId
| rename incidentId AS ID_Defender
| tojson auto(AlertName), auto(Host), auto("Account"), auto("Description"), auto(file), auto("Source IP"), auto("Mitre") output_field=events
| eval events=replace(events, "\\[\"", "\""), events=replace(events, "\"\\]", "\"")
| rex field=events mode=sed "s/:\\[([0-9])\\]/:\\1/g"
| eval native_alert_id="SPL" . strftime(now(), "%Y%m%d%H%M%S") . tostring(random())
| tojson auto(native_alert_id) output_field=security
| eval security=replace(security, "\\[\"", "\""), security=replace(security, "\"\\]", "\"")
| rename security AS "security-alert"
| tojson json("security-alert"), auto(events) output_field=security-alert
| eval _time=now()
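To check what the pipeline above produces before wiring it to a downstream tool, here is an offline model of its filter, dedup, stats and single-value unwrapping stages in Python. It is an added example, not the poster's query or Splunk's code; field names follow the query, the sample alerts are constructed, and list-valued fields stand in for the multivalue fields that the entities{}.* rename yields.

```python
import random
import time

# Title prefixes suppressed by the query's NOT title IN(...) clause.
EXCLUDED_TITLE_PREFIXES = (
    "Potential ransomware activity", "Multiple delete VM activities", "Mass delete",
    "Data exfiltration to an app that is not sanctioned", "Cloud Discovery anomaly detection",
    "Investigation priority score increase", "Risky hosting apps", "DXC")
# Flattened alert field -> output key, as in the stats/rename stage.
FIELD_MAP = {"title": "AlertName", "deviceDnsName": "Host", "user": "Account",
             "description": "Description", "fileName": "file", "ipAddress": "Source IP",
             "category": "Mitre"}

def keep_alert(a):
    """Search-head conditions: source, status, excluded titles, Mexico/US travel exception."""
    if a.get("detectionSource") != "MCAS" or a.get("status") != "new":
        return False
    if a.get("title", "").startswith(EXCLUDED_TITLE_PREFIXES):
        return False
    d = a.get("description", "")
    return not (a.get("title") == "Impossible travel activity" and "Mexico" in d and "United States" in d)

def flatten(values):
    """values() gives a sorted distinct list; the replace/rex steps unwrap a single element."""
    return values[0] if len(values) == 1 else values

def shape_incidents(alerts, now=None):
    """dedup incidentId (first alert wins), then one record per incident with a native_alert_id."""
    first = {}
    for a in filter(keep_alert, alerts):
        first.setdefault(a["incidentId"], a)
    stamp = time.strftime("%Y%m%d%H%M%S", time.localtime(now))
    out = []
    for incident_id, a in first.items():
        events = {}
        for src, dst in FIELD_MAP.items():
            if src in a:  # a list here models a multivalue field from entities{}.*
                vals = a[src] if isinstance(a[src], list) else [a[src]]
                events[dst] = flatten(sorted(set(map(str, vals))))
        out.append({"ID_Defender": incident_id, "events": events,
                    "security-alert": {"native_alert_id": f"SPL{stamp}{random.getrandbits(31)}"}})
    return out

SAMPLE_ALERTS = [  # constructed sample records, not real Defender data
    {"incidentId": 101, "detectionSource": "MCAS", "status": "new", "title": "Suspicious inbox rule",
     "user": ["bob@example.test", "alice@example.test"], "ipAddress": "203.0.113.5", "category": "Persistence"},
    {"incidentId": 101, "detectionSource": "MCAS", "status": "new", "title": "Second alert, same incident"},
    {"incidentId": 102, "detectionSource": "MCAS", "status": "new", "title": "Mass delete of files"},
    {"incidentId": 103, "detectionSource": "MCAS", "status": "new", "title": "Impossible travel activity",
     "description": "Sign-ins from Mexico and United States within one hour"},
]
```

Running shape_incidents(SAMPLE_ALERTS) returns a single record for incident 101 with Account kept as a two-element list and Source IP unwrapped to a plain string, while 102 and 103 are dropped by the exclusions.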