discrepancy in search result based on data table

Hello,

we are performing a search based on a data table, and we are not getting any results

the query:

    metadata.log_type = "S1_ALERT"
    principal.ip in cidr %data_table_xx.cidr

while performing the same logic in a test rule, we get the results that we need

the rule logic:

    events:
        $e.metadata.log_type = "S1_ALERT"
        $e.principal.ip in cidr %data_table_xx.cidr

    outcome:
        $related_hostnames = array_distinct($e.principal.hostname)
        $related_threatname = array_distinct($e.security_result.threat_name)
        $related_username = array_distinct($e.principal.user.userid)

    condition:
        $e

can you please tell me if there is something missing in my query, or if there is an issue with data tables in searches?
