security_content icon indicating copy to clipboard operation
security_content copied to clipboard
verified publisher icon splunk

Fields missing from joined tstats

Open TheLawsOfChaos opened this issue 3 years ago • 1 comments

https://github.com/splunk/security_content/blob/aeceacc7378e501c4fd3b01816e1d6dc1e34de8c/detections/endpoint/registry_keys_used_for_persistence.yml#L29-L32

Joined subsearch needs to have Processes.user & Processes.process_path added into it, as the fields at the end is trying to use them and they aren't grabbed from the tstats.

While user could be used from the top search, process_path is not defined in that EventCode/search so has to be used from the joined tstats line.

TheLawsOfChaos avatar Jul 08 '22 14:07 TheLawsOfChaos

fix is in PR https://github.com/splunk/security_content/pull/2298

tccontre avatar Jul 20 '22 09:07 tccontre