I have two sources with different data in each except one common column in each sourcetype called "DeviceName". In sourcetype two (device), I have a column called "Zones".
Is there a way of using "DeviceName" to print the "Zones" name from sourcetype two?
My logic: Let's say DeviceName is "user-pc" and is in zone "Personal". Search the second sourcetype by DeviceName (user-pc) and pull out the zone info and place it into the table.
What I have so far is:
index=protect sourcetype=threat OR sourcetype=device
| dedup SHA256, "File Path", "File Name"
| table SHA256 "DeviceName" "File Status" "Classification" "Ever Run" "Auto Run" "Running" "File Path" "Zones"
Nothing is printed in the Zones column in the table however. Any help would be appreciated!
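One way to carry the Zones value from the device events onto the matching threat events, shown here as an added example that is not from the original post. It assumes the field is literally named DeviceName (same case) in both sourcetypes and that Zones is only populated on sourcetype=device; eventstats then copies each device's zone onto every event with the same DeviceName, after which the device rows are dropped:

```spl
index=protect (sourcetype=threat OR sourcetype=device)
| eventstats values(Zones) AS Zones BY DeviceName
| search sourcetype=threat
| dedup SHA256, "File Path", "File Name"
| table SHA256 DeviceName "File Status" Classification "Ever Run" "Auto Run" Running "File Path" Zones
```

If Zones still comes back empty, run `index=protect sourcetype=device | stats values(Zones) BY DeviceName` on its own to confirm that the two sourcetypes really share identical DeviceName values and that Zones is an extracted field rather than raw text.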