Good day,
I have sysmon information collected in an index called sysmon. I also have created a summary index "HASh256" of all hashes that are known to be good. I'd like to write a query that shows me all the events where the hash is not found in the summary index. I was planning to use the join command, but it seems join only works when you want to include results from the main search and the subsearch. I want to ***exclude*** entries that are found in the subsearch.
How can I achieve that?
Appreciate any help.
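One way to express "main search minus subsearch" in SPL is the `NOT [ subsearch ]` construct, where the subsearch emits its results as a list of `field=value` terms that are negated in the outer search. The query below is an added example, not part of the original post: it assumes the Sysmon events carry an extracted `SHA256` field (as the Splunk Add-on for Sysmon produces from the `Hashes` field), that process-creation events are `EventCode=1`, and that the summary index stores each known-good hash in a field named `sha256`; adjust those names to match your data.

```spl
index=sysmon EventCode=1
    NOT [ search index=HASh256
          | dedup sha256
          | fields sha256
          | rename sha256 AS SHA256
          | format ]
| table _time Computer User Image CommandLine SHA256
```

The `rename` is what makes the subsearch output line up with the outer field name, and `format` turns the result rows into `( ( SHA256="..." ) OR ( SHA256="..." ) )` so the `NOT` drops every event whose hash is on the known-good list. Two caveats for an allowlist of any size: subsearches are capped by `limits.conf` (10,000 results and 60 seconds by default), so a large summary index will be silently truncated and unknown-to-the-list binaries will slip through; for a big list, load the hashes into a CSV lookup and filter with `| lookup known_good_hashes SHA256 OUTPUT SHA256 AS known | where isnull(known)`, or keep `join type=left` and discard rows where the joined field is null with `| where isnull(known)`, which is the same exclusion without the subsearch result limit.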