Good day,
I have sysmon information collected in an index called sysmon. I also have created a summary index "HASh256" of all hashes that are known to be good.
I'd like to write a search that shows me all the events that the hash is not found in the summary index. I was planning to use the join command but seems to join only works when you want to include results from the main search and the subsearch.
I want to ***exclude*** entries that are found in the subsearch.
How can I achieve that?
Appreciate any help.
↧