Hi @RiveraMarco
You may try this and edit this query based on your requirements:
config case_sensitive = false
| dataset = host_inventory
| fields host_name, applications
| arrayexpand applications
| alter readable_application_name = json_extract(applications, "$.application_name")
| alter app_name = trim (readable_application_name ,"\"")
| fields app_name
| join type = inner (dataset= xdr_data | fields actor_process_image_name , os_actor_process_image_name , action_file_name , actor_primary_username , causality_actor_process_image_name ) as aip aip.actor_process_image_name contains app_name
| filter (actor_primary_username != """NT AUTHORITY\\SYSTEM""")
| dedup app_name , actor_primary_username , actor_process_image_name
Feel free to write back if you have further query.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
Hi @RiveraMarco
You may try this and edit this query based on your requirements:
config case_sensitive = false
| dataset = host_inventory
| fields host_name, applications
| arrayexpand applications
| alter readable_application_name = json_extract(applications, "$.application_name")
| alter app_name = trim (readable_application_name ,"\"")
| fields app_name
| join type = inner (dataset= xdr_data | fields actor_process_image_name , os_actor_process_image_name , action_file_name , actor_primary_username , causality_actor_process_image_name ) as aip aip.actor_process_image_name contains app_name
| filter (actor_primary_username != """NT AUTHORITY\\SYSTEM""")
| dedup app_name , actor_primary_username , actor_process_image_name
Feel free to write back if you have further query.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
