Hi @MatthieuFouet,

I hope I got the use case correctly, and based on my understanding, you may try the below query:


dataset = alerts
| fields rule_id, file_name, file_sha256
| arrayexpand file_name
| comp count(file_name) as Hits by file_name
| sort desc Hits

Sample output should look like the below 


You may also add more fields and filters as you wish, if you need to!

If this answers your question, feel free to mark it as a solution so others can benefit from it!

Thanks
Z
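As an added example (not part of Z's reply above), the same query extended so that each file name also shows how many distinct SHA-256 hashes were seen under it, since a file name alone does not identify a file and one name hiding several hashes is worth a closer look. It assumes the alerts dataset exposes file_sha256 as in the query above and that count_distinct is available in your XQL version.

```xql
dataset = alerts
| fields rule_id, file_name, file_sha256
| arrayexpand file_name
// drop alerts that carry no file name, so they do not form their own bucket
| filter file_name != null
// Hits = number of alerts per file name; Distinct_Hashes = how many different files share that name
| comp count(rule_id) as Hits, count_distinct(file_sha256) as Distinct_Hashes by file_name
| sort desc Hits
```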