Good Day,
I am fairly new to Cortex but have been looking to detect git-related activity not associated with GitHub. I believe I have a decent grasp on the volume as well as the observed destinations. I am running into issues differentiating what initiated these flows (HTTP/S, SSH, etc.). The only remote port that shows in the network story is DNS (53).
I am wondering if I need to join another dataset and how I would go about doing so? Or if there is a better way to get this result set outside of network story.
Below is what I have so far, any help would be greatly appreciated:
config case_sensitive = false
| preset = network_story
| filter dns_resolutions != null
| arrayexpand dns_resolutions
| alter Resolution_Value = dns_resolutions -> value{}, Resolution_Name = dns_resolutions -> name{}
| fields agent_hostname, actor_process_image_name, actor_process_command_line, Resolution_Name, Resolution_Value, dns_query_type, dns_resolutions, dns_query_name, dns_reply_code, user_id, actor_effective_username, action_local_port, action_remote_port
| filter Resolution_Name not contains "github" and actor_process_command_line contains "http" and actor_process_command_line contains "git"
| sort desc actor_process_command_line
| dedup actor_process_command_line
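One way to get the transport without touching the DNS rows at all, as an added example that is not part of the original post: the network story preset is built on DNS resolutions, which is why port 53 is the only remote port it shows. The raw NETWORK events in xdr_data carry the same process fields together with the real remote port, so the protocol can be read off the port (22 for SSH, 80/443 for HTTP/HTTPS, 9418 for the bare git protocol). The query below assumes the standard xdr_data field names used on the page plus event_type and action_remote_ip; the git image names are an assumption and should be widened for any IDE or tooling that spawns git on your hosts.

```xql
// Added example: classify git network flows by remote port instead of by DNS resolution.
// Assumes the standard xdr_data NETWORK event fields; "git" / "git.exe" are assumed image names.
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.NETWORK
| filter actor_process_image_name in ("git", "git.exe")
      or actor_process_command_line contains "git"
// Map the remote port to the transport the flow actually used.
| alter transport = if(action_remote_port = 22, "ssh",
                       action_remote_port in (80, 443), "http(s)",
                       action_remote_port = 9418, "git-daemon",
                       "other")
| fields agent_hostname, actor_effective_username, actor_process_image_name,
         actor_process_command_line, action_remote_ip, action_remote_port, transport
// One row per host, command line and transport, with a flow count for volume.
| comp count() as flows by agent_hostname, actor_effective_username,
                            actor_process_command_line, action_remote_ip,
                            action_remote_port, transport
| sort desc flows
```

Because the transport comes from the port on the connection itself, no join against the DNS resolutions is needed for this question; the DNS rows only help if you also want the resolved hostname next to the IP, and in that case the GitHub exclusion belongs on the resolved name while the HTTP-vs-SSH split stays on action_remote_port. Note that a command line containing "http" only tells you the configured remote URL, not which transport the process opened, so filtering on the port is the more reliable check.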