Question

Data table event enrichment (inner vs left vs outer)

  • February 3, 2026
  • 1 reply
  • 15 views

komajaro

Hello,

Is there a way to influence the type of join operation when using data tables?

Previously, when working with Splunk, there was an option to pick one of 3 choices: inner, outer or left.

When working with data tables in SecOps I see that it behaves like an inner join, which effectively filters results, which is something I want to avoid.

Example:

  • when a data table contains account A and events contain account A enrichment works as expected.
  • when a data table contains account B and events contain account A enrichment does not work and events are filtered out (but I want to see them despite ‘unsuccessful’ enrichment).

1 reply

jstoner
Staff
  • February 3, 2026

There is ongoing work on joins with data tables occurring and this question is timely but potentially a little early. I tested this on my internal tenant and was able to get a result but I don't believe it has been pushed out fully. That said, we can (shortly) do a left join between the events and a data table and the search syntax would look something like this:


$e.metadata.event_type = "USER_LOGIN"
$e.target.user.userid = $user
left join $e.target.user.userid = %adhoc_users.userid
match:
$user
outcome:
$company = array_distinct(%adhoc_users.organization)
$state = array_distinct(%adhoc_users.state)
$probationary = array_distinct(%adhoc_users.probationary)

This would give you all the user login events and then show the org, state and probationary status of the users that exist in both the event and data table but still provide the users in the events even if they are not in the data table.

Again, this may not be in your tenant yet but should be getting there soon.
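To make the difference between the two behaviours concrete, here is an added Python model of the search above (not SecOps code and not from the thread): constructed USER_LOGIN events and a constructed adhoc_users table are matched on userid, once with the current inner-join-like behaviour that drops unmatched events, and once as a left join that keeps them with empty enrichment arrays.

```python
"""Model of the two join behaviours described above: the default
(inner-join-like) data table match drops events whose userid is absent
from the table; a left join keeps them with empty enrichment values.
Sample events and data table rows are constructed here, not real data."""
from collections import defaultdict

# Constructed UDM-like login events (only the fields the search uses).
EVENTS = [
    {"metadata.event_type": "USER_LOGIN", "target.user.userid": "alice"},
    {"metadata.event_type": "USER_LOGIN", "target.user.userid": "bob"},
    {"metadata.event_type": "USER_LOGIN", "target.user.userid": "alice"},
    {"metadata.event_type": "NETWORK_CONNECTION", "target.user.userid": "carol"},
]

# Constructed rows of a data table named adhoc_users, keyed by userid.
ADHOC_USERS = [
    {"userid": "alice", "organization": "finance", "state": "active", "probationary": "false"},
    {"userid": "alice", "organization": "finance", "state": "active", "probationary": "false"},
    {"userid": "dave", "organization": "it", "state": "active", "probationary": "true"},
]

ENRICH_COLS = ("organization", "state", "probationary")


def array_distinct(values):
    """Order-preserving distinct, mirroring array_distinct() in the outcome section."""
    return list(dict.fromkeys(values))


def enrich_logins(events, table, join="inner"):
    """Return {userid: {column: [distinct values]}} for USER_LOGIN events.

    join="inner": only users present in both events and table (current behaviour).
    join="left":  every user seen in login events; users missing from the
                  table are kept with empty enrichment lists.
    """
    by_user = defaultdict(list)
    for row in table:
        by_user[row["userid"]].append(row)
    result = {}
    for ev in events:
        if ev["metadata.event_type"] != "USER_LOGIN":
            continue
        user = ev["target.user.userid"]
        rows = by_user.get(user, [])
        if not rows and join == "inner":
            continue  # no match: the event is filtered out of the results
        result[user] = {c: array_distinct(r[c] for r in rows) for c in ENRICH_COLS}
    return result
```

With join="inner" only alice survives; with join="left" bob is also returned, with empty organization, state and probationary lists, while dave (table only) and carol (not a USER_LOGIN) never appear in either mode.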