+10Hi Team
Recently i came across a scenario where in i am trying to recreate an yara l alert that my colleague created for another project. However at my end i noticed that values are not been seen in that field . log source is o365 and its ingestion method is identical (o365 management api) we both are using same default parser. He has not done any adhoc parsing too. Any reason?
+5Does the value exist in the raw log? If you compare the logs between each project are they logging the same things?
+22Another question I'd want to ask is the field an enriched field or unenriched? Unenriched would come in from the parser but enrichment would be dependent upon having user or asset context being populated...
+16rahul - it seems like all your recent questions are pointing to the same thing here. First and foremost for o365 are they configured exactly the same for sending the source data?
which fields are being populated?
it’s extremely hard to help without knowing exactly what you see.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
