Hi
In my logs for CrowdStrike I am facing an issue.
security_result.action = Block is seen when I export the UDM events. However, when I search the same field inside Chronicle it is seen as . As a result, when I build the query with the logic security_result.action = Block, some of the events are triggering although action = blocked. How do I fix this issue?
security_result[1].action[0] = "BLOCK"
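Added example, not part of the original question or of Chronicle itself: a small Python evaluator over constructed UDM-style events that shows how a repeated field such as security_result.action behaves under any-element matching, how an indexed path like security_result[1].action[0] narrows that, and how an exact comparison against "Block" differs from one against the upper-case value "BLOCK". The sample events, the any-element semantics, and the assumption that the stored enum value is upper case are assumptions made for illustration, not a statement of how Chronicle evaluates the query.

```python
import json
import re

# Constructed UDM-style events (not real CrowdStrike or Chronicle data).
# Assumption: security_result and security_result.action are repeated fields and
# the stored enum value is "BLOCK", even if an export renders it as "Block".
EVENTS = [json.loads(s) for s in [
    '{"id": "e1", "security_result": [{"action": ["ALLOW"]}, {"action": ["BLOCK"]}]}',
    '{"id": "e2", "security_result": [{"action": ["ALLOW"]}]}',
    '{"id": "e3", "security_result": [{"action": ["BLOCK", "QUARANTINE"]}]}',
    '{"id": "e4", "security_result": []}',
]]

# A path segment is "name" or "name[index]"
_PART = re.compile(r"^(\w+)(?:\[(\d+)\])?$")


def values_at(obj, path):
    """Collect every leaf value reachable by walking `path` through nested
    dicts and lists (repeated fields). Without an index, every element of a
    repeated field is followed, so security_result.action yields the actions
    of all security_result entries; an index keeps only that element."""
    current = [obj]
    for part in path.split("."):
        m = _PART.match(part)
        if not m:
            raise ValueError(f"bad path segment: {part}")
        key, idx = m.group(1), m.group(2)
        nxt = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue
            val = node[key]
            items = val if isinstance(val, list) else [val]
            if idx is not None:
                i = int(idx)
                items = items[i:i + 1]  # out-of-range index yields nothing, no error
            nxt.extend(items)
        current = nxt
    return [v for v in current if not isinstance(v, (dict, list))]


def matches(event, path, wanted, nocase=False):
    """Any-element semantics: true if any value under `path` equals `wanted`.
    With nocase=True both sides are upper-cased before comparison."""
    norm = (lambda s: str(s).upper()) if nocase else (lambda s: str(s))
    return any(norm(v) == norm(wanted) for v in values_at(event, path))


def search(events, path, wanted, nocase=False):
    """Return the ids of events matching the predicate path = wanted."""
    return [e["id"] for e in events if matches(e, path, wanted, nocase)]


if __name__ == "__main__":
    # Exact match on the exported rendering finds nothing when the stored value is upper case
    print(search(EVENTS, "security_result.action", "Block"))
    # Exact match on the stored value hits any event with a blocking result anywhere
    print(search(EVENTS, "security_result.action", "BLOCK"))
    # Case-normalized comparison gives the same result as the upper-case query
    print(search(EVENTS, "security_result.action", "Block", nocase=True))
    # Indexed path from the question: only the second result's first action
    print(search(EVENTS, "security_result[1].action[0]", "BLOCK"))
```

Because the un-indexed path follows every element of the repeated field, an event whose first security_result is ALLOW and whose second is BLOCK still matches security_result.action = "BLOCK"; the indexed path and the exact-case comparison are what separate the cases in the output above.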