Hi Folks,
I’m new to SecOps and still getting familiar with the platform’s functionality. Apologies if this is a basic question, but I believe it will be helpful not only for me but also for others who are beginning their SecOps journey.
I’m looking for guidance on how to search logs in SecOps for the following requirement:
We have onboarded Windows servers via Bindplane, and I want to run a query to list all logs coming from a specific Windows server.
Currently, we are using a query similar to the one below (Partial query) :
metadata.log_type = "WINEVTLOG"
$host = strings.coalesce(principal.asset.hostname, principal.hostname)
However, we are observing an issue where we have onboarded only 50 Windows servers, but the query returns more than 50 host values. Upon initial review, these additional hosts appear to be introduced during parsing (exact cause not yet confirmed).
In Splunk, we typically rely on the host field to retrieve all logs from a specific server/device. Could someone please advise on the equivalent approach in SecOps to accurately search and filter logs that are genuinely originating from a particular Windows server?
Any guidance or best practices would be greatly appreciated.
Thanks
Karthik
