splunk / TA-microsoft-365-defender-advanced-hunting-add-on


Extract tcp_flag #19

Open inspired opened 2 months ago

inspired commented 2 months ago

Something along these lines:

| eval tcp_flag=case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents", lookup("ms_365_defender_tcp_flag", json_object("tcp_flag_hex", json_extract('properties.AdditionalFields',"Tcp Flags")), json_array(tcp_flag)), 1==1, null())

inspired commented 2 months ago

Fixed in 4ca9c3be373b621d209a026fd5d4f579552e9ca2

inspired commented 2 months ago

Change this to use bitwise operators instead because the static lookup lacks several flags.
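Decoding the flag value with bitwise tests rather than a static table, as the last comment suggests, shown here as an added Python illustration (not the add-on's own SPL or code); the sample event and the hex-string format of "Tcp Flags" are constructed assumptions, and the small static table only exists to show why a lookup misses combinations:

```python
import json

# TCP control bits: FIN..URG from RFC 793, ECE/CWR from RFC 3168, NS from RFC 3540.
TCP_FLAG_BITS = [
    (0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
    (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
    (0x100, "NS"),
]
KNOWN_MASK = sum(bit for bit, _ in TCP_FLAG_BITS)

# Constructed stand-in for a static lookup: only the rows someone entered exist,
# so any other flag combination resolves to nothing.
STATIC_LOOKUP = {
    "0x02": ["SYN"], "0x10": ["ACK"], "0x12": ["SYN", "ACK"], "0x18": ["PSH", "ACK"],
}

def parse_flag_value(raw):
    """Accept an int or a hex string ('0x11' or '11'); format is an assumption."""
    if isinstance(raw, int):
        return raw
    return int(str(raw).strip(), 16)  # int() with base 16 tolerates a 0x prefix

def decode_tcp_flags(raw):
    """Bitwise decode: every set bit is named, whatever the combination."""
    value = parse_flag_value(raw)
    names = [name for bit, name in TCP_FLAG_BITS if value & bit]
    leftover = value & ~KNOWN_MASK
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)  # bits no row would ever cover
    return names

def lookup_tcp_flags(raw):
    """Static-table approach: None whenever the exact combination is absent."""
    return STATIC_LOOKUP.get("0x%02x" % parse_flag_value(raw))

def extract_tcp_flags(event):
    """Same gate as the eval in the issue: only DeviceNetworkEvents carry the field."""
    category = event.get("category") or event.get("body", {}).get("category")
    if category != "AdvancedHunting-DeviceNetworkEvents":
        return None
    fields = event["properties"]["AdditionalFields"]
    if isinstance(fields, str):  # AdditionalFields arrives as a JSON string here
        fields = json.loads(fields)
    raw = fields.get("Tcp Flags")
    return decode_tcp_flags(raw) if raw is not None else None

# Constructed sample event (not real Defender output): FIN+ACK is routine
# traffic, yet the static table above has no row for it.
SAMPLE_EVENT = {
    "category": "AdvancedHunting-DeviceNetworkEvents",
    "properties": {"AdditionalFields": json.dumps({"Tcp Flags": "0x11"})},
}
```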