How-To: Add ComputerName or UserName to Falcon search results
Not every Falcon Data Replicator (FDR) event includes a ComputerName or UserName field by default - however, it's possible to add those fields at the time of your query.
Version 1.1.1 of the FDR package includes a scheduled search that creates a .CSV lookup file every 3 hours, which can be used to look up the ComputerName via the aid field and the match() function. It's located on the Files page of the LogScale UI - if the scheduled search is running as expected, the file will be named fdr_aidmaster.csv.
Adding the ComputerName
To add the ComputerName field, simply add this to your query:
| match(file="fdr_aidmaster.csv", field=aid, include=ComputerName, ignoreCase=true, strict=false)
A more robust version can be saved as a search, then referenced in subsequent queries as a function:
// First look for events missing ComputerName.
//
| case {
    //
    // Identify any events that have an aid field but not a ComputerName field.
    // Note that neither of these branches overwrites the value if it already exists.
    //
    aid=* AND ComputerName!=*
    //
    // Grab the ComputerName from the aidmaster file.
    //
    | match(file="fdr_aidmaster.csv", field=aid, include=ComputerName, ignoreCase=true, strict=true);
    //
    // Assign the value NotMatched to anything else.
    //
    * | default(field=ComputerName, value=NotMatched);
}
If that were saved as AddComputerName, then it could be called in a query by using $"AddComputerName"().
Adding the UserName
The UserName field can be added via a join() query:
| join({#event_simpleName=UserLogon}, field=aid, include=UserName, mode=left)
This also shows the last known user on the aid in question - keep this in mind if there are multiple users over an extended timeframe, as it will only report the last user.
It can also be saved and called as a function, and is included in several of the example queries.
// Grab the UserName. This also excludes any of the generic Windows usernames.
//
default(field=UserName, value="NotMatched")
//
//
| join({#event_simpleName=UserLogon | UserName!=/(\$$|^DWM-|LOCAL\sSERVICE|^UMFD-|^$)/}, field=aid, include=UserName, mode=left)
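Putting the two enrichments above together, here is an added Python emulation (not LogScale code, and not part of the FDR package) of what the match() lookup and the join() do, run offline over constructed sample data: the aid lookup is case-insensitive, unmatched aids get NotMatched, and UserName is the last logon per aid after the page's regex has dropped the generic Windows accounts.

```python
import csv
import io
import re

# Constructed sample of fdr_aidmaster.csv as the scheduled search would write it
AIDMASTER_CSV = """aid,ComputerName
0a1b2c3d4e5f60718293a4b5c6d7e8f9,WKS-FINANCE-01
ffeeddccbbaa99887766554433221100,SRV-DC-02
"""

# Constructed FDR events: the first aid differs in case from the lookup file,
# the third aid is absent from it entirely
EVENTS = [
    {"aid": "0A1B2C3D4E5F60718293A4B5C6D7E8F9", "FileName": "powershell.exe"},
    {"aid": "ffeeddccbbaa99887766554433221100", "FileName": "svchost.exe"},
    {"aid": "00000000000000000000000000000000", "FileName": "cmd.exe"},
]

# Constructed UserLogon events in time order; the last real user per aid should win
USER_LOGONS = [
    {"aid": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "UserName": "alice"},
    {"aid": "ffeeddccbbaa99887766554433221100", "UserName": "SRV-DC-02$"},
    {"aid": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "UserName": "bob"},
    {"aid": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "UserName": "DWM-1"},
]

# Same pattern as the page's join() filter: machine accounts ending in $, DWM-*,
# LOCAL SERVICE, UMFD-* and empty names are treated as generic, not real users
GENERIC_USER = re.compile(r"(\$$|^DWM-|LOCAL\sSERVICE|^UMFD-|^$)")

def load_aidmaster(text):
    """Read the lookup file; keys are lower-cased to mimic ignoreCase=true."""
    return {r["aid"].lower(): r["ComputerName"] for r in csv.DictReader(io.StringIO(text))}

def last_user_by_aid(logons):
    """Last non-generic UserLogon per aid, i.e. the 'last known user' the join() reports."""
    last = {}
    for ev in logons:
        if not GENERIC_USER.search(ev["UserName"]):
            last[ev["aid"].lower()] = ev["UserName"]
    return last

def enrich(events, aidmaster, last_user):
    """Add ComputerName and UserName, defaulting to NotMatched and never overwriting."""
    out = []
    for ev in events:
        ev = dict(ev)
        key = ev["aid"].lower()
        ev.setdefault("ComputerName", aidmaster.get(key, "NotMatched"))
        ev.setdefault("UserName", last_user.get(key, "NotMatched"))
        out.append(ev)
    return out
```

The second host only ever logged a machine account, so it correctly ends up as NotMatched for UserName even though its ComputerName resolves.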