How-To: Add ComputerName or UserName to Falcon search results

Not every Falcon Data Replicator (FDR) event includes a ComputerName or UserName field by default - however, it's possible to add those fields at the time of your query.

Version 1.1.1 of the FDR package includes a scheduled search that creates a .CSV lookup file every 3 hours, and can be used to look up the ComputerName via the aid field and the match() function. It's located at the Files menu at the top of the LogScale UI - if the scheduled search is running as expected, the file will be named fdr_aidmaster.csv.

Adding the `ComputerName`

To add the ComputerName field, simply add this to your query:

logscale

| match(file="fdr_aidmaster.csv", field=aid, include=ComputerName, ignoreCase=true, strict=false)

A more robust version can be saved as a search, then referenced in subsequent queries as a function:

logscale

// First look for events missing ComputerName.
//
| case {
//
// Identify any events that have an aid field but not a ComputerName field.
// Note that neither of these overwrite the value if it already exists.
//
aid=* AND ComputerName!=*
//
// Grab the ComputerName from the aidmaster file.
//
| match(file="fdr_aidmaster.csv", field=aid, include=ComputerName, ignoreCase=true, strict=true);
//
// Assign the value NotMatched to anything else.
//
* | default(field=ComputerName, value=NotMatched);
  }

If that were saved as AddComputerName, then it could be called in a query by using $"AddComputerName"().

Adding the `UserName`

The UserName field can be added via a join() query:

logscale

| join({#event_simpleName=UserLogon}, field=aid, include=UserName, mode=left)

This also shows the last known user on the aid in question - keep this in mind if there are multiple users over an extended timeframe, as it will only be reporting the last user.

It can also be called as a function, and is included in several of the example queries.

logscale

// Grab the UserName. This also excludes any of the generic Windows usernames.
//
default(field=UserName, value="NotMatched")
//
//
| join({#event_simpleName=UserLogon | UserName!=/(\$$|^DWM-|LOCAL\sSERVICE|^UMFD-|^$)/}, field=aid, include=UserName, mode=left)

Knowledge Base