Best Practice: Omit _decimal and _readable dangling modifiers
When viewing Falcon data in Event Search, field names can sometimes end with strings like _decimal and _readable. Examples of this would be ProcessStartTime_decimal, TargetProcessId_decimal, UserSid_readable, etc.
The sensor doesn't actually send this data: these strings are appended to the target field after the event reaches the CrowdStrike Security Cloud. LTR (LogScale) does away with these now-extraneous bits. If you have Event Search queries that include _decimal or _readable field names, you can simply omit those dangling modifiers when using LogScale. For example, the Event Search fields UserSid_readable and TargetProcessId_decimal become UserSid and TargetProcessId:
#event_simpleName=ProcessRollup2 UserSid="S-1-5-18" TargetProcessId=8619187594
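The following is an added example, not code from CrowdStrike or the Falcon documentation, that rewrites a saved Event Search query into its LogScale form by stripping the _decimal and _readable modifiers from field names. It assumes the field appears directly before a comparison operator (=, !=, <, <=, >, >=), a separator (, ] or )) in a function argument list such as groupBy, or the end of the query, and it leaves quoted values untouched so that a value which happens to contain "_decimal" is not rewritten.

```python
import re

# Modifiers appended by the CrowdStrike Security Cloud after ingest; the
# sensor never emits them and LogScale field names do not carry them.
DANGLING_SUFFIXES = ("_decimal", "_readable")

# Double-quoted string literals (with backslash escapes) are values, not field
# names, and must never be rewritten.
_QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')

# A field identifier ending in one of the dangling modifiers, followed by a
# comparison operator, an argument-list separator or the end of the segment.
# The lazy prefix ensures only the trailing modifier is removed.
_FIELD_RE = re.compile(
    r"\b([A-Za-z_][\w.]*?)(?:_decimal|_readable)\b"
    r"(?=\s*(?:!=|<=|>=|=|<|>|,|\]|\)|$))"
)


def _rewrite_segment(segment: str) -> str:
    """Strip dangling modifiers from field names in an unquoted segment."""
    return _FIELD_RE.sub(r"\1", segment)


def _split_quoted(query: str):
    """Yield (is_quoted, text) chunks so quoted values can be preserved."""
    pos = 0
    for match in _QUOTED_RE.finditer(query):
        yield False, query[pos:match.start()]
        yield True, match.group(0)
        pos = match.end()
    yield False, query[pos:]


def strip_dangling_modifiers(query: str) -> str:
    """Return the LogScale form of an Event Search query.

    Field names such as TargetProcessId_decimal become TargetProcessId;
    text inside double quotes is copied through unchanged.
    """
    return "".join(
        text if quoted else _rewrite_segment(text)
        for quoted, text in _split_quoted(query)
    )


def find_dangling_modifiers(query: str) -> list:
    """List the field names (with modifier) that would be rewritten.

    Useful for reviewing a batch of saved searches before migrating them.
    """
    found = []
    for quoted, text in _split_quoted(query):
        if not quoted:
            found.extend(m.group(0) for m in _FIELD_RE.finditer(text))
    return found


if __name__ == "__main__":
    # Constructed sample: an Event Search query using the old field names.
    old_query = (
        '#event_simpleName=ProcessRollup2 UserSid_readable="S-1-5-18" '
        "TargetProcessId_decimal=8619187594"
    )
    print(find_dangling_modifiers(old_query))
    print(strip_dangling_modifiers(old_query))
```

The rewrite is deliberately conservative: a field name is only touched when its position in the query shows it is a field (before an operator or separator), so free-text search terms and quoted values pass through as written. Review the list returned by find_dangling_modifiers before committing a migrated search, since a saved query may also reference a field inside a function such as groupBy.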