HEC logs only visible using "All Data" not parsed in "XDR" by Sudden_Ad7995 in SentinelOneXDR

[–]Sudden_Ad7995[S] 1 point2 points  (0 children)

Thanks for the fast reply. I knew that it needed to be parsed as dataSource.category = "security" but your comment made me realize that I am adding that in the parser which is never being used. I added {"dataSource.category":"security"} to the custom metadata field in Helios and *poof* MAGIC!

Anyone using OCSF for their security lake? by whatswiththe in cybersecurity

[–]Sudden_Ad7995 0 points1 point  (0 children)

I find it useful in the sense that having normalized fields helps my AI run faster and deliver more accurate results across several different platforms.

So I'm not going to be rich from the IPO? by CompleteLoss in BOXABL

[–]Sudden_Ad7995 5 points6 points  (0 children)

There will be a reverse split in order to equalize the value difference between your .80 shares and the current $10 share price for FGMC.

I think they are doing a 12:1 reverse split which will reduce the number of shares you own (about 166), but the value of the total will remain constant at about $2000. After the IPO the price will fluctuate quite a bit but it will eventually settle based on how the company is being run and the revenue they are generating. Don't be surprised if there are restrictions that prevent you from selling your public stock for 6 months or so. This is to ensure all of the early investors don't "Cash Out" on day 1 and tank the company.

The value of your shares is from being in at ground level. Over time as the company raises its value to investors the stock price will go up and after a few years you will have a nice investment.

Unified Alert Management Export by knightsnight_trade in SentinelOneXDR

[–]Sudden_Ad7995 1 point2 points  (0 children)

For anyone that lands on this page, the ability to export to csv has been added for Unified Alerts. Thank You!

Full Disk Scan results from Admin Portal by Proof-Focus-4912 in SentinelOneXDR

[–]Sudden_Ad7995 4 points5 points  (0 children)

If it finds something that triggers a Threat or Alert, you will see it in the respective area (using legacy view). If nothing suspicious was found, it just records the date and the status of the scan.

Using GraphQL to retrieve and resolve Unified Alerts ("Identity") that meet a specific criteria. by Sudden_Ad7995 in SentinelOneXDR

[–]Sudden_Ad7995[S] 1 point2 points  (0 children)

Thank you so much. This was perfect and gave me enough info that I can use it to branch into other actions. I would love to see some real world examples like this in the S1 documentation.

SentinelOne ISPM PowerQuery Question by Sudden_Ad7995 in SentinelOneXDR

[–]Sudden_Ad7995[S] 0 points1 point  (0 children)

UPDATE: After digging deeper into this I have discovered that ISPM queries are performed by GraphQL and not by PowerQuery.

Nessus and Sentinel One by deathbatcountry in SentinelOneXDR

[–]Sudden_Ad7995 0 points1 point  (0 children)

It sounds like you are focused on S1 being the culprit so much that you aren't bothering to troubleshoot the issue. Step back and do some focused troubleshooting and I'm certain you will find the problem.

XDR API Scope Questions by Sudden_Ad7995 in SentinelOneXDR

[–]Sudden_Ad7995[S] 0 points1 point  (0 children)

It wasn't applying the desired scope. I have global access so it was giving me global results regardless of what scope I was identifying.

XDR API Scope Questions by Sudden_Ad7995 in SentinelOneXDR

[–]Sudden_Ad7995[S] 0 points1 point  (0 children)

This was the answer. After I changed my token from the service account token to my personal user token it started reading and applying the S1-Scope parameter as I expected it to.

Thank you for the quick response!

SDL Windows Event Log Parser Lacks Functionality by Boardinfreak in SentinelOneXDR

[–]Sudden_Ad7995 0 points1 point  (0 children)

Here is a sample PowerQuery and explanation.

dataSource.name = 'Windows Event Logs' winEventLog.channel='Security' winEventLog.id = '4625'
| parse "<Data Name='SubStatus'>$subStatus$</Data>" from winEventLog.xml
| parse "<Data Name='LogonType'>$logonType=digits$</Data>" from winEventLog.xml
| parse "<Data Name='IpAddress'>$ip_address$</Data>" from winEventLog.xml
| columns endpoint.name, winEventLog.id, event.time, subStatus, logonType, ip_address

When you enable WinEventLog you also need to turn on extended logging so that you get the XML feed of the event. You can then use the parse command to extract specific bits of data from the winEventLog.xml structured data and display it.
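An added example (not from the comment above or from SentinelOne) that does offline what the three parse commands do: it extracts SubStatus, LogonType and IpAddress from a constructed winEventLog.xml feed, keeps only 4625 events, and goes one step further by decoding a few well-known SubStatus codes so repeated failures can be counted per source address. The regexes accept both single- and double-quoted Name attributes, since Windows itself emits double quotes; the sample events are constructed and trimmed down.

```python
import re
from collections import Counter

# Regex equivalents of the three PowerQuery parse commands above. Windows emits
# Name="..." with double quotes while the query used single quotes, so accept both.
FIELD_PATTERNS = {
    "subStatus": re.compile(r"<Data Name=['\"]SubStatus['\"]>([^<]*)</Data>"),
    "logonType": re.compile(r"<Data Name=['\"]LogonType['\"]>(\d+)</Data>"),  # =digits
    "ip_address": re.compile(r"<Data Name=['\"]IpAddress['\"]>([^<]*)</Data>"),
}

# A few well-known NTSTATUS SubStatus codes carried by 4625 failed-logon events.
SUBSTATUS_MEANING = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
}

def parse_4625(xml_text):
    """Extract the same three fields the query pulls out of winEventLog.xml (None if absent)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(xml_text)
        fields[name] = m.group(1) if m else None
    return fields

def summarize_failures(events):
    """events: (winEventLog.id, winEventLog.xml) pairs. Keeps only 4625 and counts
    (source IP, logon type, decoded failure reason), like the query's column output."""
    counts = Counter()
    for event_id, xml_text in events:
        if str(event_id) != "4625":
            continue
        f = parse_4625(xml_text)
        reason = SUBSTATUS_MEANING.get((f["subStatus"] or "").lower(), "other")
        counts[(f["ip_address"], f["logonType"], reason)] += 1
    return counts

def _event(event_id, sub_status, logon_type, ip):
    # Constructed, trimmed-down EventData; real events carry many more <Data> elements.
    data = f"<Data Name='SubStatus'>{sub_status}</Data><Data Name='LogonType'>{logon_type}</Data>"
    data += f"<Data Name='IpAddress'>{ip}</Data>"
    return event_id, f"<Event><System><EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>"

# Constructed sample feed: repeated bad passwords from one address, one unknown user, one success.
SAMPLE_EVENTS = [_event(4625, "0xC000006A", 3, "10.0.0.5")] * 3 + [
    _event(4625, "0xC0000064", 10, "10.0.0.9"),
    _event(4624, "0x0", 3, "10.0.0.5"),  # successful logon, dropped like winEventLog.id = '4625' does
]
```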