Hi Team, we have two queries as mentioned below:
eventtype=cppm-fail-authentication cphost=* --> This gives me the list of failed authentications of users.
eventtype=cppm CPPM_Endpoint_Profile cphost=* hostname="*" * | table hostname,device_category, device_family, device_name, mac_vendor, mac_address, fingerprint, static_ip --> This gives me the profiling details of the device like mac, ip, os type, etc.
My requirement is that I want to combine both the queries so that we can get the device fingerprint details for failed authentication.
Try this:
(eventtype=cppm-fail-authentication OR eventtype=CPPM_Endpoint_Profile) cphost=* | table eventtype,hostname,device_category, device_family, device_name, mac_vendor, mac_address, fingerprint, static_ip
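Added example, not from the thread: the same enrichment done outside Splunk, matching each failed-authentication event to the endpoint-profile record that shares its mac_address, and flagging failures from devices that have no profile at all. The field names follow the thread's table command; the events are constructed samples, not real ClearPass output.

```python
# Correlate ClearPass failed-authentication events with endpoint-profile events
# on a shared key (mac_address), so each failure row carries the device fingerprint.
# Sample events are constructed for this example; field names mirror the thread.

PROFILE_FIELDS = ["device_category", "device_family", "device_name",
                  "mac_vendor", "fingerprint", "static_ip"]

FAILED_AUTH = [  # constructed: what the cppm-fail-authentication search returns
    {"eventtype": "cppm-fail-authentication", "cphost": "cppm01",
     "hostname": "lab-laptop-7", "mac_address": "AA:BB:CC:DD:EE:01"},
    {"eventtype": "cppm-fail-authentication", "cphost": "cppm01",
     "hostname": "unknown-device", "mac_address": "aa:bb:cc:dd:ee:99"},
]

PROFILES = [  # constructed: what the CPPM_Endpoint_Profile search returns
    {"eventtype": "CPPM_Endpoint_Profile", "hostname": "lab-laptop-7",
     "mac_address": "aa:bb:cc:dd:ee:01", "device_category": "Computer",
     "device_family": "Windows", "device_name": "Windows 10",
     "mac_vendor": "Intel Corporate", "fingerprint": "DHCP/HTTP",
     "static_ip": "false"},
]


def profile_index(profile_events, key="mac_address"):
    """Map normalised key -> profile event; the last event seen for a key wins."""
    idx = {}
    for ev in profile_events:
        k = ev.get(key)
        if k:
            idx[k.strip().lower()] = ev
    return idx


def enrich_failures(failed, profiles, key="mac_address"):
    """Attach profile fields to each failure; 'profiled' is False when no match exists."""
    idx = profile_index(profiles, key)
    rows = []
    for ev in failed:
        k = (ev.get(key) or "").strip().lower()
        prof = idx.get(k)
        row = {"hostname": ev.get("hostname"), key: ev.get(key), "profiled": prof is not None}
        for f in PROFILE_FIELDS:
            row[f] = prof.get(f) if prof else None
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in enrich_failures(FAILED_AUTH, PROFILES):
        print(row)
```

The second failure in the sample has no matching profile, which is the case worth surfacing separately: an unprofiled device failing authentication.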