Describe the bug

In the following search Batch File Write to System32 it's defined a join on process_guid, _time, however process_guid is not a defined field in either of the subsearches.

Expected behavior

process_guid needs to be added to the by part of both the Filesystem search and Processes search

Looks like the bulk update I did for proc_guid -> process_guid a few months ago missed this one.

My local search is configured as you suggest already, I'll probably make a pull request to correct the issue.

Standby