diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 7cd3ddf..baccf76 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -2,7 +2,7 @@
 title: Splunk Threat Hunting
 layout: page
 date: 2025-01-15
-updated: 2025-06-30
+updated: 2025-07-11
 ---
 
 Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@@ -535,7 +535,8 @@ index="defender" sourcetype="ms365:defender:incident:alerts"
 | eval created=strptime(createdDateTime." +0000", "%Y-%m-%dT%H:%M:%S.%QZ %z")
 ```today```
 | where created>=relative_time(now(), "@d")
-| rename evidence{}.* AS *, fileDetails.* AS *, userAccount.* AS *
+| rename evidence{}.* AS *, fileDetails.* AS *, userAccount.* AS *, loggedOnUsers{}.accountName AS loggedOnUser
+| eval accountName=coalesce(accountName, loggedOnUser)
 | lookup ad_users sAMAccountName AS accountName OUTPUT displayName AS accountUser
 | lookup cmdb_ci_list_lookup dv_name AS hostName OUTPUT dv_assigned_to AS lastActiveUser
 | eval Time=strftime(created, "%Y-%m-%d %H:%M:%S %z"), "Last Updated"=strftime(_time, "%Y-%m-%d %H:%M:%S %z"), evidence=if(isnotnull(sha1), mvindex(filePath,0)."\\".mvindex(fileName,0), coalesce(url, processCommandLine, "")), hostName=if(hostName=="null", deviceDnsName, hostName), evidenceType=if(isnotnull(url), "#microsoft.graph.security.urlEvidence", "#microsoft.graph.security.fileEvidence"), remediationStatus=mvindex(remediationStatus, mvfind('@odata.type', evidenceType))