Sometimes we find that we have values in our fields that we just want to count. For instance, perhaps we have a bunch of commands chained together with && and we want to figure out how many of them there are. Let's take a look at the strings.count_substrings function to learn how we can generate a value that can be used with rules and searches in Google SecOps!
strings.count_substrings counts how many times a given substring (the pattern) occurs within a specified field or variable and returns that count as an integer. The function takes two arguments: first the field or variable to be examined, then the pattern to match.
This function can be used in a search or rule to narrow the dataset, either by placing it in the filtering statement of a search or in the events section of a rule, or it can be used in the outcome section. One example use case for counting substrings is to focus on command switches used by an adversary when multiple commands are stitched together into a single process launch, and to use that count to identify anomalous activity.
Follow along in the video to see how we can apply this function in our searches and rules.
The strings.count_substrings function gives us the ability to generate an integer value from the number of occurrences of a provided pattern found within a string. The syntax requires both the field or variable and the pattern. Depending on where the function is used, it may need an aggregation function such as max or sum prepended to it along with an outcome variable, or its result can be used in the condition section of a rule as a threshold value.
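To tie the use case and the placement options together, here is an added example rule (not from the post or its video) that uses strings.count_substrings in the events section as a filter, in the outcome section behind max and sum, and as a threshold in the condition. It assumes the UDM fields target.process.command_line and principal.hostname are populated by your process launch source, and the thresholds and rule name are arbitrary choices for illustration.

```yaral
rule chained_command_count_example {
  meta:
    author = "added example, not part of the original post"
    description = "Process launches whose command line chains several commands with && or ;"
    severity = "LOW"

  events:
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.hostname = $hostname

    // Used as a filter in the events section: keep only launches whose
    // command line contains at least two "&&" separators.
    strings.count_substrings($launch.target.process.command_line, "&&") >= 2

  match:
    // Group the matching launches per host over a one hour window.
    $hostname over 1h

  outcome:
    // Because match groups several events, the function result must be
    // wrapped in an aggregation (max, sum, ...) when assigned to an outcome.
    $max_chained = max(strings.count_substrings($launch.target.process.command_line, "&&"))
    $total_semicolons = sum(strings.count_substrings($launch.target.process.command_line, ";"))
    $launch_count = count($launch.metadata.id)

  condition:
    // The outcome variable acts as the threshold here (example value).
    $launch and $max_chained >= 3
}
```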
Check out these additional resources with more information and learning opportunities: