Getting to Know Google SecOps: String Function: String Lengths

We've talked about counting substrings previously, but suppose we want to count the number of characters in a string. Perhaps we want to analyze the length of a user agent or a command line and inspect excessively long (or short) values. Let's take a look at the strings.length function to learn how we can generate a value that can be used with rules and searches in Google SecOps!

[Image: Strings Function - Length]

The function strings.length counts the number of characters in a string field and outputs an integer value. The syntax is very straightforward: just provide the field or variable whose length you want counted. This function can be used in a search or rule to reduce our data set by placing it in the filtering statement of a search or in the events section of a rule, or it can be used in the outcome section of a rule to perform a statistical function on the integer output. Common use cases for the length function include measuring command lines, user agent strings and DNS queries for anomalous values based on their string length.

Follow along in the video to see how we can apply this function to our searches and rules.

strings.length gives us the ability to generate an integer value based on the number of characters in a string and then apply additional criteria to that value. Just remember that, depending on where the function is used, it may need to be wrapped in an aggregation function like max or min and assigned to an outcome variable, or it could be used as a threshold value in the condition section of a rule.
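As an added example (not from the original post), here is a YARA-L 2.0 rule that puts strings.length in all three places described above: as a filter in the events section, inside max() in the outcome section, and as a threshold in the condition section. The rule name, the 1000 and 2000 character thresholds and the one-hour window are assumptions chosen for illustration; tune them to your own baseline of command-line lengths.

```yara-l
rule long_command_line_per_host {
  meta:
    author = "example"
    description = "Flags hosts launching processes with unusually long command lines"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $host
    $e.principal.process.command_line = $cmd

    // Filter in the events section: keep only command lines longer than
    // 1000 characters (assumed threshold). The same expression works as a
    // filter in UDM search.
    strings.length($cmd) > 1000

  match:
    // Group matching events per host over a one-hour window (assumed)
    $host over 1h

  outcome:
    // Aggregation is required here because the match section groups
    // several events: record the longest command line seen and how many
    // events exceeded the events-section filter.
    $max_cmd_len = max(strings.length($cmd))
    $event_count = count($e.metadata.id)

  condition:
    // Use the outcome variable as a second threshold: only alert when the
    // longest command line on the host exceeded 2000 characters (assumed).
    $e and $max_cmd_len > 2000
}
```

The events-section filter reduces the data set before aggregation, while the condition-section threshold lets you alert on the extreme values without discarding the lower ones from the outcome statistics.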

[Image: Strings Function - Length (1)]

Last update: 10-23-2024 08:00 AM