Counting the number of occurrences of a specific string

I'm trying to generate a search on the number of times a credential has been automatically rotated using our password vaulting solution (Thycotic). I need to generate a column with a count of this specific string:

metadata.description = "SECRET - SECRETPASSWORDCHANGED"

I've tried adding it to the outcome section in this format:

outcome:
$use_count = count($secret_accessed)
$reset_count = count(metadata.description = "SECRET - SECRETPASSWORDCHANGED")

But it throws an error. I tried using the strings.count_substrings function but the results seem to be inaccurate:

outcome:
$use_count = count($secret_accessed)
$reset_count = count(strings.count_substrings(strings.to_lower(metadata.product_event_type), "/SECRETPASSWORDCHANGE"))

I'm guessing I'm missing something obvious, but any help would be greatly appreciated; below is the full string.

events:
metadata.log_type = "thycotic" AND (metadata.product_event_type = "SECRET - COPY" OR metadata.product_event_type = "SECRET - LAUNCH" OR metadata.product_event_type = "SECRET - VIEW" OR metadata.product_event_type = "SECRET - PASSWORD_DISPLAYED")
target.file.full_path = $secret_accessed

match:
$secret_accessed

outcome:
$use_count = count($secret_accessed)
$reset_count = count(strings.count_substrings(strings.to_lower(metadata.product_event_type), "/SECRETPASSWORDCHANGE"))
$reset_count = count(metadata.description = "SECRET - SECRETPASSWORDCHANGED")

order:
$reset_count desc
ACCEPTED SOLUTION

I don't have your dataset to replicate, but I think this method might solve what you are shooting for. The concept of searching within a field/variable for a string would be handled with an if/then statement, so if we do that with an output of 0 or 1, we can then go ahead and sum those values to get the number of rows that match the string specified...


events:
metadata.event_type = "PROCESS_LAUNCH"
match:
metadata.event_type
outcome:
$ev = count(metadata.event_type)
$wmi_count = sum(if(target.process.command_line = /wmiprvse/, 1, 0))

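The accepted answer's sum(if()) approach carried back onto the Thycotic query from the question, as an added example that is not code from either poster. It assumes the rotation event is parsed with metadata.description = "SECRET - SECRETPASSWORDCHANGED" as the asker describes, and it widens the events filter so those rows are actually in the set being counted: the original filter admitted only the four access event types, so any reset counter over it would always come out as 0.

```yaral
events:
  // Constructed example. The filter must admit the rotation events as well,
  // otherwise no row in the match group can ever count as a reset.
  metadata.log_type = "thycotic"
  (
    metadata.product_event_type = "SECRET - COPY" OR
    metadata.product_event_type = "SECRET - LAUNCH" OR
    metadata.product_event_type = "SECRET - VIEW" OR
    metadata.product_event_type = "SECRET - PASSWORD_DISPLAYED" OR
    // Assumed label for an automatic rotation; confirm against your parsed data.
    metadata.description = "SECRET - SECRETPASSWORDCHANGED"
  )
  target.file.full_path = $secret_accessed

match:
  $secret_accessed

outcome:
  // Each access row contributes 1, every other row 0; summed per secret.
  $use_count = sum(if(metadata.product_event_type = /SECRET - (COPY|LAUNCH|VIEW|PASSWORD_DISPLAYED)/, 1, 0))
  // Same if/then trick keyed on the rotation description.
  $reset_count = sum(if(metadata.description = "SECRET - SECRETPASSWORDCHANGED", 1, 0))

order:
  $reset_count desc
```

A secret that was accessed but never rotated in the window now shows $reset_count = 0 rather than being dropped, which is usually the row worth looking at.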
