This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

Dashboard Regex

Posted on 09-26-2024 08:38 AM
JaredBloomberg
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

Does anyone know if there is a way to use regex within visualizations in the SIEM dashboards? Looker Studio has the 'REGEXP_EXTRACT' function which is exactly what I need but I gather that that is not what the SIEM dashboards are based off of? 

Solved Solved
0 2 303
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

the Native SIEM dashboards use looker embedded, whereby a lot of the functions do exist, unfortunately REGEXP_EXTRACT doesn't. Depends on your use case, if it's for filtering you can use a 'matches advanced' and refer to the following reference ->  https://cloud.google.com/looker/docs/filter-expressions

For example, in the below i've got an advanced filter for within the Rule Detections explore, the column 'rule_name' with the expression 'G%' indicating that it filters out rule_name's that don't start with 'G'.

Without Advanced Filter:

AymanC_1-1727374459405.png

 

With Advanced Filter:

AymanC_0-1727374426071.png

However, if it's more to do with table calculations, the closest i've come across to achieving regex is the below example use case. use a combination of 'if' and 'contains'.

if(contains(${rule_detections__detection.rule_name}, "gct"), ${rule_detections__detection.rule_name}, "Doesn't contain gct")

AymanC_2-1727374593741.png

 



If the rule name contains (wide regex search) 'gct' to populate the column with the rule name, else populate it with 'Doesn't contain gct'

AymanC_3-1727374618665.png


Depending on your use case, if you're trying to extract certain text that are of a certain length you can look into using the likes of substring and position, with length for more complicated use cases.

Hope this helps!

Kind Regards,

Ayman C

 

View solution in original post

Jump to Solution
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

the Native SIEM dashboards use looker embedded, whereby a lot of the functions do exist, unfortunately REGEXP_EXTRACT doesn't. Depends on your use case, if it's for filtering you can use a 'matches advanced' and refer to the following reference ->  https://cloud.google.com/looker/docs/filter-expressions

For example, in the below i've got an advanced filter for within the Rule Detections explore, the column 'rule_name' with the expression 'G%' indicating that it filters out rule_name's that don't start with 'G'.

Without Advanced Filter:

AymanC_1-1727374459405.png

 

With Advanced Filter:

AymanC_0-1727374426071.png

However, if it's more to do with table calculations, the closest i've come across to achieving regex is the below example use case. use a combination of 'if' and 'contains'.

if(contains(${rule_detections__detection.rule_name}, "gct"), ${rule_detections__detection.rule_name}, "Doesn't contain gct")

AymanC_2-1727374593741.png

 



If the rule name contains (wide regex search) 'gct' to populate the column with the rule name, else populate it with 'Doesn't contain gct'

AymanC_3-1727374618665.png


Depending on your use case, if you're trying to extract certain text that are of a certain length you can look into using the likes of substring and position, with length for more complicated use cases.

Hope this helps!

Kind Regards,

Ayman C

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
JaredBloomberg
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

It's not exactly what I was looking for but should be close enough for me to make it work, thank you very much!

Jump to Solution
Top Solution Authors
View all