This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How to retrieve data from reference list if matching with UDM

Posted on 12-12-2024 07:03 AM
skadav
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hello All,

I am looking to retrieve data from a Reference List in Chronicle if it matches a UDM value during a stat search query. For example, if my UDM value is username=suraj, I want to query the Reference List and retrieve any entries that match suraj.

Could you guide me on how to achieve this or provide an example of the appropriate query syntax?

 

0 6 401
Topic Labels
0 Likes
6 REPLIES 6

Posted on --/--/---- --:-- AM
nelsonlam
Staff
Reply posted on --/--/---- --:-- AM

can you try something like "principal.user.username = "username" AND principal.user.username IN reference_list"

0 Likes

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @skadav,

If you wanted to do something cooler (below is based on IP), you could do the below POC.

AymanC_0-1734047932387.png

AymanC_1-1734047976236.png

metadata.log_type = "EXTRAHOP_DNS"
principal.ip = $IP
match:
    $IP
outcome:
$In_Reference_List = array_distinct(if($IP in %AymanC_IP, "YES", "NO"))

Alternatively, the below will only show the events within the reference list

AymanC_2-1734048097950.png

 

 

metadata.log_type = "EXTRAHOP_DNS"
principal.ip = $IP
$IP in %AymanC_IP 
match:
    $IP

outcome:
$Event_Count = count_distinct(metadata.id)
$Max_Event_Timestamp = max(metadata.event_timestamp.seconds)
$Min_Event_Timestamp = min(metadata.event_timestamp.seconds)

 Kind Regards,

Ayman

0 Likes

Posted on --/--/---- --:-- AM
skadav
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Thank you for suggestions @nelsonlam  and @AymanC 

But, I am primarily looking to retrieve matching data from the reference list, rather than identifying data on the console that matches the reference set.

to elaborate more,

I am planning to store below in Reference list:
username=suraj kadav;designation=security platform engineer; location=remote;etc;etc 
username=demo test;designation=testing; location=remote;etc;etc 

and once I ran stat query:

user != "" and principal.user.userid in regex %Log_Source_Type
$user = principal.user.userid
match:
    $user
outcome:
    $info = (info from Reference List)
the output should look like:
skadav_0-1734078378809.png

 

0 Likes

Posted on --/--/---- --:-- AM
gkush
Staff
In response to skadav
Reply posted on --/--/---- --:-- AM

Hi skadav,

Reference Lists don't support multi-dimensions. Their upcoming replacements, Data Tables, do. You should be able to do what you want then. I'm not sure how the mechanics will work just yet?  Maybe your $info in the outcome field will work via a strings_concat function?  You might also be able to join on the data table in the Events section (up top). This is me guessing since I haven't played with it enough yet to know exactly I'd make that work.

Posted on --/--/---- --:-- AM
mwisener
Bronze 3
Bronze 3
In response to gkush
Reply posted on --/--/---- --:-- AM

Are there any docs written up on this yet or a pre-GA preview option available for those of us that would want to test "data tables" -- This is the first i've heard of a replacement for reference lists and I can't find anything in the API docs etc about them.

Thanks!

0 Likes

Posted on --/--/---- --:-- AM
gkush
Staff
Reply posted on --/--/---- --:-- AM

Nothing yet.  When it's put out in public preview there will be docs visible on this page: https://cloud.google.com/chronicle/docs/preview

I suggest you create an alert to monitor it.

0 Likes
Top Solution Authors
View all