This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Obtaining byte size by event type and ingestion labels

Posted on 04-17-2025 04:54 PM
AJMSecOps
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hello,

I run YARA-L queries in the SecOps Native Dashboards to obtain variety of metrics. In this case, I am trying run a query that returns byte size for Defender logs, but broken down by product event type (e.g. DeviceProcessEvents) and ingestion label; since we have multiple feeds for certain event types and I'd like to check on a per feed basis. Is there any guidance on what syntax I could use for bytes?

Thank you

Solved Solved
1 2 194
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cmorris
Staff
Reply posted on --/--/---- --:-- AM

You could use ingestion.log_volume (https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema), but the capability to join two separate data sources - ingestion and event - in native dashboards does not exist today, so I don't think you will be able to break this down by product event types.

I used this query in the native dashboards to generate the below screenshot:

ingestion.log_type = /DEFENDER/

match:
    ingestion.log_type, ingestion.collector_id 

outcome:
    $bytes = sum(ingestion.log_volume)

cmorris_0-1744993905416.png

If you are not ingesting Defender via the collector, like I am in this example, you'll want to update ingestion.collector_id in the match section. Ex. use ingestion.feed_id

View solution in original post

Jump to Solution
2 REPLIES 2

Posted on --/--/---- --:-- AM
cmorris
Staff
Reply posted on --/--/---- --:-- AM

You could use ingestion.log_volume (https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema), but the capability to join two separate data sources - ingestion and event - in native dashboards does not exist today, so I don't think you will be able to break this down by product event types.

I used this query in the native dashboards to generate the below screenshot:

ingestion.log_type = /DEFENDER/

match:
    ingestion.log_type, ingestion.collector_id 

outcome:
    $bytes = sum(ingestion.log_volume)

cmorris_0-1744993905416.png

If you are not ingesting Defender via the collector, like I am in this example, you'll want to update ingestion.collector_id in the match section. Ex. use ingestion.feed_id

Jump to Solution

Posted on --/--/---- --:-- AM
AJMSecOps
Bronze 1
Bronze 1
In response to cmorris
Reply posted on --/--/---- --:-- AM

Thank you; this worked very well.

Jump to Solution
Top Solution Authors
View all