This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Rule detection search

Posted on 04-04-2025 08:19 AM
Tonio
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

Hello everyone!

Looking at the detections for a specific rule, it gives you back only a specific timeframe, like last months or so.

I cannot set any other specific time window for the search, nor filters on other fields.

A couple of examples:

-  I see a rule has been triggered like 100 times in January (3 months ago), I see notghing at all.

- I am checking a draft rule with more than 10.000 detection, need to focus on a specific day. I can't, because that day is outside the first 10.000 shown in the panel

Is it just me missing some peculiar button or function? Shouldn't be possible to "search" on the detections as we do on the events?

 

A

Solved Solved
0 11 221
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
cmorris
Staff
In response to cmorris
Reply posted on --/--/---- --:-- AM

An example:

$rule_name = detection.detection.rule_name

match:
    $rule_name

outcome:
    $log_types = array_distinct(detection.collection_elements.references.event.metadata.log_type)
    $count = count(detection.id)

order:
    $count desc

 

cmorris_1-1743787055564.png

View solution in original post

Jump to Solution
11 REPLIES 11
Top Solution Authors
View all