SIEM search query on key:value

keso · 11-27-2024 03:24 AM

Hello, when searching for an event, how can I join the value of the key and its value? For example, I have the next two events, but I'd like to search only those that are res_kind = Deployment

Event 1:

...

about[0].labels[1].key: "res_kind"

about[0].labels[1].value: "Deployment"

about[0].labels[2].key: "operation_first"

about[0].labels[2].value: "true"

...

Event2:

...

about[0].labels[1].key: "res_kind"

about[0].labels[1].value: "Service"

about[0].labels[2].key: "operation_first"

about[0].labels[2].value: "true"

...

When running with the same value, it does not work:

It should be generic, so it would be something like:

about.labels.key = "res_kind" and about.labels.value = "Deployment"

but then any of the about.labels.value would have "Deployment" and not the one with the res_kind in the key

Thank you!

AymanC

Hi @keso,

Does the below work for you:

about.labels["res_kind"] = "Deployment"

Kind Regards,

Ayman

RanjithHegdeK

Hello,

You can search for key-value pairs using the syntax, fields["key"]="value". This approach is applicable for crafting SIEM searches and detection rules.

example:

1. additional.fields["pod_name"] = "kube-scheduler"
2. metadata.ingestion_labels["MetadataKeyDeletion"] = "startup-script"

3. principal.labels["SubjectLogonId"] = $subject

Reference: https://cloud.google.com/chronicle/docs/investigation/udm-search

Thanks

jstoner

Be mindful that the case of the the key is sensitive so with a key of Task, you will need a capital T otherwise you won't get results.

metadata.event_type = "PROCESS_LAUNCH" and about.labels["Task"] = "13312"

If you extend it to a rule, a join on like key/value pairs would look like this...

$e.metadata.event_type = "PROCESS_LAUNCH"
$e.about.labels["Task"] = $task
$e.principal.hostname = $hostname

$e1.metadata.event_type = "PROCESS_LAUNCH"
$e1.about.labels["Task"] = $task
$e1.principal.hostname = $hostname