Not sure why I am having such a difficult time trying to figure this out, but if I'm running a particular UDM Search and I want to set the results to return values greater than a minimum number (say 3), how would you go about this?
Example: Return results when $event_count > 3
metadata.vendor_name = "Okta" nocase
metadata.product_event_type = "user.authentication.auth_via_richclient"
principal.user.userid = $userId
match:
  $userId
outcome:
  $event_count = count($userId)
  $application = array_distinct(target.application)
  $summary = array_distinct(security_result[0].summary)
  $user_ip = array_distinct(principal.asset.ip[0])
  $threat_result = array_distinct(security_result[0].action[0])
order:
  $event_count desc
Hi @Fr4n2pirit
It appears you are trying to do a statistics and aggregates search. Within this search there are no "condition"-like capabilities. Therefore, for this use case you could create a variable and do a "count_distinct" based on metadata.id, and then order that variable descending, ensuring you're matching over a value.
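The poster's search rewritten along the lines of the reply, as an added example that is not part of the original thread. It assumes the search editor accepts `//` comments; since there is no condition section, rows with three or fewer events still appear, but the descending order puts the users you care about at the top.

```udm
// Added example, not from the original thread: the poster's search with the
// event count taken from metadata.id, as suggested in the reply.
// Statistics search has no condition section, so rows with $event_count <= 3
// still appear; the descending order pushes them to the bottom.
metadata.vendor_name = "Okta" nocase
metadata.product_event_type = "user.authentication.auth_via_richclient"
principal.user.userid = $userId
match:
  $userId
outcome:
  // each UDM event has a unique metadata.id, so this counts events per user
  $event_count = count_distinct(metadata.id)
  $application = array_distinct(target.application)
  $summary = array_distinct(security_result[0].summary)
  $user_ip = array_distinct(principal.asset.ip[0])
  $threat_result = array_distinct(security_result[0].action[0])
order:
  $event_count desc
```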