help with Query

Hi 

Has anyone experienced this issue? This field, when copied or exported, will show as security_result.action


The challenge as a result is that when I am writing the query in SIEM search

security_result.action != "QUARANTINE"

the above logs (security_result[1].action[0]:"QUARANTINE") are not getting captured. If I type security_result[1].action[0] != "QUARANTINE" in SIEM search it throws an error message.
 
What should be the query in such cases?
2 ACCEPTED SOLUTIONS

Hi @rahul7514,

This is a repeated field[1], a field type within the Unified Data Model (UDM) that can store multiple values in a key (array). What you can do is use keywords to satisfy a condition for a value within a repeated field. These two keywords are 'any' and 'all', and you would call them using the UDM field like so:

 

any security_result.action = "QUARANTINE"

 

[1] -  https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#repeated_fields

Kind Regards,

Ayman


Some additional context on top of @AymanC's comment above. The concept of ANY/ALL is now available within UDM search, as it previously was in rules. Until recently, there was an offset between the search behavior on repeated fields and that of rules, so this capability was aligned.

We have had a recent ticket opened about this behavior with enum fields (like action) that our team is looking into, but the general rule of thumb here is that you would use ANY with = and ALL with != for folks who have not used this before.

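To make the 'any'/'all' distinction from the two accepted answers concrete, here is an added example that is not code from this thread and not Google SecOps / Chronicle code: a small Python evaluator that quantifies a comparison over a repeated UDM field the way the keywords are described above, run against a handful of constructed UDM-like events. The event shape (a list of security_result objects, each holding a list of actions) mirrors the security_result[1].action[0] path in the question; the ids, values and the `run`/`matches`/`collect` helpers are assumptions made for the example.

```python
# Added example, not code from the original thread and not Google SecOps / Chronicle
# code: a small evaluator that mimics how the UDM search keywords `any` and `all`
# quantify over a repeated field such as security_result.action. The events below
# are constructed; their shape (a list of security_result objects, each holding a
# list of actions) mirrors the security_result[1].action[0] path from the question.
from typing import Any, Dict, List

# Constructed UDM-like events. "a" is the case from the question: the second
# security_result carries QUARANTINE while the first does not.
EVENTS: List[Dict[str, Any]] = [
    {"id": "a", "security_result": [{"action": ["ALLOW"]}, {"action": ["QUARANTINE"]}]},
    {"id": "b", "security_result": [{"action": ["ALLOW"]}]},
    {"id": "c", "security_result": [{"action": ["QUARANTINE"]}]},
    {"id": "d"},  # constructed edge case: no security_result at all
]


def collect(node: Any, path: List[str]) -> List[Any]:
    """Walk a dotted UDM path and flatten every repeated (list) level on the way.

    For path ["security_result", "action"] this returns every action of every
    security_result, which is the set of values the quantifier ranges over.
    """
    if isinstance(node, list):
        found: List[Any] = []
        for item in node:
            found.extend(collect(item, path))
        return found
    if not path:
        return [node]
    if isinstance(node, dict) and path[0] in node:
        return collect(node[path[0]], path[1:])
    return []


def compare(value: Any, op: str, target: Any) -> bool:
    """The two comparison operators discussed in the thread."""
    if op == "=":
        return value == target
    if op == "!=":
        return value != target
    raise ValueError(f"unsupported operator {op!r}")


def matches(event: Dict[str, Any], quantifier: str, field: str, op: str, target: Any) -> bool:
    """Evaluate `<quantifier> <field> <op> <target>` against one event.

    `any`: at least one element of the repeated field satisfies the comparison.
    `all`: every element satisfies it. An event with no values at all never
    matches; that is a convention of this toy only, the thread does not say how
    the real engine treats a missing field.
    """
    values = collect(event, field.split("."))
    if not values:
        return False
    hits = [compare(v, op, target) for v in values]
    if quantifier == "any":
        return any(hits)
    if quantifier == "all":
        return all(hits)
    raise ValueError(f"unsupported quantifier {quantifier!r}")


def run(quantifier: str, field: str, op: str, target: Any) -> List[str]:
    """Return the ids of the constructed events that satisfy the query."""
    return [e["id"] for e in EVENTS if matches(e, quantifier, field, op, target)]


if __name__ == "__main__":
    for q, op in (("any", "="), ("any", "!="), ("all", "="), ("all", "!=")):
        ids = run(q, "security_result.action", op, "QUARANTINE")
        print(f'{q} security_result.action {op} "QUARANTINE" -> {ids}')
```

Running it shows why the rule of thumb in the second answer (ANY with =, ALL with !=) is the useful pairing: `any ... = "QUARANTINE"` returns events a and c, i.e. every event with at least one quarantine anywhere in the array, while `all ... != "QUARANTINE"` returns only b, the event with no quarantine at all. The other two combinations are the ones that surprise people: `any ... != "QUARANTINE"` still returns event a, because its first security_result has a non-quarantine action, which is exactly how an event with QUARANTINE at index 1 can slip past a negated filter.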
