This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

UDM Querry Function for Chronicle

Posted on 02-19-2023 01:29 AM
mccrilb
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

I have been working with the new UDM Querry Function for Chronicle. It doesn't look like the NOCASE statement works.

0 2 92
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
mccrilb
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

It looks like that our system had an issue. Shortly after I posted this we needed to have a reboot. After the reboot not only does nocase work, but so does regex.


We added this to our phishing playbooks. We take the sender, regex the subject and return all users (this includes the BCC) that received the email. We use the output to search exchange and move all copies of the email to the users deleted folder

0 Likes

Posted on --/--/---- --:-- AM
shakedtal
Staff
Reply posted on --/--/---- --:-- AM

Thank you so much for sharing @mccrilb ๐Ÿ™

0 Likes
Top Solution Authors
View all