About jstoner

jstoner

"New to Google SecOps" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Pl...

jstoner

New to Google SecOps" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Pla...

jstoner

"New to Google SecOps" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Pl...

jstoner

Our previous blogs on metrics (Part 1), (Part 2), (Part 3) have taken us step by step deeper into metrics and the function that unlocks its capabilities within a YARA-L rule. Today, we are going to cover the final portions of the metrics function and...

jstoner

"New to Google SecOps" is a deep-dive series by Google Cloud Principal Security Strategist John Stoner which provides practical guidance for security teams that are either new to Security Operations Platforms or replacing their Security Operations Pl...

jstoner

To put together the example in the blog, I used the test rule function. However that only allows me to run 2 weeks worth of data to test my rule. In the example shown, I am showing a detection each day with a metric of max byte count for the previous...

jstoner

The metrics syntax currently supports two different windows, 30 days and today. Perhaps down the road other windows may become available. The 30 day window is calculated based on the whichever day the metric ran and went back 30 days. That set of val...

jstoner

> For all rules that contain a match section, we need to aggregate each of the non-constant outcome variable statements, which is why we need to have the aggregation function of max (or min) on the front of the metric. - Do you mean, for all the rule...

jstoner

The metric period of 1 day and window of 30 days means that a metric, in the example in the blog, of the maximum sum of the outbound network bytes is calculated for that day n - 30 days. Then the next day, the calculation is performed on that day bac...

jstoner

One more thing, having gone back and looked at a few other examples in the other blogs in this series, the metrics that do not require the aggregation function prepended are the ones that contain metric: value_sum and do not contain an additional fil...

My Stats

gonzalezruben's Bio

Badges jstoner Earned

Recent Activity

New to Google SecOps: Formatting, Filtering and Sharing Dashboards

New to Google SecOps: Building Dashboards Using Custom Fields

New to Google SecOps: Dashboarding - Using Pivot to Create a Time Chart

New to Google SecOps: Using Metrics in YARA-L Rules (Part 4)

New to Google SecOps: Dashboarding - Tabular Summary of Detections

Re: metrics - data is being bucketed on a daily basis across a window of 30 days.

Re: metrics - data is being bucketed on a daily basis across a window of 30 days.

Re: Aggregate functions in metrics

Re: metrics - data is being bucketed on a daily basis across a window of 30 days.

Re: Aggregate functions in metrics