Many customers have used various API scripts to extract job results from
MSV to facilitate results reporting. One method that is much quicker
than using the jobs API is the search API. The search API is what is
used by Report Builder and it pulls bac...
New content is constantly being added to MSV as new malware, attack
methods, etc. are discovered by Google. As such, customers would like to
be able to quickly get information on the new content without having to
go to the library and filter down to ...
One common use case that I have seen at several customers is that they
want their SecOps or Operations folks to have the ability to monitor that
MSV Actors are up and available. To prevent false alarms, a script was
created to "ping" the actors. The scr...
Probably the most asked question in all of Mandiant Security Validation.
In over 4 years, this question has been asked by customers I work with
hundreds of times. While there are a hundred possible reasons the log
wasn't matched to the action, there's ...
Shells, shells and more shells! Do's and don'ts for creating Host CLI Actions
The Mandiant Security Validation (MSV) platform is distinctly
different from attack simulation technologies. Security validation
includes vast integrations with defensive t...
This one is actually pretty simple. Just iterate through the IP list and
add them to the UDM field one at a time.
if [IP] != "" {
  for myIP in AUDIT_SOURCE_IP {
    mutate {
      merge => { "event.idm.read_only_udm.principal.ip" => "%[myIP]" }
      on_error => "zer...
This is a good way to walk through an array of values.
rule check_array_values {
  meta:
    author = "Your Name/Organization"
    description = "Checks if all values in a specific array field match expected values."
    severity = "LOW" # Adjust severity as neede...
Here's a way to pull the latest event and see how old it is.
rule LatestEventComparison {
  meta:
    description = "Detects if the latest event from a datasource is older than a specified threshold."
    author = "Your Name"
    version = "1.0"
  events:
    $event.met...
I usually go into Report Builder and just create a data table to show me
what fields are available and/or what fields I want. Check out this
screenshot: The request data is what I need to get those fields
back.