have you considered using Coalesce?

```
$execution.metadata.vendor_name = "some-vendor" // good practice
$sha256 = strings.coalesce(
  $execution.target.process.parent_process.file.sha256,
  $execution.target.process.file.sha256, $execution.target.file.sha256
)
$...
```
Hey Emmie, Ingestion related alerting is done from the Google Cloud
console using Cloud Monitoring. More info can be found here at Set up
ingestion notification for health metrics.
Hey @asinghz297 You can try a combination of Lists and If() statements
in the `Outcome:` section. Create a List of all High priority Security
groups. Then, make your $risk_score dynamic by adding the following in
the Outcome section: $risk_score = su...
Greetings Aravind, Can you provide some relevant logs/detections for the
issue you're having? Your logic looks good and I ran your logic in a demo
environment and I am not seeing any issue. Also, as a note: Please
consider using a state as well as a coun...
I believe that the UDM field target.ip is limited to metadata.event_type
= *_NETWORK, NETWORK_*, STATUS_UPDATE or similar. Per your YARA-L rule
the UDM field target.process.file.full_path = /\/bin\/bash/ would be
specific to event type 'PROCESS_LAUN...