Assistance Needed for SIEM Dashboard to show if logs have been down for a host for longer than 30 days

Question

Hi Everyone,

I am looking for a way to create a dashboard that shows when a host event count hits 0. I was using the following query I took from another dashboard and tweaked a little bit:

“

$Event_Type = principal.hostname

$Date = timestamp.get_date(metadata.event_timestamp.seconds)

metadata.log_type = "WINEVTLOG"

match:

$Date, $Event_Type

outcome:

$Count = count(metadata.id)

condition:

$Count <= 1

order:

$Date asc

“

This give me values that shows when a value is less than or equal to 1. It shows over the last 7 days that there were day when the value was 0 but when I attempt to have it search for when $Count = 0 I dont get a result. I understand that is probably because the value does not exist so it cant pull back a null value, but is there a way to get this to pull when there is no value?

NotMarcus · Answer

Hi,I was able to find a solution with the following editing of the dashboard that shows last 7 days of no events:$host = principal.hostname$event_time = metadata.event_timestamp.seconds$log_type = metadata.log_typematch:$host, $log_typeoutcome:$last_seen_timestamp = timestamp.get_timestamp(max($event_time))$days_since_last_seen = math.round((timestamp.current_seconds() - max($event_time)) / 86400, 0)condition:$days_since_last_seen >= 30order:$days_since_last_seen desclimit:10000This gives me events greater than 30 days on the table and also provides the log type that stopped sending in from their respectivehosts. Putting here if someone else needs a dashboard like this.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded