Solved

Check the number of detections for a specific custom rule on the native dashboard.

  • August 12, 2025
  • 7 replies
  • 131 views

hmd

I want to check the number of detections for a specific custom rule on the native dashboard.

I was able to create a dashboard that shows the number of detections for all rules for each user, but I am unable to create a dashboard that shows the number of detections for only a specific rule for each user.

Could anyone tell me how to fix this dashboard?


$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
$user
outcome:
$count = count(detection.id)
order:
$count desc



7 replies

Eoved
  • Bronze 1
  • August 12, 2025

Hi,
You can run the following query:

$rule_name = detection.detection.rule_name
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
$rule_name,$user
outcome:
$count = count(detection.id)
order:
$count desc



PanosMtln
  • Bronze 2
  • August 13, 2025

Hello Team,

Is there something that needs activation in order to use detection.detection.* and detection.collection_elements.references.* values in order to gather info about custom rules using SIEM search?
I am not able to find an equivalent on my instance.


babu_k
  • Staff
  • August 14, 2025

@PanosMtln

> Hello Team,
>
> Is there something that needs activation in order to use detection.detection.* and detection.collection_elements.references.* values in order to gather info about custom rules using SIEM search?
> I am not able to find an equivalent on my instance.

Even I found this issue when I wanted to search through detection.* data using the SIEM search interface.



hmd
  • Author
  • Bronze 1
  • August 20, 2025

Thank you for your reply.

Your answer is helpful.


I have one question.

What if I want to only see results for certain rules on the dashboard?


cmorris
  • Staff
  • August 20, 2025

> Thank you for your reply.
>
> Your answer is helpful.
>
> I have one question.
>
> What if I want to only see results for certain rules on the dashboard?

In the dashboard sample above, change this line to the rule(s) of interest (can also use a list):

$rule_name = detection.detection.rule_name

You could also create a filter for the dashboard based on rule name.


hmd
  • Author
  • Bronze 1
  • August 21, 2025

Thank you for your response.

> In the dashboard sample above, change this line to the rule(s) of interest (can also use a list):

If the rule name is test, does this mean that the code is like this?

$rule_name = test
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
$rule_name,$user
outcome:
$count = count(detection.id)
order:
$count desc



cmorris
  • Staff
  • Answer
  • August 21, 2025

> Thank you for your response.
>
> > In the dashboard sample above, change this line to the rule(s) of interest (can also use a list):
>
> If the rule name is test, does this mean that the code is like this?
>
> $rule_name = test
> $user = group(
> detection.collection_elements.references.event.src.user.userid,
> detection.collection_elements.references.event.principal.user.userid,
> detection.collection_elements.references.event.target.user.userid
> )
> $user != ""
> match:
> $rule_name,$user
> outcome:
> $count = count(detection.id)
> order:
> $count desc


In that example, you're creating a variable called rule_name and setting that to test. You would want instead to set detection.detection.rule_name = "test".

So for example, using this:

detection.detection.rule_name = /SCC/
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
detection.detection.rule_name,$user
outcome:
$count = count(detection.id)
order:
$count desc

Returns this:
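To make the semantics of the accepted query concrete (regex filter on the rule name, group() across the three user id fields, the `$user != ""` guard, count per rule and user, descending order), here is an added offline Python model run over constructed detection records. It is not code from the thread or from Google SecOps, and it assumes that group() lets one detection count once for each distinct non-empty user found in any of the listed fields.

```python
import re
from collections import defaultdict

# Constructed sample detections (not real data). Each record carries the rule
# name and the three user id fields that the dashboard query passes to group().
DETECTIONS = [
    {"id": "det-1", "rule_name": "SCC_Login_Anomaly",
     "src_user": "", "principal_user": "alice", "target_user": ""},
    {"id": "det-2", "rule_name": "SCC_Login_Anomaly",
     "src_user": "", "principal_user": "alice", "target_user": "bob"},
    {"id": "det-3", "rule_name": "SCC_Privilege_Change",
     "src_user": "carol", "principal_user": "", "target_user": ""},
    {"id": "det-4", "rule_name": "Other_Rule",
     "src_user": "", "principal_user": "alice", "target_user": ""},
    {"id": "det-5", "rule_name": "SCC_Login_Anomaly",
     "src_user": "", "principal_user": "", "target_user": ""},  # no user at all
]

USER_FIELDS = ("src_user", "principal_user", "target_user")


def detections_per_rule_and_user(detections, rule_pattern):
    """Model of the thread's final query:
      detection.detection.rule_name = /<pattern>/   (unanchored regex filter)
      $user = group(src, principal, target userid); $user != ""
      match: rule_name, $user; outcome: count(detection.id); order: $count desc
    Assumption: group() yields every distinct non-empty user across the fields,
    so a detection with two different users contributes to two rows."""
    rule_re = re.compile(rule_pattern)
    counts = defaultdict(set)  # (rule_name, user) -> set of detection ids
    for det in detections:
        if not rule_re.search(det["rule_name"]):
            continue  # rule name filter, applied before grouping
        users = {det[f] for f in USER_FIELDS if det[f]}  # drops "" ($user != "")
        for user in users:
            counts[(det["rule_name"], user)].add(det["id"])
    rows = [(rule, user, len(ids)) for (rule, user), ids in counts.items()]
    # order: $count desc; the secondary keys only make the output deterministic
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for rule, user, count in detections_per_rule_and_user(DETECTIONS, "SCC"):
        print(f"{rule:24} {user:8} {count}")
```

Detection det-5 disappears from the output exactly as it would on the dashboard: with no user in any of the three fields, the `$user != ""` filter leaves nothing to group on.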