I want to check the number of detections for a specific custom rule on the native dashboard.

I was able to create a dashboard that shows the number of detections for all rules for each user, but I am unable to create a dashboard that shows the number of detections for only a specific rule for each user.

Could anyone tell me how to fix this dashboard?


$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
$user
outcome:
$count = count(detection.id)
order:
$count desc


Hi,
You can run the following query:

$rule_name = detection.detection.rule_name
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
$rule_name,$user
outcome:
$count = count(detection.id)
order:
$count desc

Hello Team,

Is there something that needs activation in order to use detection.detection.* and detection.collection_elements.references.* values in order to gather info about custom rules using SIEM search?
I am not able to find an equivalent on my instance.


@PanosMtln 

Hello Team,

Is there something that needs activation in order to use detection.detection.* and detection.collection_elements.references.* values in order to gather info about custom rules using SIEM search?
I am not able to find an equivalent on my instance.

Even I found this issue when I wanted to search through detection.* data using the SIEM search interface.

Thank you for your reply.

Your answer is helpful.


I have one question.

What if I want to only see results for certain rules on the dashboard?

In the dashboard sample above, change this line to the rule(s) of interest (you can also use a list):

$rule_name = detection.detection.rule_name

You could also create a filter for the dashboard based on rule name.


Thank you for your response.

In the dashboard sample above, change this line to the rule(s) of interest (you can also use a list):

If the rule name is test, does this mean that the code is like this?

$rule_name = test
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
$rule_name,$user
outcome:
$count = count(detection.id)
order:
$count desc


In that example, you're creating a variable called rule_name and setting that to test. You would want instead to set detection.detection.rule_name = "test".

So for example, using this:

detection.detection.rule_name = /SCC/
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
$user != ""
match:
detection.detection.rule_name,$user
outcome:
$count = count(detection.id)
order:
$count desc
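An added example (not from this thread) for the "can also use a list" case: the regex above matches any rule name containing SCC, so to restrict the dashboard to a fixed set of rules, anchor the pattern and use alternation. The rule names below are constructed placeholders; substitute your own.

```yaral
// Added example: count detections per user for exactly two named rules.
// Rule names are constructed placeholders, replace with your own.
// The pattern is anchored so "Brute Force Attempt v2" would not match.
detection.detection.rule_name = /^(Suspicious Login|Brute Force Attempt)$/
$user = group(
detection.collection_elements.references.event.src.user.userid,
detection.collection_elements.references.event.principal.user.userid,
detection.collection_elements.references.event.target.user.userid
)
// Drop detections whose events carry no user id at all.
$user != ""
match:
detection.detection.rule_name, $user
outcome:
$count = count(detection.id)
order:
$count desc
```

Unanchored patterns such as /SCC/ are substring matches, so a short fragment can silently pull in unrelated rules; check the rule_name column in the result before trusting the per-user totals.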

Returns the detection count per rule name and user, for every rule whose name contains "SCC".