Hello,

I have two logs that share a common field: ID

I need to create a single table with the following columns:

  • The ID field
  • Field X from the first log
  • Field Y from the second log

Here's what I have so far:

  • From the first log, I ran a search that produced a table containing the ID and X fields.
  • From the second log, I ran a different search that produced a table containing the ID and Y fields.

Now, I want to combine these results into one table that includes all three fields (ID, X, and Y).

How can I achieve this in Chronicle?

Thank you!

At present Joins are not supported in UDM Search, but this is on the roadmap for later on in the year.


A potential workaround, and depending on the number of results you need, is to use Detection Engine and write a multi-event detection (not a detection alert), and then you can use outcome variables to output a table of values that you need. You can then view the results in Detection View, or else create a Dashboard of the results.


Alternatively, if you have an export of your event data into BigQuery, you can use SQL with a Join statement.


Hi,

Could you clarify what you meant by "use Detection Engine and write a multi-event detection (not a detection alert)"?

What actions should I undertake to achieve this?

Thanks


If you use the rules editor and write a rule, you can build a detection. Below is a quick primer on how to write a multi-event rule. The detection v alert is a toggle in the rule editor that provides a method to not generate an alert in queue that someone might triage and just have a detection that can be viewed in the UI. I liken detection v alert to running a rule in an evaluation mode prior to deploying it to the team who is tasked with triage and responding to alerts.


https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Multi-Event-Rules/ba-p/722663
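As an added illustration of the multi-event workaround described in the two replies above (constructed for this thread, not code from the thread, the linked primer, or Google's documentation), here is a YARA-L 2.0 rule that correlates the two logs on the shared ID and surfaces X and Y as outcome variables; the log types `LOG_TYPE_A`/`LOG_TYPE_B` and the UDM field paths standing in for ID, X and Y are placeholders to be replaced with the asker's real fields:

```yaral
rule join_two_logs_on_id {
  meta:
    author = "example"
    description = "Correlates two log sources on a shared ID and emits X and Y as outcome columns (constructed example)"
    severity = "INFORMATIONAL"

  events:
    // First log: the event that carries the ID and field X.
    // LOG_TYPE_A and the field paths below are placeholders, not real identifiers.
    $a.metadata.log_type = "LOG_TYPE_A"
    $a.principal.user.userid = $id
    $a.principal.user.userid != ""

    // Second log: the event that carries the same ID and field Y.
    $b.metadata.log_type = "LOG_TYPE_B"
    $b.principal.user.userid = $id

  match:
    // Group both event types by the shared ID within a time window.
    $id over 24h

  outcome:
    // These become the X and Y columns of the resulting table, one row per ID.
    $x = array_distinct($a.principal.hostname)
    $y = array_distinct($b.target.hostname)

  condition:
    // Only produce a detection when both sides of the join are present for the ID.
    $a and $b
}
```

With the rule's toggle set to detection rather than alert, as the reply above describes, each match appears in Detection View with the ID as the match variable and X and Y as outcome columns.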



