Create a New Field by Summing Two Fields in Google SecOps

Question

Hi there,I am trying to create a new field by summing two existing fields in Google SecOps SIEM but encountering an error. For example, I have the fields source_bytes and response_bytes, and I want to create a new field total_bytes, calculated as:  total_bytes = source_bytes + response_bytesI wrote the query as follows:metadata.event_type="xyz"$total_bytes = $source_bytes + $response_bytesmatch:        $total_bytesHowever, I receive the following error:> Compilation error validating query: missing type info for placeholder $total_bytesHow can I correctly define a new field by summing two existing fields in Google SecOps?Any guidance would be appreciated!Regards,Prashant Nakum

AymanC · Accepted Answer

Hi @prashant_nakum,Does the below help solve your use case? rule Ayman_C_network_bytes {  meta:    author = "Ayman C"  events:    $test.principal.hostname = $Host    $test.metadata.event_type = "NETWORK_CONNECTION"    $test.network.received_bytes  = $source_bytes    $test.network.sent_bytes  = $response_bytes    match:        $Host over 1h  outcome:    $TotalBytes = sum($source_bytes + $response_bytes)   condition:    $test    }Kind Regards,Ayman

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded