Hi Team,
So there is a requirement.
Can we have a rule in SecOps SIEM that will trigger whenever there is a log stoppage from that particular log source (product & vendor) for a period of 1 or 2 hours?
Here's a way to pull the latest event and see how old it is.
```
rule LatestEventComparison {
  meta:
    description = "Detects if the latest event from a datasource is older than a specified threshold."
    author = "Your Name"
    version = "1.0"
  events:
    $event.metadata.product_event_type = "<YOUR_DATASOURCE_NAME>" // Replace with your datasource
    $event.metadata.event_timestamp.seconds = max($event.metadata.event_timestamp.seconds)
    $current_time = now()
    $time_difference = $current_time.seconds - $event.metadata.event_timestamp.seconds
    $threshold = 3600 // Example: 1 hour threshold (adjust as needed)
  condition:
    $time_difference > $threshold
  outcome:
    $outcome.event = $event
    $outcome.current_time = $current_time
    $outcome.time_difference = $time_difference
    $outcome.threshold = $threshold
    $outcome.message = "Latest event from <YOUR_DATASOURCE_NAME> is older than the threshold."
}
```
This is throwing an error:
parsing: error with token: ")"
unexpected token
line: 9
column: 25-26
The best option for this is Cloud Monitoring - https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics.
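The check the question asks for, as an added example that is not code from this thread or from Google SecOps: compute each expected source's last-seen time over UDM-style records (field names follow UDM metadata; the vendor/product names, timestamps and the source inventory are constructed) and flag anything quiet for longer than the 1-hour threshold, including a source that has sent nothing at all, which no per-event rule could ever match.

```python
# Added example, not code from this thread or from Google SecOps: a "silent
# log source" check over UDM-style records. It demonstrates that a rule
# evaluated over events only sees events that arrived, so absence has to be
# computed from a last-seen table against an inventory of sources that are
# expected to report. All names and records below are constructed.

def latest_by_source(events):
    """Map (vendor_name, product_name) to the newest event_timestamp seconds."""
    latest = {}
    for ev in events:
        meta = ev["metadata"]
        key = (meta["vendor_name"], meta["product_name"])
        ts = meta["event_timestamp"]["seconds"]
        if ts > latest.get(key, -1):
            latest[key] = ts
    return latest


def silent_sources(events, expected_sources, now_seconds, threshold_seconds=3600):
    """Return {(vendor, product): seconds since last event} for every expected
    source that has been quiet longer than the threshold. A source with no
    events at all is reported with None: a per-event rule would never fire
    for it because there is no event to match."""
    latest = latest_by_source(events)
    silent = {}
    for src in expected_sources:
        last = latest.get(src)
        if last is None:
            silent[src] = None
        elif now_seconds - last > threshold_seconds:
            silent[src] = now_seconds - last
    return silent


# Constructed sample: a fixed "now" and three sources expected to report.
NOW = 1_700_000_000
EXPECTED_SOURCES = [("Acme", "Firewall"), ("Acme", "VPN"), ("Acme", "EDR")]

def _udm(vendor, product, seconds):
    return {"metadata": {"vendor_name": vendor, "product_name": product,
                         "event_timestamp": {"seconds": seconds}}}

SAMPLE_EVENTS = [
    _udm("Acme", "Firewall", NOW - 7200),  # old, but a newer one follows
    _udm("Acme", "Firewall", NOW - 600),   # 10 minutes ago: healthy
    _udm("Acme", "VPN", NOW - 5400),       # 90 minutes ago: silent at 1h
    # ("Acme", "EDR") has sent nothing: only the inventory reveals it
]

if __name__ == "__main__":
    for src, age in silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, NOW).items():
        state = "no events seen" if age is None else f"silent for {age // 60} min"
        print(f"{src[0]}/{src[1]}: {state}")
```

Raising the threshold to 7200 seconds (the 2-hour case in the question) drops the VPN source from the result but still reports the EDR source, which is why the inventory matters more than the threshold.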