
Hello Everyone!

 

I'm trying to build some widgets in my dashboard, but I have some problems with my query. I'm trying to show the severity for my custom rule detections and the curated detections in just one field.

 

My problem comes down to not being able to use the field detection.detection.severity in my if condition, because this field is an "enum" data type, and the other field is a string data type.

 

Query → $dynamic_severity = if(detection.detection.severity = "UNKNOWN_SEVERITY", detection.detection.outcomes["severity"], detection.detection.severity)

 

detection.detection.outcomes["severity"] → This is the severity of my custom rules (string data).

 

Feel free to send me other logic for this query!

Hi @Noxurge, in this scenario I believe the root issue is that you are referencing the enumerated value "UNKNOWN_SEVERITY" as a string rather than as an enumerated constant.

 

While I’m not personally sure what the best constant is to fit your use case, an example of what it might look like instead is:

$dynamic_severity = if(detection.detection.severity = SecurityResult.ProductSeverity.UNKNOWN_SEVERITY

 

https://cloud.google.com/chronicle/docs/reference/udm-field-list#securityresultproductseverity



Thanks for the reply! But the real problem is the else clause: detection.detection.severity
Here is an example that works:
 

$dynamic_severity = if(detection.detection.severity = "UNKNOWN_SEVERITY", detection.detection.outcomes["severity"], "STRING_VALUE")

This logic interprets the BOOL_CLAUSE correctly and the THEN_CLAUSE correctly, but when I put detection.detection.severity in the ELSE_CLAUSE, I get this error:
 

// Logic that I want:
$dynamic_severity = if(detection.detection.severity = "UNKNOWN_SEVERITY", detection.detection.outcomes["severity"], detection.detection.severity)

// Error
compilation error compiling query: validating query: got an invalid value for enum field "backstory.SecurityResult.ProductSeverity" line: 5 column: 75-115 : invalid argument

So I solved this problem with nested "if" conditions, even though I didn't like the approach because it is too verbose, but it works for now:
 

$dynamic_severity = if(detection.detection.severity = "UNKNOWN_SEVERITY", strings.to_upper(detection.detection.outcomes["severity"]),
if(detection.detection.severity = "CRITICAL", "CRITICAL",
if(detection.detection.severity = "HIGH", "HIGH",
if(detection.detection.severity = "MEDIUM", "MEDIUM",
if(detection.detection.severity = "LOW", "LOW",
if(detection.detection.severity = "NONE", "NONE",
if(detection.detection.severity = "ERROR", "ERROR",
if(detection.detection.severity = "INFORMATIONAL", "INFORMATIONAL", "UNKNOWN")
)
)
)
)
)
)
)
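The nested-if above folds two differently typed severity sources (the curated detections' enum and the custom rules' free-form outcome string) into one string field. As an added example that is not part of any post in this thread, the Python below mirrors that logic so the merge rule can be checked offline: the ProductSeverity class is a constructed stand-in using the enum names listed in the nested-if (its numeric values are placeholders, not Chronicle's), the enum is converted to its name rather than compared with a string, the outcome string is upper-cased the way strings.to_upper() does in the query, and a missing or empty outcome falls back to "UNKNOWN". The sample detections and the severity_counts() aggregation are likewise constructed to show what a dashboard widget would count.

```python
from collections import Counter
from enum import Enum


class ProductSeverity(Enum):
    """Constructed stand-in for the SecurityResult.ProductSeverity enum values
    enumerated in the thread's nested-if; numeric values are placeholders."""
    UNKNOWN_SEVERITY = 0
    INFORMATIONAL = 1
    ERROR = 2
    NONE = 3
    LOW = 4
    MEDIUM = 5
    HIGH = 6
    CRITICAL = 7


def dynamic_severity(enum_severity, outcomes):
    """Merge the two severity sources into one string, as the nested-if does.

    enum_severity: a ProductSeverity member (curated detections) or None.
    outcomes: dict of a custom rule's outcome variables, e.g. {"severity": "high"}.
    """
    if enum_severity is None or enum_severity is ProductSeverity.UNKNOWN_SEVERITY:
        # Custom rules carry severity as a free-form outcome string: normalise
        # case like strings.to_upper() in the query, and fall back to "UNKNOWN"
        # when the outcome is absent or empty (the nested-if's final else).
        custom = (outcomes or {}).get("severity")
        return custom.strip().upper() if custom and custom.strip() else "UNKNOWN"
    # Convert the enum to its name instead of comparing it with a string:
    # ProductSeverity.HIGH == "HIGH" is False in Python, much as the query
    # compiler rejected the enum field in the string-typed else branch.
    return enum_severity.name


def severity_counts(detections):
    """Aggregate detections by merged severity, as a dashboard widget would."""
    return Counter(
        dynamic_severity(d.get("severity"), d.get("outcomes")) for d in detections
    )


# Constructed sample detections: two curated, three from custom rules.
SAMPLE_DETECTIONS = [
    {"severity": ProductSeverity.HIGH, "outcomes": {}},
    {"severity": ProductSeverity.CRITICAL, "outcomes": {}},
    {"severity": ProductSeverity.UNKNOWN_SEVERITY, "outcomes": {"severity": "high"}},
    {"severity": ProductSeverity.UNKNOWN_SEVERITY, "outcomes": {"severity": " Medium "}},
    {"severity": ProductSeverity.UNKNOWN_SEVERITY, "outcomes": {}},
]

if __name__ == "__main__":
    for label, count in sorted(severity_counts(SAMPLE_DETECTIONS).items()):
        print(f"{label:<14} {count}")
```

Running the block prints one line per merged severity with its count; the custom rule whose outcome lacks a severity lands in "UNKNOWN", which is the bucket to watch for in a widget if a rule forgets to set that outcome variable.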

 


Great work @Noxurge and thank you for sharing the solution. Feel free to mark your own post as the solution so that others who run into this can reference your example. Regards!