+14
udm query
security_result.action = "BLOCK"
metadata.log_type = "OFFICE_365" AND
principal.user.email_addresses = "Example@gmail.COM" AND
principal.user.email_addresses = $email_address
match:
$email_address
outcome:
$c = count($email_address)
Note: This UDM query gives result in siem search but when i execute the same UDM query in soar action this gives an error
ALSO How to fetch event for 40 days ?
Best answer by dnehoda
Hello - This is not supported yet through the API. This is on the roadmap but does not yet have a landing date.
As for the 40 days are you talking SIEM or SOAR?
+16Hello - This is not supported yet through the API. This is on the roadmap but does not yet have a landing date.
As for the 40 days are you talking SIEM or SOAR?
+14Hello - This is not supported yet through the API. This is on the roadmap but does not yet have a landing date.
As for the 40 days are you talking SIEM or SOAR?
in SOAR 40 days i guess we should use custom
+14Yes…use that.
Thank you,
DN
Again to get Start time for the Udm query we need to write custom action to get date of 40 days back and stop time will alert generated time , [since there is no dropdown to select desired date]
+12You could just run the query
security_result.action = "BLOCK" AND
metadata.log_type = "OFFICE_365" AND
principal.user.email_addresses = "Example@gmail.COM"
And then use the picker within the UDM function to provide you a count.
+14if zero result i.e no json result den the udm query to count placeholder wont b resloved. just try with no udm events
+12if zero result i.e no json result den the udm query to count placeholder wont b resloved. just try with no udm events
correct. I take the output into the IF state and if you have the JSON response verbiage set it as 0 found in the IF statement for your logic. I do this with emails also for phishing. but I want to know for Not = Blocked. If JSON response then all are blocked and I can autoclose. If 1-5 found then I take X actions. if > 5 escalate.
+4Again to get Start time for the Udm query we need to write custom action to get date of 40 days back and stop time will alert generated time , [since there is no dropdown to select desired date]
@vanitharaj1208 As you say, you can develop the action in python yourself. But you can also create a playbook block to achieve it using the built-in soar functions. As input you have the number of days you want to see back (days_back).
You just have to pay attention to the correct time zones
+14@vanitharaj1208 As you say, you can develop the action in python yourself. But you can also create a playbook block to achieve it using the built-in soar functions. As input you have the number of days you want to see back (days_back).
You just have to pay attention to the correct time zones
Yes, i have created an custom action to get back time ... based on days
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
