Question

How to define the same index array

  • April 6, 2026
  • 1 reply
  • 8 views

Alex3Lee5

I have an Azure log that contains multiple policy validations. Each validation generates an object inside an array with rule_name and result.

All this information is parsed in SecOps as security_result, so now I have a security_result field with two or more objects.

For example:


security_result: (2)

0:
rule_name: "rule_1"
result: "success"

1:
rule_name: "rule_2"
result: "notApplied"

How can I, in Search and YARA-L, perform a validation where rule_name = "rule_1" and the result of that policy is "notApplied", without using a predefined index? The position of rule_name = "rule_1" can change depending on the log.
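The pitfall behind this question is that two conditions on a repeated field can be evaluated independently (any element matches the first, any element matches the second) or tied to the same element. The added Python below (not part of this post, and not a statement of how SecOps evaluates YARA-L) models both semantics over a constructed event shaped like the security_result array in the question, so the difference is visible on the exact rule_1/rule_2 case above.

```python
import json

# Constructed sample in the shape described above: one parsed event whose
# security_result array holds two rule objects. Field names follow the
# question; this is not a real SecOps export.
SAMPLE_EVENT = json.loads("""
{
  "security_result": [
    {"rule_name": "rule_1", "result": "success"},
    {"rule_name": "rule_2", "result": "notApplied"}
  ]
}
""")


def matches_uncorrelated(event, rule_name, result):
    """Evaluate the two conditions independently over the repeated field.

    This models a rule that asks "is there any element with rule_name == X"
    and, separately, "is there any element with result == Y", without tying
    both to the same array index.
    """
    elems = event.get("security_result", [])
    return any(e.get("rule_name") == rule_name for e in elems) and any(
        e.get("result") == result for e in elems
    )


def matches_same_element(event, rule_name, result):
    """Require both conditions to hold on one security_result element,
    whatever its position in the array (no predefined index)."""
    return any(
        e.get("rule_name") == rule_name and e.get("result") == result
        for e in event.get("security_result", [])
    )


def matching_indexes(event, rule_name, result):
    """Indexes of every element satisfying both conditions; useful when
    checking a detection against logs where the position changes."""
    return [
        i
        for i, e in enumerate(event.get("security_result", []))
        if e.get("rule_name") == rule_name and e.get("result") == result
    ]


if __name__ == "__main__":
    # rule_1 is "success" and rule_2 is "notApplied": the uncorrelated check
    # fires (a false positive), the per-element check correctly does not.
    print(matches_uncorrelated(SAMPLE_EVENT, "rule_1", "notApplied"))  # True
    print(matches_same_element(SAMPLE_EVENT, "rule_1", "notApplied"))  # False
```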

1 reply

cmorris
Staff
  • April 7, 2026

How is the result key value pair being mapped to UDM? Is it something like security_result.rule_labels["result"] = "notApplied"? Will the rule_name always be rule_1 in this example or does that change with the index?