Hello All,
I am looking to retrieve data from a Reference List in Chronicle if it matches a UDM value during a stat search query. For example, if my UDM value is username=suraj, I want to query the Reference List and retrieve any entries that match suraj.
Could you guide me on how to achieve this or provide an example of the appropriate query syntax?
can you try something like "principal.user.username = "username" AND principal.user.username IN reference_list"
Hi @skadav,
If you wanted to do something cooler (below is based on IP), you could do the below POC.
metadata.log_type = "EXTRAHOP_DNS"
principal.ip = $IP
match:
$IP
outcome:
$In_Reference_List = array_distinct(if($IP in %AymanC_IP, "YES", "NO"))Alternatively, the below will only show the events within the reference list
metadata.log_type = "EXTRAHOP_DNS"
principal.ip = $IP
$IP in %AymanC_IP
match:
$IP
outcome:
$Event_Count = count_distinct(metadata.id)
$Max_Event_Timestamp = max(metadata.event_timestamp.seconds)
$Min_Event_Timestamp = min(metadata.event_timestamp.seconds)Kind Regards,
Ayman
Thank you for suggestions @nelsonlam and @AymanC
But, I am primarily looking to retrieve matching data from the reference list, rather than identifying data on the console that matches the reference set.
to elaborate more,
I am planning to store below in Reference list:
username=suraj kadav;designation=security platform engineer; location=remote;etc;etc
username=demo test;designation=testing; location=remote;etc;etc
and once I ran stat query:
Thank you for suggestions @nelsonlam and @AymanC
But, I am primarily looking to retrieve matching data from the reference list, rather than identifying data on the console that matches the reference set.
to elaborate more,
I am planning to store below in Reference list:
username=suraj kadav;designation=security platform engineer; location=remote;etc;etc
username=demo test;designation=testing; location=remote;etc;etc
and once I ran stat query:
Hi skadav,
Reference Lists don't support multi-dimensions. Their upcoming replacements, Data Tables, do. You should be able to do what you want then. I'm not sure how the mechanics will work just yet? Maybe your $info in the outcome field will work via a strings_concat function? You might also be able to join on the data table in the Events section (up top). This is me guessing since I haven't played with it enough yet to know exactly I'd make that work.
Hi skadav,
Reference Lists don't support multi-dimensions. Their upcoming replacements, Data Tables, do. You should be able to do what you want then. I'm not sure how the mechanics will work just yet? Maybe your $info in the outcome field will work via a strings_concat function? You might also be able to join on the data table in the Events section (up top). This is me guessing since I haven't played with it enough yet to know exactly I'd make that work.
Are there any docs written up on this yet or a pre-GA preview option available for those of us that would want to test "data tables" -- This is the first i've heard of a replacement for reference lists and I can't find anything in the API docs etc about them.
Thanks!
Nothing yet. When it's put out in public preview there will be docs visible on this page: https://cloud.google.com/chronicle/docs/preview
I suggest you create an alert to monitor it.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.