The query I am trying to run is:

$e.metadata.event_type = "USER_LOGIN"
$e.security_result.action = "BLOCK"
$e.security_result.summary = "LogonFailed"
$principaluser = $e.principal.user.userid
$principalip = $e.principal.ip
match:
  $principaluser over 10m
outcome:
  $count = count($e.principal.user.userid)


This seems to be a limitation on the API and not something within the Execute UDM Query integration. A simple YARA-L query like the one below will execute, but not a "detection"-based YARA-L statement as it does in the Search UI. You should open a support case for this.

metadata.event_type = "USER_LOGIN"
security_result.action = "BLOCK"
security_result.summary = "LogonFailed"
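Since the plain filter goes through the API but the match/outcome aggregation does not, one workaround is to run the simple filter and do the per-user, per-window counting on the returned events. The Python below is an added example, not code from the thread or from the Execute UDM Query integration: it reproduces the three filter lines and a 10-minute per-user count over constructed UDM-shaped events. It assumes the result shape (metadata.event_timestamp, a repeated security_result list, principal.user.userid) and uses epoch-aligned tumbling windows, which is an approximation of what `over 10m` does server-side.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)

# Constructed sample events in a UDM-like shape; these are not real Chronicle output.
SAMPLE_EVENTS = [
    {"metadata": {"event_timestamp": "2024-01-01T10:01:00Z", "event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "alice"}, "ip": ["10.0.0.5"]},
     "security_result": [{"action": "BLOCK", "summary": "LogonFailed"}]},
    {"metadata": {"event_timestamp": "2024-01-01T10:04:00Z", "event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "alice"}, "ip": ["10.0.0.5"]},
     "security_result": [{"action": "BLOCK", "summary": "LogonFailed"}]},
    {"metadata": {"event_timestamp": "2024-01-01T10:07:00Z", "event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "alice"}, "ip": ["10.0.0.5"]},
     "security_result": [{"action": "ALLOW", "summary": "LogonSuccess"}]},  # dropped by filter
    {"metadata": {"event_timestamp": "2024-01-01T10:12:00Z", "event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "alice"}, "ip": ["10.0.0.5"]},
     "security_result": [{"action": "BLOCK", "summary": "LogonFailed"}]},  # next window
    {"metadata": {"event_timestamp": "2024-01-01T10:03:00Z", "event_type": "USER_LOGIN"},
     "principal": {"user": {"userid": "bob"}, "ip": ["10.0.0.9"]},
     "security_result": [{"action": "BLOCK", "summary": "LogonFailed"}]},
    {"metadata": {"event_timestamp": "2024-01-01T10:05:00Z", "event_type": "NETWORK_CONNECTION"},
     "principal": {"user": {"userid": "bob"}, "ip": ["10.0.0.9"]},
     "security_result": [{"action": "BLOCK", "summary": "LogonFailed"}]},  # wrong event type
]


def parse_ts(ts: str) -> datetime:
    """Parse the RFC 3339 'Z' timestamps used in the constructed sample (assumed format)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches_filter(event: dict) -> bool:
    """Client-side equivalent of the three filter lines from the thread's query."""
    if event.get("metadata", {}).get("event_type") != "USER_LOGIN":
        return False
    # security_result is a repeated field in UDM; the filter matches if any entry does.
    return any(
        sr.get("action") == "BLOCK" and sr.get("summary") == "LogonFailed"
        for sr in event.get("security_result", [])
    )


def window_start(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Floor a timestamp to the start of its epoch-aligned tumbling window."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return ts - ((ts - epoch) % window)


def failed_logins_per_user(events: list, window: timedelta = WINDOW) -> dict:
    """Stand-in for `match: $principaluser over 10m` / `outcome: $count = count(...)`.

    Returns {(userid, window_start_iso): count} for events that pass the filter.
    """
    counts = defaultdict(int)
    for ev in events:
        if not matches_filter(ev):
            continue
        userid = ev.get("principal", {}).get("user", {}).get("userid")
        if not userid:
            continue  # no principal user to group on
        ts = parse_ts(ev["metadata"]["event_timestamp"])
        bucket = window_start(ts, window).strftime("%Y-%m-%dT%H:%M:%SZ")
        counts[(userid, bucket)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, bucket), n in sorted(failed_logins_per_user(SAMPLE_EVENTS).items()):
        print(f"{bucket}  {user:<10} failed_logins={n}")
```

The returned dictionary is what the outcome section would have produced per match window; a playbook can then apply its own threshold (for example, flag users whose count in any window exceeds a chosen value) before raising an alert.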


Hello,


I can confirm the same behavior in our test instance in SOAR, but trying the same query directly in SIEM does not give me any error. As mentioned, please open a support case to investigate.

Hi @Vaishnoodevi,

The reason this is failing is that you are using a Pre-GA feature, known as 'Statistics and Aggregations' [1], which is not currently supported in that action, nor is it available as an API endpoint.

[1] - https://cloud.google.com/chronicle/docs/investigation/statistics-aggregations-in-udm-search


Thank you @AymanC and @TonyH, I have raised a feature request with the Google team.

