
Hi everyone,

I’m currently working on preview dashboards in Google SecOps and facing an issue when trying to use one placeholder within another in the meta (upper) section of a query.

Here’s an example of my query:

event_type="xyz"
$version = if(version != "", version, "Unknown")
$version_status = if($version = "v1", "vs1", "vs2")
match:
          $version_status
outcome:
          $count = count(id)

The issue arises when I reference $version inside the calculation for $version_status. This results in an error, which I have attached as a screenshot.

Is there any guidance or documentation available on how to handle such cases? Any help would be greatly appreciated!

Thanks,
Prashant

The short answer is that you can't take a placeholder variable and then derive another placeholder variable from it. That said, based on what you have, I'm not sure if you really need both.


Based on the example you have, we are going to end up with the non-null values being whatever the version is and everything else will be unknown. From there, we are going to take all those unknown strings and non-null values and return vs1 or vs2 where vs1 is the v1 stuff and everything else non-null and null are vs2. If I read that correctly, then I think the below may work nicely.


I adapted this to network connection logs with the version being swapped out for the principal.user.userid because that way I get fields that have null values in them for this example. If I write a query based on just the conditional logic that handles null values with an unknown string, my query looks like this and below are the results in a tabular view.




metadata.event_type = "NETWORK_CONNECTION"
$version_status = if(principal.user.userid != "", principal.user.userid, "Unknown")
//$version_status = if(principal.user.userid = "NETWORK SERVICE", "vs1", "vs2")
match:
$version_status
outcome:
$count = count(metadata.id)


Now let's comment out that line where we handled the null values and mapped them to unknown and look at the second line of criteria you had which classified data as vs1 or vs2. 




metadata.event_type = "NETWORK_CONNECTION"
//$version_status = if(principal.user.userid != "", principal.user.userid, "Unknown")
$version_status = if(principal.user.userid = "NETWORK SERVICE", "vs1", "vs2")
match:
$version_status
outcome:
$count = count(metadata.id)


Changing out the if statement like I have in bold results in the following result set. Notice that this encompasses anything including the null fields in that vs2 value so from the first example to this one, we have local service, system and unknown, basically everything except the network service value.



Hope this helps!


Thanks for your prompt response!

I understand your explanation, but I have another scenario while creating panels in the preview dashboard where I need to explicitly use a placeholder inside another placeholder. Here’s an example query:

metadata.event_type="xyz"
$is_src_internal = if(principal.ip in cidr %is_internal_external, "true", "false")
$is_dest_internal = if(target.ip in cidr %is_internal_external, "true", "false")

$direction = if($is_src_internal="true" AND $is_dest_internal="true", "Internal",
if($is_src_internal="false" AND $is_dest_internal="false", "External",
if($is_src_internal="false" AND $is_dest_internal="true", "Inbound",
if($is_src_internal="true" AND $is_dest_internal="false", "Outbound", "Unknown"))))

match:
metadata.uid, $direction

outcome:
$count = count_distinct(metadata.uid)
// array_distinct takes a single expression, so the conditional is wrapped in if()
$dest_host_type = array_distinct(if($is_dest_internal = "true", "Internal", "External"))


However, in the preview dashboard, it restricts the use of in cidr to a maximum of two times. Since I need to use the $direction field inside the match section, but $direction is derived using $is_src_internal and $is_dest_internal, I encounter an error (which I mentioned above) due to this limitation.

Is there any workaround or alternative approach to handle this scenario?

Thanks,
Prashant
