Solved

looking for the OR option if available

  • February 27, 2025
  • 4 replies
  • 22 views


Hello everyone, I have a question regarding the combination of two fields (principal.asset.hostname & target.asset.hostname). Is there any way to make the outcome show principal.asset.hostname OR target.asset.hostname instead of combining them?

$index = strings.to_upper(metadata.vendor_name)
$ips = strings.concat(principal.ip, intermediary.ip)
$hostnames = strings.concat(principal.asset.hostname, "", target.asset.hostname) // <--- HERE
$users = strings.concat(principal.user.userid, target.user.userid)
$date = timestamp.get_timestamp(metadata.event_timestamp.seconds)

match:
    $index, $date, $users, $hostnames, extensions.auth.mechanism, metadata.product_event_type, security_result.summary

outcome:
    $ip = array_distinct($ips)

order:
    $date, $users, $hostnames asc

4 replies

cmorris
Staff
  • Staff
  • February 28, 2025

Can you provide some context on the use case for the query?

If you want to show the fields separately, you could replace $hostnames and adjust the match and order sections:

$principal_hosts = principal.asset.hostname
$target_hosts = target.asset.hostname


AymanC
  • Bronze 5
  • February 28, 2025

Hi @blitzcrieg,

You should be able to achieve this using an IF statement, like so:

array_distinct(if(metadata.log_type = "EXAMPLE_LOGTYPE1", principal.hostname, if(metadata.log_type = "EXAMPLE_LOGTYPE2", target.asset.hostname, "N/A")))

Kind Regards,

Ayman

  • Author
  • New Member
  • March 1, 2025

Hello @cmorris
As you can see here, I am trying to create a query that catches user logins, but the issue is that I need to use both fields to generate the workstation name, because if I use only one, the result for most of them will be blank.
What I am trying to understand is whether I can use something like OR so it can display either principal.asset.hostname OR target.asset.hostname.

jstoner
Staff
  • Staff
  • Answer
  • March 3, 2025

If you know that you must use principal.hostname if it exists and then only roll to target.hostname if the principal doesn't exist, you could also consider using strings.coalesce.

https://www.googlecloudcommunity.com/gc/Google-Security-Operations/Getting-to-Know-Google-SecOps-Functions-strings-coalesce/ta-p/726303
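Putting the accepted suggestion back into the original search, as an added example that is not from the thread or from Google's documentation: strings.coalesce returns the first non-empty argument, so each event gets principal.asset.hostname when it is populated and falls back to target.asset.hostname otherwise, instead of the two values being glued together. The USER_LOGIN filter and the non-empty-hostname condition are assumptions, since the original post does not show its filter section; all other placeholders are the ones from the question.

```yaral
// Added example, not the original poster's query: the strings.concat of the
// two hostname fields is replaced by strings.coalesce as the accepted answer
// suggests. The event_type filter is an assumption (the original post shows
// no filter section); the OP says the search targets user logins.
metadata.event_type = "USER_LOGIN"

// Drop events where neither field is populated, so they do not show up as a
// blank workstation row (assumption: how the OP wants empty pairs handled).
(principal.asset.hostname != "" or target.asset.hostname != "")

$index = strings.to_upper(metadata.vendor_name)
$ips = strings.concat(principal.ip, intermediary.ip)
// First non-empty value wins: principal.asset.hostname if present,
// otherwise target.asset.hostname.
$hostname = strings.coalesce(principal.asset.hostname, target.asset.hostname)
$users = strings.concat(principal.user.userid, target.user.userid)
$date = timestamp.get_timestamp(metadata.event_timestamp.seconds)

match:
    $index, $date, $users, $hostname, extensions.auth.mechanism, metadata.product_event_type, security_result.summary

outcome:
    $ip = array_distinct($ips)

order:
    $date, $users, $hostname asc
```

The difference from the if() approach posted earlier in the thread is what drives the choice: if() selects a field per log type, which is the right tool when a given source always writes the workstation to one known field, while strings.coalesce decides per event on whether the preferred field is actually populated, which is what the question asked for when either field may be blank.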