
Hello everyone, I have a question regarding the combination of 2 fields (principal.asset.hostname & target.asset.hostname). Is there any way to make the outcome show principal.asset.hostname OR target.asset.hostname instead of combining them?


$index = strings.to_upper(metadata.vendor_name)
$ips = strings.concat(principal.ip, intermediary.ip)
$hostnames = strings.concat(principal.asset.hostname, target.asset.hostname) <--- HERE
$users = strings.concat(principal.user.userid, target.user.userid)
$date = timestamp.get_timestamp(metadata.event_timestamp.seconds)

match:
    $index, $date, $users, $hostnames, extensions.auth.mechanism, metadata.product_event_type, security_result.summary

outcome:
    $ip = array_distinct($ips)

order:
    $date, $users, $hostnames asc

Can you provide some context on the use case for the query?


If you want to show the fields separately, you could replace $hostnames and adjust the match and order sections:


$principal_hosts = principal.asset.hostname

$target_hosts = target.asset.hostname



Hi @blitzcrieg,

You should be able to achieve this using an IF statement, like so:


array_distinct(if(metadata.log_type = "EXAMPLE_LOGTYPE1", principal.hostname, if(metadata.log_type = "EXAMPLE_LOGTYPE2", target.asset.hostname, "N/A")))

Kind Regards,

Ayman



Hello @cmorris,
As you can see here, I am trying to create a query that catches user logins, but the issue is that I need to use both fields to generate the workstation name, because if I use only one the result for most of them will be blank.
What I am trying to understand is whether I can use something related to OR so it displays either principal.asset.hostname OR target.asset.hostname.



If you know that you must use principal.hostname if it exists and only roll over to target.hostname if the principal doesn't exist, you could also consider using strings.coalesce.


https://www.googlecloudcommunity.com/gc/Google-Security-Operations/Getting-to-Know-Google-SecOps-Functions-strings-coalesce/ta-p/726303

