+3Hello,
I run YARA-L queries in the SecOps Native Dashboards to obtain variety of metrics. In this case, I am trying run a query that returns byte size for Defender logs, but broken down by product event type (e.g. DeviceProcessEvents) and ingestion label; since we have multiple feeds for certain event types and I'd like to check on a per feed basis. Is there any guidance on what syntax I could use for bytes?
Thank you
Best answer by cmorris
You could use ingestion.log_volume (https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema), but the capability to join two separate data sources - ingestion and event - in native dashboards does not exist today, so I don't think you will be able to break this down by product event types.
I used this query in the native dashboards to generate the below screenshot:
ingestion.log_type = /DEFENDER/
match:
ingestion.log_type, ingestion.collector_id
outcome:
$bytes = sum(ingestion.log_volume)
If you are not ingesting Defender via the collector, like I am in this example, you'll want to update ingestion.collector_id in the match section. Ex. use ingestion.feed_id
+11You could use ingestion.log_volume (https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema), but the capability to join two separate data sources - ingestion and event - in native dashboards does not exist today, so I don't think you will be able to break this down by product event types.
I used this query in the native dashboards to generate the below screenshot:
ingestion.log_type = /DEFENDER/
match:
ingestion.log_type, ingestion.collector_id
outcome:
$bytes = sum(ingestion.log_volume)
If you are not ingesting Defender via the collector, like I am in this example, you'll want to update ingestion.collector_id in the match section. Ex. use ingestion.feed_id
+3You could use ingestion.log_volume (https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema), but the capability to join two separate data sources - ingestion and event - in native dashboards does not exist today, so I don't think you will be able to break this down by product event types.
I used this query in the native dashboards to generate the below screenshot:
ingestion.log_type = /DEFENDER/
match:
ingestion.log_type, ingestion.collector_id
outcome:
$bytes = sum(ingestion.log_volume)
If you are not ingesting Defender via the collector, like I am in this example, you'll want to update ingestion.collector_id in the match section. Ex. use ingestion.feed_id
Thank you; this worked very well.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.