
Hi, I’m building a dashboard (v2), but the fields I want to dashboard use IDs instead of names. I want some of the IDs to point to the same name too. I’m not sure what feature of YARA-L to use to achieve this.

Here’s an example with dummy data:

I want IDs 52a11631-8a6d-42be-aeb9-a6f8754e186c and 9a50ae9f-11e5-4475-88de-0ba55d8d6745 to be displayed as a single item named “XSS”, while fcfc4231-21cf-4eec-b542-14687225b1b4 and 106886e1-e52d-4254-b57a-54b550db1602 are to be displayed as a single item named “SQLi” in a bar chart in the dashboard.

It doesn’t look like the dashboard interface is capable of doing this, so I’m thinking I need to build out a YARA-L query.

I want to create a query that looks similar to the following, but I’m not sure how to do it within the constraints of the YARA-L syntax supported by the new dashboards engine:

metadata.product_name = "WAF" AND security_result.action = "BLOCK"

$Rule_ID = security_result.rule_id

if($Rule_ID = ("ID-string-1", "ID-string-2"), $Rule_Name = "XSS")
if($Rule_ID = ("ID-string-3", "ID-string-4"), $Rule_Name = "SQLi")

match:
  $Rule_Name

outcome:
  $count = count(metadata.id)

Any pointers would be much appreciated!

I would try creating a data table where each row includes two columns - one for the ID and one for the name you want displayed.


From there, in the events section, add in security_result.rule_id = %my_data_table.id and then in the outcome section $rule_id = array_distinct(%my_data_table.rule_name). That should display both the ID and the text. If you wanted to just display the text and not the ID value, you could use unselect - 



Hi @MusicMule

Does the below work for you by any chance?

metadata.product_name = "WAF" and security_result.action = "BLOCK"

// Map each raw rule ID to the display name; anything unmatched lands in "OTHER"
$Custom_Rule_ID = if(security_result.rule_id = "test" or security_result.rule_id = "test1", "XSS", if(security_result.rule_id = "NotTest", "SQLI", "OTHER"))

match:
  $Custom_Rule_ID

outcome:
  $Count = count(metadata.id)

Kind Regards,

Ayman
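The same nested if() pattern applied to the four IDs from the original post, with a second outcome that lists which raw rule IDs rolled up into each bar, so any ID that lands in the "OTHER" bucket can be spotted and given a mapping. This is an added example, not code from either reply; it assumes the dashboard query shape used in this thread (filter, match, outcome) and that the dashboard engine accepts array_distinct in the outcome section.

```yaral
metadata.product_name = "WAF" and security_result.action = "BLOCK"

// Roll the WAF rule IDs up into human-readable categories.
// Unknown IDs fall through to "OTHER" instead of being dropped from the chart.
$Category = if(
    security_result.rule_id = "52a11631-8a6d-42be-aeb9-a6f8754e186c" or
    security_result.rule_id = "9a50ae9f-11e5-4475-88de-0ba55d8d6745",
    "XSS",
    if(
        security_result.rule_id = "fcfc4231-21cf-4eec-b542-14687225b1b4" or
        security_result.rule_id = "106886e1-e52d-4254-b57a-54b550db1602",
        "SQLi",
        "OTHER"))

match:
  $Category

outcome:
  // Bar height: number of blocked events per category
  $Count = count(metadata.id)
  // Raw IDs behind each bar; inspect the OTHER row for IDs that still need a mapping
  $Rule_IDs = array_distinct(security_result.rule_id)
```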