Skip to main content

Good morning,

Our firm is interested in coming up with some metrics around AI application adoption. We’re curious to see trends over the past 6 months or so including what specific AI applications users are working with the most (Copilot, ChatGPT, AI for Power BI etc.)

We have come up with the following query:

metadata.log_type = "OUR_LOG_TYPE"
security_result.category_details = "Generative AI"
$data_pair = strings.concat(security_result.category_details, " | ", target.application, " | ", principal.user.email_addresses, " | ", network.http.referral_url, " | ", target.url )
$event_id = security_result.category_details
match:
$data_pair
outcome:
$EventCount = count(security_result.category_details)

This works but is bit clunky. Does anyone have any suggestions of how we might better pull this data using search? Anyone else using SecOps to pull data of this kind?

Thanks in advance for any help you’re able to provide!

 

Regards

Good morning, I have few suggestions that could be helpful ;

  1. If the traffic passes through a WAF/Reverse Proxy then your metrics could be more accurate, in that case you could also add the session duration for the “Close Connection” type of events to estimate even the access time not just the number of hits.
  2. You could collect the extract month from timestamp function and add it to the match variable to collect the utilization for the objects key user-date-url (e.g: timestamp.get_timestamp(1708598631, "MONTH", "GMT") = "2024-02" )
  3. There is really no need to include security_result.category_details in your concat object if you are already filtering for a single value in Lines 3-4. Also we usually count the metadata.id but that is more of an aesthetics consideration.
  4. The network.http.referral_url  seems redundant since you have the target.url , unless you have a unique value there. You could also extract the required hosts/urls from strings.extract_domain(url_string) , strings.extract_hostname(string)  instead of the fully URL that migh have redirects or additional unnecessary parameters.
  5. If you have BigQuery, you could use a BigQuery search to generate them instead of relying on the UI part, similarily you could use the dashboards to have the data visualized in tables and updated periodically or you could script the search API periodically to collect the data daily in a CSV if you need the freedom to export the data elsewhere.
  6. The 3 platforms you mentioned have utilization metrics that you could collect from the source for more accurate data ; (ChatGPT enterprise have a paid Compliance API,  MSCopilot through a beta Graph API call exportable to BigQuery or CSV , PowerBI through a Get Request to activityEvents) , all could be unified into a buckets or a BigQuery table or a CSV table and ingested into SecOps, but writing a single parser to accommodate all will be tricky.
  7. You could instead use a run-daily rule (or the same query) to write the outcomes into a datatable (e.g. https://cloud.google.com/chronicle/docs/investigation/data-tables#example_use_write_row_to_write_query_output_to_a_data_table ) and use the generated analytics from the data tables later on for the trends analysis or visualizations in the dashboard.

Hope these ideas help.

@AbdElHafez great ideas -- thank you!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.