
Hello

I have been using the rule below from the GitHub repo for some time, and recently a syntax error has popped up (yellow line under the line with status_code).

 https://github.com/chronicle/detection-rules/blob/main/rules/community/gcp/gcp_excessive_permission_denied_events.yaral 

 

What can be the issue with this line? Using it in SIEM search works OK, but inside the rule it doesn't work and doesn't give any results.

$gcp.security_result.detection_fields["status_code"] = "7" 

 

Thank you.

Hi @Lradu,

The “detection_fields” field has not actually been deprecated. That warning will go away soon after a change is pushed out to customers.

Can you share the search query that returns results? Are you able to verify that these conditions are true in the events that you see after running the search? These conditions are in the community rule that you shared.

  condition:
    #gcp > 5 and #target_application > 1 and #product_event_type > 1

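To show how those three counts are produced, here is an added illustration in YARA-L 2.0; it is not the rule from the chronicle/detection-rules repository, and the vendor_name filter, the placeholder names and the 1h match window are assumptions of the example.

```yaral
rule gcp_permission_denied_condition_illustration {

  meta:
    author = "added illustration, not the community repository rule"
    description = "Shows how #-counts in the condition relate to placeholders bound in events"
    severity = "LOW"

  events:
    // Only GCP audit events whose gRPC status code is 7 (PERMISSION_DENIED).
    // The vendor_name filter is an assumption of this example.
    $gcp.metadata.vendor_name = "Google Cloud Platform"
    $gcp.security_result.detection_fields["status_code"] = "7"

    // Bind placeholders. In the condition, #placeholder counts the distinct
    // values that placeholder took inside one match window, and #gcp counts
    // the events bound to the $gcp event variable in that window.
    $gcp.principal.user.email_addresses = $principal_email
    $gcp.target.application = $target_application
    $gcp.metadata.product_event_type = $product_event_type

  match:
    // Group denied events per principal over a one hour window (assumed length).
    $principal_email over 1h

  condition:
    // A detection needs more than 5 denied events for the principal in the
    // window, spread over more than one target application and more than one
    // product event type. Dropping these thresholds would let any window with
    // a single denied event fire, which is what the original rule's search
    // returned when run without its condition.
    #gcp > 5 and #target_application > 1 and #product_event_type > 1
}
```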



Hi @David-French, indeed, the missing results were because I naively omitted the condition. :)

Thanks for the confirmation that the warning will go away soon. 


Glad you figured it out, @Lradu!