Hi
I am trying to run a stats command to know the name of alerts triggered under product name "
but its not giving any results , what am i doing wrong here ?
$product_name = $e.metadata.product_name
$product_name = "Office 365 Security and Compliance"
$alert_name = $e.security_result.rule_name
match:
$alert_name
outcome:
$count = count($e.metadata.id)
order:
$alert_name asc
limit:
10
Your syntax is fine, I'd start with troubleshooting the fields you are using in the search, specifically the metadata.product_name and security_result.rule_name and ensure those are the proper fields and values. My O365 data does not include that product name so I can't validate that and searching O365 with re2 gave me no values in that alert field but an event count of all values, so I know your search at the syntax level works.
Your syntax is fine, I'd start with troubleshooting the fields you are using in the search, specifically the metadata.product_name and security_result.rule_name and ensure those are the proper fields and values. My O365 data does not include that product name so I can't validate that and searching O365 with re2 gave me no values in that alert field but an event count of all values, so I know your search at the syntax level works.
@jstoner : Yeah those 2 fields exists, i verified again ,Sharing screenshot for confirmation
Thanks for the samples. The issue appears to be that the UDM field needs to be tied to the value you are filtering on and not a placeholder variable. If you look at my example below, I have the product name tied to the GCP firewall data and then since I am using a placeholder variable, I am also tying that to the field.
$e.metadata.product_name = "GCP Firewall"
$product_name = $e.metadata.product_name
//$product_name = "Office 365 Security and Compliance"
$alert_name = $e.security_result.rule_name
match:
$alert_name
outcome:
$count = count($e.metadata.id)
order:
$alert_name asc
limit:
10
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.