+10Hi
I am trying to run a stats command to know the name of alerts triggered under product name "
but its not giving any results , what am i doing wrong here ?
$product_name = $e.metadata.product_name
$product_name = "Office 365 Security and Compliance"
$alert_name = $e.security_result.rule_name
match:
$alert_name
outcome:
$count = count($e.metadata.id)
order:
$alert_name asc
limit:
10
+22Your syntax is fine, I'd start with troubleshooting the fields you are using in the search, specifically the metadata.product_name and security_result.rule_name and ensure those are the proper fields and values. My O365 data does not include that product name so I can't validate that and searching O365 with re2 gave me no values in that alert field but an event count of all values, so I know your search at the syntax level works.
+10Your syntax is fine, I'd start with troubleshooting the fields you are using in the search, specifically the metadata.product_name and security_result.rule_name and ensure those are the proper fields and values. My O365 data does not include that product name so I can't validate that and searching O365 with re2 gave me no values in that alert field but an event count of all values, so I know your search at the syntax level works.
@jstoner : Yeah those 2 fields exists, i verified again ,Sharing screenshot for confirmation
+22Thanks for the samples. The issue appears to be that the UDM field needs to be tied to the value you are filtering on and not a placeholder variable. If you look at my example below, I have the product name tied to the GCP firewall data and then since I am using a placeholder variable, I am also tying that to the field.
$e.metadata.product_name = "GCP Firewall"
$product_name = $e.metadata.product_name
//$product_name = "Office 365 Security and Compliance"
$alert_name = $e.security_result.rule_name
match:
$alert_name
outcome:
$count = count($e.metadata.id)
order:
$alert_name asc
limit:
10
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.