
I am trying to build a threat hunting query that searches for the presence of IOCs in a reference list within our logs, whether email addresses, IPs, hashes etc.

I can easily answer the question of how many times a particular IOC shows up in the logs by using a stats query. What is proving trickier for me to wrap my head around is answering the question of how many were blocked and allowed within one stats query. I would like to group everything that's not "BLOCK" into "ALLOW", but the enum data type gives me errors when using re.replace with security_result.action. Something like security_result.action_details is not present for every email event log and can also consist of multiple values.

Hello, you can create a placeholder for your "custom action" and define it following your logic: "If it's not explicitly BLOCK, let's consider it as ALLOW" with an `if` statement.
Example query:

// Filter section: restrict to the events you want to bucket
metadata.event_type = "NETWORK_CONNECTION"
// Placeholders carried into the match and outcome sections
$logtype = metadata.log_type
$orig_action = security_result.action
// Anything that is not explicitly BLOCK is bucketed as ALLOW
$custom_action = if(security_result.action != "BLOCK", "ALLOW", "BLOCK")

match:
  $logtype, $custom_action

outcome:
  // distinct events per log type and bucket
  $evt_count = count_distinct(metadata.id)
  // the raw enum values that ended up in each bucket
  $original_action = array_distinct($orig_action)

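As an added example (not code from the question or the reply above), here is the same bucketing rule as a Python script over UDM events exported as JSON, so the two edge cases the question raises, an absent security_result.action enum and several security_result entries per event, can be checked offline before relying on the query. The IOC reference list, the UDM field paths searched per IOC type, and the sample events are all constructed for the example; duplicate metadata.id values are counted once, mirroring count_distinct(metadata.id).

```python
# Added example: re-implements the "not explicitly BLOCK -> ALLOW" rule over
# UDM-style events so blocked vs allowed IOC hits can be tallied offline.

# Constructed reference list, keyed by IOC type (values lower-cased).
IOC_LIST = {
    "email": {"phish@evil.example"},
    "ip": {"203.0.113.7"},
    "hash": {"44d88612fea8a8f36de82e1278abb02f"},
}

# Assumed UDM paths to search per IOC type; extend for your own log sources.
FIELD_PATHS = {
    "email": ["network.email.from", "network.email.to",
              "principal.user.email_addresses", "target.user.email_addresses"],
    "ip": ["principal.ip", "target.ip"],
    "hash": ["target.file.md5", "target.file.sha256"],
}

# Constructed UDM-style events (not real logs).
SAMPLE_EVENTS = [
    {"metadata": {"id": "e1", "log_type": "OFFICE_365", "event_type": "EMAIL_TRANSACTION"},
     "network": {"email": {"from": "phish@evil.example", "to": ["bob@corp.example"]}},
     "security_result": [{"action": ["BLOCK"], "action_details": ["Quarantined"]}]},
    {"metadata": {"id": "e2", "log_type": "OFFICE_365", "event_type": "EMAIL_TRANSACTION"},
     "network": {"email": {"from": "alice@corp.example", "to": ["phish@evil.example"]}},
     "security_result": [{"action": ["ALLOW"], "action_details": ["Delivered", "Junk"]}]},
    # No security_result at all: the enum is absent, so the event lands in ALLOW.
    {"metadata": {"id": "e3", "log_type": "OFFICE_365", "event_type": "EMAIL_TRANSACTION"},
     "principal": {"user": {"email_addresses": ["Phish@Evil.example"]}}},
    # Two security_result entries with different actions.
    {"metadata": {"id": "e4", "log_type": "CS_EDR", "event_type": "NETWORK_CONNECTION"},
     "target": {"ip": ["203.0.113.7"]},
     "security_result": [{"action": ["UNKNOWN_ACTION"]}, {"action": ["BLOCK"]}]},
    {"metadata": {"id": "e5", "log_type": "CS_EDR", "event_type": "FILE_CREATION"},
     "target": {"file": {"md5": "44D88612FEA8A8F36DE82E1278ABB02F"}},
     "security_result": [{"action": ["ALLOW"]}]},
    # IOC-free event: must not appear in the tally.
    {"metadata": {"id": "e6", "log_type": "CS_EDR", "event_type": "NETWORK_CONNECTION"},
     "target": {"ip": ["198.51.100.9"]}, "security_result": [{"action": ["BLOCK"]}]},
]
SAMPLE_EVENTS.append(SAMPLE_EVENTS[3])  # re-ingested duplicate of e4, same metadata.id


def udm_values(event, dotted_path):
    """Every scalar at a dotted UDM path, fanning out through repeated fields
    (lists) at any level, e.g. security_result.action."""
    def walk(node, parts):
        if isinstance(node, list):
            for item in node:
                yield from walk(item, parts)
        elif not parts:
            if node is not None:
                yield node
        elif isinstance(node, dict) and parts[0] in node:
            yield from walk(node[parts[0]], parts[1:])
    return list(walk(event, dotted_path.split(".")))


def custom_action(event):
    """The reply's rule: explicit BLOCK -> "BLOCK"; anything else (ALLOW,
    UNKNOWN_ACTION, or no security_result at all) -> "ALLOW". With several
    security_result entries this script treats any BLOCK as BLOCK (assumption)."""
    return "BLOCK" if "BLOCK" in udm_values(event, "security_result.action") else "ALLOW"


def ioc_hits(event, ioc_list):
    """Set of (ioc_type, value) pairs from the reference list found in the event."""
    hits = set()
    for ioc_type, paths in FIELD_PATHS.items():
        wanted = ioc_list.get(ioc_type, set())
        for path in paths:
            for value in udm_values(event, path):
                if isinstance(value, str) and value.lower() in wanted:
                    hits.add((ioc_type, value.lower()))
    return hits


def tally(events, ioc_list):
    """Like match: $logtype, $custom_action with count_distinct(metadata.id),
    additionally keyed per IOC. Returns
    {(log_type, ioc_type, ioc_value, custom_action): distinct_event_count}."""
    ids_per_key = {}
    for event in events:
        hits = ioc_hits(event, ioc_list)
        if not hits:
            continue
        meta = event.get("metadata", {})
        log_type, action = meta.get("log_type", "UNKNOWN"), custom_action(event)
        for ioc_type, value in hits:
            ids_per_key.setdefault((log_type, ioc_type, value, action), set()).add(meta.get("id"))
    return {key: len(ids) for key, ids in ids_per_key.items()}


def blocked_vs_allowed(counts):
    """Pivot to {(ioc_type, value): {"BLOCK": n, "ALLOW": m}} across all log types."""
    pivot = {}
    for (_log_type, ioc_type, value, action), n in counts.items():
        pivot.setdefault((ioc_type, value), {"BLOCK": 0, "ALLOW": 0})[action] += n
    return pivot


if __name__ == "__main__":
    for ioc, buckets in sorted(blocked_vs_allowed(tally(SAMPLE_EVENTS, IOC_LIST)).items()):
        print(f"{ioc[0]:5} {ioc[1]:36} blocked={buckets['BLOCK']} allowed={buckets['ALLOW']}")
```

One point worth checking before trusting the query on email logs with several security_result entries: this script bucket an event as BLOCK if any entry carries BLOCK, while `security_result.action != "BLOCK"` in the query is evaluated against a repeated field, so confirm on a known event with mixed actions that both agree.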