Solved

Stats Search - Blocked or Allowed?

  • June 10, 2025
  • 1 reply
  • 14 views

donkos

I am trying to build a threat hunting query that searches for the presence of IOCs in a reference list within our logs, whether email addresses, IPs, hashes etc.

I can easily answer the question of how many times a particular IOC shows up in the logs by using a stats query. What is proving trickier for me to wrap my head around is answering the question of how many were blocked and allowed within one stats query - I would like to group everything that's not "BLOCK" into "ALLOW", but the enum data type gives me errors when using re.replace with security_result.action. Something like security_result.action_details is not present for every email event log and can also consist of multiple values.

Best answer by chrisd2

1 reply

chrisd2
  • Bronze 5
  • Answer
  • June 10, 2025

Hello, you can create a placeholder for your "custom action" and define it following your logic: "If it's not explicitly BLOCK, let's consider it as ALLOW" with an `if` statement.
Example query:

```
metadata.event_type = "NETWORK_CONNECTION"
$logtype = metadata.log_type
$orig_action = security_result.action
$custom_action = if(security_result.action != "BLOCK", "ALLOW", "BLOCK")
match:
  $logtype, $custom_action
outcome:
  $evt_count = count_distinct(metadata.id)
  $original_action = array_distinct($orig_action)
```
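Combining the accepted answer's BLOCK/ALLOW placeholder with the original question's reference-list IOC lookup, as an added example that is not from either poster; the reference list name `ioc_ips` and the choice of `target.ip` as the matched IOC field are assumptions:

```yaral
// Added example (not from the thread): IOC reference-list hits, split by blocked vs. everything else.
// `%ioc_ips` is an assumed reference list name; swap `target.ip` for the field your IOC type lives in.
target.ip in %ioc_ips
$ioc = target.ip
$logtype = metadata.log_type
$orig_action = security_result.action
// Anything that is not explicitly BLOCK is folded into ALLOW, as in the accepted answer
$custom_action = if(security_result.action != "BLOCK", "ALLOW", "BLOCK")
match:
  $ioc, $logtype, $custom_action
outcome:
  $evt_count = count_distinct(metadata.id)
  $original_action = array_distinct($orig_action)
  $first_seen = min(metadata.event_timestamp.seconds)
  $last_seen = max(metadata.event_timestamp.seconds)
```

Each result row is one IOC per log source per custom action, so an IOC that appears under both ALLOW and BLOCK shows up as two rows whose `$original_action` lists reveal which raw enum values were folded into ALLOW.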