Hi,
I am trying to make a use-case which triggers when any particular device's log is not seen for a period of time. I tried to leverage the timestamp.get_minute() function, but it won't let me use it in the events section.
Here is the query I used:
$e.metadata.log_type = "WINEVTLOG"
$e.intermediary.hostname = $host
timestamp.get_minute($e.metadata.event_timestamp.seconds) - timestamp.get_minute(timestamp.current_seconds()) > 30
For more info: the query is for Windows events. I want to use match against the $host variable.
Since this is not doable, is there any other way to specifically make a use-case in SIEM for devices not sending logs?
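As an added illustration (not part of the original post, and not Chronicle's or any SIEM's own mechanism), the following Python script shows the logic a "device stopped sending logs" use-case needs: reduce the event stream to a last-seen timestamp per host, then compare every host in an expected inventory against the current time. The inventory is the key piece; a rule that is evaluated per incoming event cannot fire on the absence of events, so the list of hosts that should be reporting has to come from outside the event stream. The events, hostnames, inventory and the "now" reference time are all constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample events (hostname, event timestamp in UTC), standing in for
# the intermediary.hostname / metadata.event_timestamp fields of WINEVTLOG events.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("dc01", "2024-05-01T10:00:00Z"),
    ("dc01", "2024-05-01T10:20:00Z"),
    ("ws-finance-07", "2024-05-01T09:15:00Z"),
    ("ws-finance-07", "2024-05-01T09:40:00Z"),
    ("file-srv-02", "2024-05-01T10:25:00Z"),
]

# Constructed inventory of hosts that are expected to forward Windows event logs.
# "ws-hr-03" is deliberately absent from the events to show the never-seen case.
EXPECTED_HOSTS: List[str] = ["dc01", "ws-finance-07", "file-srv-02", "ws-hr-03"]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen_by_host(events: Iterable[Tuple[str, str]]) -> Dict[str, datetime]:
    """Reduce a stream of events to the most recent event timestamp per host."""
    last_seen: Dict[str, datetime] = {}
    for host, ts in events:
        when = parse_ts(ts)
        if host not in last_seen or when > last_seen[host]:
            last_seen[host] = when
    return last_seen


def silent_hosts(
    last_seen: Dict[str, datetime],
    expected_hosts: Iterable[str],
    now: datetime,
    threshold_minutes: int = 30,
) -> Dict[str, Optional[int]]:
    """Return expected hosts whose logs have been silent for longer than the threshold.

    The value is the number of whole minutes since the host's last event, or
    None for a host in the inventory that has never reported at all.
    """
    threshold = timedelta(minutes=threshold_minutes)
    result: Dict[str, Optional[int]] = {}
    for host in expected_hosts:
        seen = last_seen.get(host)
        if seen is None:
            result[host] = None  # in inventory, no events at all
        elif now - seen > threshold:
            result[host] = int((now - seen).total_seconds() // 60)
    return result


def run_check(now_iso: str = "2024-05-01T10:30:00Z", threshold_minutes: int = 30) -> Dict[str, Optional[int]]:
    """Evaluate the sample data against a constructed reference time."""
    last_seen = last_seen_by_host(SAMPLE_EVENTS)
    return silent_hosts(last_seen, EXPECTED_HOSTS, parse_ts(now_iso), threshold_minutes)


if __name__ == "__main__":
    for host, minutes in run_check().items():
        detail = "never reported" if minutes is None else f"silent for {minutes} min"
        print(f"{host}: {detail}")
```

In a real deployment the same two steps map onto a scheduled job or dashboard query: an aggregation that takes the latest event time per host over the lookback window, and a join against the asset inventory so hosts with zero events still appear. The threshold should exceed the normal forwarding delay of the log pipeline, otherwise ingestion lag alone will trigger the use-case.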