
Variable in the Meta Section

  • February 4, 2025

New to SecOps and I am creating a detection rule based on MS Defender events. I'd like to set the severity of the detection based on the severity from Defender. Can a variable be used in the meta section?

meta:
  author = "JAB"
  id = "asdfasdfasdf"
  severity = "$Severity"

I created the $Severity variable in the outcomes section. Any ideas or suggestions?

1 reply

rajukg11
Staff
  • February 4, 2025

Unfortunately, this is not possible today. There is a feature request for it already but I don't know when it will be implemented. The only thing you can do today is set a variable (say severity_outcome) in the outcome section and use that in your downstream processing.
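
A single-event rule using the workaround from the reply above, as an added example that is not from the original posts or from any vendor rule set: the `meta` severity stays static and the Defender value travels in `$severity_outcome`. The `vendor_name` and `product_name` filters, the choice of `security_result.severity_details`, the severity strings and the scores are all assumptions; check them against your parsed events.

```yara-l
rule defender_alert_severity_outcome {
  meta:
    author = "example"
    description = "Added example: Defender severity carried as an outcome variable"
    // meta values are fixed strings, so this stays a static default
    severity = "Medium"

  events:
    // Assumed filters; confirm the values against your own Defender events
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_name = /defender/ nocase

    // Assumed field: where your parser stores the Defender severity string
    $e.security_result.severity_details = $defender_severity
    $defender_severity != ""

  outcome:
    // Per-detection severity, copied from the event
    $severity_outcome = $defender_severity

    // Numeric form for sorting or thresholds downstream (scores are constructed)
    $risk_score =
      if($defender_severity = "High", 80, 0) +
      if($defender_severity = "Medium", 50, 0) +
      if($defender_severity = "Low", 20, 0) +
      if($defender_severity = "Informational", 5, 0)

  condition:
    $e
}
```

Downstream consumers should read the severity from the detection's outcome values and treat the `meta` severity as a default only.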