Weird behavior when filtering on a re.capture'd value ?

Question

Hello guys,I’m working on SecOps Audit events for MOC purposes.I wrote a query to identify modifications on Parsers & Extensions.Here’s my query :events:   metadata.log_type = "GCP_CLOUDAUDIT"   target.application = "chronicle.googleapis.com"   // Filter on Parser Mgmt events  metadata.product_event_type = /\.ParserService\./  $action = re.capture(metadata.product_event_type, `ParserService\.(.*)$`)  // Exclude 'Read' events  not $action = "GetParser"  not $action = "ListParsers"  not $action = "ListParserExtensions"  not $action = "GetParserExtension"  $evtid = metadata.id match:  $evtidoutcome:  $timestamp = array(timestamp.get_timestamp(metadata.event_timestamp.seconds, "SECOND", "Europe/Paris"))  $audit_action = array_distinct($action)  $log_type = array_distinct(re.capture(target.resource.name, `logTypes/([^/]+)`))  $actor = array_distinct(principal.user.email_addresses)order:  $timestamp descunselect:  $evtidUnfortunately, my filters to remove ‘Read’ events seem to be not working, these events being included in the stats table...I don’t understand the issue because in the output table I see those exact strings that I’m trying to exclude… Note that when trying to filter out these events via regex (e.g. not $action = /GetParser/) it works as expected. This leads me to think there must be an invisible character or something but it does not make any sense. Any idea on what I may be missing here ?Regards,

chrisd2 · Accepted Answer

OK lmao I found the root cause I think. I had “Case Sensitivity” setting to OFF in the Search Settings just below the query.

Setting it to ON solved the issue, the filtering is working as expected now, and breaks again if I turn OFF case sensitivity again.

So, problem solved, not sure why, I’d fancy having technical details (I don’t see why it causes problems since I used the exact casing in my filters), but problem solved :)

jstoner · Answer

I wish I had a nice crisp answer for you on this but let me throw a few things out there that may be helpful so that you don’t need to toggle that case sensitivity for specific searches.

I replicated what you are talking about (using rule service) and I tried a few different combination of tools to see if I could shake it loose. That said I didn’t have the combinations of parser examples in the instance I tested this on so I focused on equality v inequality but I think the concepts should carry over.

Something like this would work to return values but the downside to this approach is the number of re.captures you need to do for each combination that you want to evaluate so while it works it isn’t ideal.

$action = re.capture(metadata.product_event_type, `RuleService\.(.*)$`)
re.capture(metadata.product_event_type, `RuleService\.(.*)$`) = "UpdateRule"

What I found that works would be to use the strings.to_lower (or upper) for the comparison

  $action = re.capture(metadata.product_event_type, `RuleService\.(.*)$`)
  strings.to_lower($action) = "updaterule"

I am curious what we have going on behind the scenes to cause this behavior but in the near term, the above could (please test and validate) work as a way to get the desired results without the concern of toggling the case sensitivity button.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded