Solved

YARA Help To identify the total low volume dip or increase

  • October 23, 2024

Hi all,

I'm looking for a way to calculate the total log volume for the last 7 days and compare it with the previous 7 days to identify any anomalies in the total log volume ingested into the SIEM.

Any recommendation is much appreciated. 

Thank you in advance.

Best answer by jstoner
4 replies

matthewnichols
Community Manager
  • October 23, 2024

Hi @vivekramrs, check out this previous post: Aggregate functions in metrics. It should help answer your question.

  • Author
  • Bronze 1
  • October 24, 2024

Thank you, @matthewnichols . I will use the logic in the link; it looks similar to what I’m looking for.


  • Author
  • Bronze 1
  • October 24, 2024

Hi @matthewnichols, I tried and got stuck after this. I was able to get the total log count per day, but I wasn't able to get the averages, or to compare one average with another to determine whether the count increases or decreases.

events:
  // match every event (any log type), then bind the log type and the calendar day
  $e.metadata.log_type = /./
  $e.metadata.log_type = $logtype
  timestamp.get_date($e.metadata.event_timestamp.seconds) = $date
match:
  // one result row per day
  $date
outcome:
  // number of events on that day
  $count = count($e.metadata.event_timestamp.seconds)

jstoner
Staff
  • Answer
  • October 24, 2024

We had a recent question about this and arrived at the following as a potential way to address it. We could run the search against 2 weeks to get a total for the 2 weeks, then have a separate column for the most recent week (and day), and then calculate the percentage of the logs in the second week against the total returned.

events:
  // matches every event in the searched window
  metadata.event_type > 0
outcome:
  // total events across the whole searched window (2 weeks)
  $total_events_count = count_distinct(metadata.id)
  // 86400 s = 24 h and 604800 s = 7 days, counted back from now
  $last_24_hrs = sum(if(metadata.event_timestamp.seconds > timestamp.current_seconds() - 86400, 1, 0))
  $last_7_days = sum(if(metadata.event_timestamp.seconds > timestamp.current_seconds() - 604800, 1, 0))
  // share of the searched window that falls in the most recent week
  $last_7_percent_of_total = $last_7_days / $total_events_count
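As an added example, not part of the thread or of Google SecOps itself, here is the post-processing step the author was stuck on: given the per-day counts that the match-by-$date search returns, total the last 7 days and the 7 days before them, compute the week-over-week change, and flag a dip or a spike. The daily counts are constructed sample data and the 25% threshold is an assumed starting point; a day missing from the input counts as zero, so a source that stops sending lowers the total instead of hiding.

```python
from datetime import date, timedelta

# Constructed sample input (not real tenant data): event count per calendar
# day, the shape the per-day search (match: $date / outcome: $count) returns.
# 2024-10-23 is deliberately absent to model a source that went silent.
SAMPLE_DAILY_COUNTS = {
    "2024-10-10": 1_050_000, "2024-10-11": 1_020_000, "2024-10-12": 610_000,
    "2024-10-13": 590_000,   "2024-10-14": 1_080_000, "2024-10-15": 1_040_000,
    "2024-10-16": 1_030_000, "2024-10-17": 990_000,   "2024-10-18": 1_010_000,
    "2024-10-19": 600_000,   "2024-10-20": 580_000,   "2024-10-21": 720_000,
    "2024-10-22": 410_000,
}


def window_total(daily, end, days=7):
    """Sum the counts for the `days` days ending at `end` (inclusive).
    A date with no entry contributes 0 rather than being skipped."""
    return sum(daily.get((end - timedelta(days=i)).isoformat(), 0)
               for i in range(days))


def compare_weeks(daily, as_of_iso, days=7, threshold=0.25):
    """Compare the window ending on as_of_iso (YYYY-MM-DD) with the window
    immediately before it. `threshold` is the fractional change (assumed
    default 0.25 = 25%) at which the result is flagged as a dip or spike."""
    as_of = date.fromisoformat(as_of_iso)
    recent = window_total(daily, as_of, days)
    previous = window_total(daily, as_of - timedelta(days=days), days)
    if previous == 0:
        # Nothing to compare against (new source or empty baseline window).
        return {"recent": recent, "previous": previous,
                "change": None, "verdict": "no_baseline"}
    change = (recent - previous) / previous
    if change <= -threshold:
        verdict = "dip"
    elif change >= threshold:
        verdict = "spike"
    else:
        verdict = "normal"
    return {"recent": recent, "previous": previous,
            "recent_daily_avg": recent / days,
            "previous_daily_avg": previous / days,
            "change": round(change, 4), "verdict": verdict}


if __name__ == "__main__":
    # With the sample data the last 7 days drop ~33% against the prior 7.
    print(compare_weeks(SAMPLE_DAILY_COUNTS, "2024-10-23"))
```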