Today, we are going to start going into statistical functions that can be used in search and rules with Google SecOps. This one will cover mean and mode!
The function for average, called window.avg, accepts two arguments: the numeric field or variable used to calculate the average, and an optional boolean argument that tells it to ignore zero values. If the boolean is omitted, it defaults to false and every value, including zeros, is included in the average.
Mode returns the value that is seen most frequently in the data set. The function window.mode accepts a single argument, the field or variable it evaluates. Unlike average, mode works with string fields as well as numeric fields.
Both functions assume that the data in the rule or search is being aggregated, which means there is a match section, and these functions are used in the outcome section.
Follow along in the video below to see how we can apply these functions to our searches and rules.
window.avg and window.mode provide a way to generate statistical measures by aggregating a dataset to find the average or the most frequently seen values. Remember that average provides an extra boolean argument that controls whether zero-valued fields are included. Also, functions that start with the word window are themselves aggregation functions, so, like max, sum and count, they do not need another aggregation function wrapped around them in the outcome section.
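To show where the two functions sit in a rule, here is an added YARA-L example (not a rule from the post or from Google). It assumes a detection scenario of outbound network connections grouped per host: the match section does the aggregation, and the outcome section computes the average of bytes sent with and without the ignore-zero flag, plus the most common destination port. The UDM field names and the one-hour window are assumptions chosen for illustration.

```yaral
rule added_example_window_avg_mode {
  meta:
    author = "added example, not part of the original post"
    description = "Per-host average bytes sent and most common destination port over a 1h window"
    severity = "LOW"

  events:
    // Assumed scenario: network connection events attributed to a host.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.hostname = $hostname

  match:
    // Aggregation happens here: one detection per hostname per 1h window,
    // which is what makes the window.* functions usable in outcome.
    $hostname over 1h

  outcome:
    // window.avg takes the numeric field plus the optional boolean.
    // true -> connections that sent 0 bytes are left out of the average.
    $avg_sent_bytes_nonzero = window.avg($e.network.sent_bytes, true)
    // Omitting the flag (defaults to false) keeps zero-byte connections in.
    $avg_sent_bytes_all = window.avg($e.network.sent_bytes)
    // window.mode works on numeric or string fields; here the most frequent port.
    $most_common_port = window.mode($e.target.port)
    // window.* functions are already aggregations, so they are not wrapped in
    // another one; count() is shown alongside for comparison.
    $event_count = count($e.metadata.id)

  condition:
    $e
}
```

When the two averages differ for a host, the gap is the share of zero-byte connections in that window, which is the practical reason for the boolean argument: a host with many empty connections looks very different depending on whether those zeros count.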
Check out these additional resources with more information and learning opportunities:
- New to Google SecOps blog series
- Google SecOps Learning Path on Google Cloud Skills Boost
- Google SecOps documentation
- Google Cloud Security Community Events