Unable to find MAC addresses' entity.asset.first_seen_time
I'm trying to get a first_seen_time for MAC address assets in a rule, but finding that a majority of the derived_context asset entities have entity.asset.first_seen_time set as 1 second after epoch. Motivation being to create a rule similar to the one in John Stoner's blog here, except using mac instead of hostname.

Using something like this to just look at MAC assets' entity info:

```
rule testing_first_seen_mac {
  meta:
    description = "test"
  events:
    $connection.metadata.event_type = "NETWORK_CONNECTION"
    $connection.principal.mac = $mac
    $entity.graph.metadata.source_type = "DERIVED_CONTEXT"
    $entity.graph.entity.asset.mac = $mac
  match:
    $mac over 24h
  outcome:
    $entity_first_seen = array_distinct($entity.graph.entity.asset.first_seen_time.seconds)
  condition:
    $connection and $entity
}
```

Nearly all of the mac assets I look at have entity information identical to below:

```
metadata.collected_timestamp: "1970-01-01T00:00:01Z"
metadata.entity_type: "ASSET"
metadata.interval.start_time: "1970-01-01T00:00:01Z"
metadata.interval.end_time: "9999-12-31T00:00:00Z"
metadata.source_type: "DERIVED_CONTEXT"
entity.mac[0]: "xx:xx:xx:xx:xx:xx"
entity.asset.mac[0]: "xx:xx:xx:xx:xx:xx"
entity.asset.first_seen_time: "1970-01-01T00:00:01Z"
```

I have seen a few rare occasions where it actually has a real date, but most of the time it looks like the above. Same results across multiple tenants.

Documentation here makes it sound like entities describing assets such as a MAC address should have first_seen_time populated. Am I looking at the wrong place or is there a reason for this almost always being inaccurate?
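An added check, not part of the post above and not Google SecOps code, showing how a consumer of these entity records can treat the epoch-adjacent first_seen_time as a missing value instead of a real observation, so a "newly seen asset" detection does not fire on the placeholder. Field names follow the dump in the post; the sample records, the one-day placeholder window and the seven-day "new" window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Any first_seen_time this close to the epoch is treated as a placeholder, not an observation
# (the post shows "1970-01-01T00:00:01Z" on most DERIVED_CONTEXT assets). Constructed threshold.
PLACEHOLDER_WINDOW = timedelta(days=1)

# Constructed sample records in the flattened key: value shape shown in the post (not real tenant data).
SAMPLE_ENTITIES = [
    {"metadata.source_type": "DERIVED_CONTEXT", "entity.asset.mac[0]": "aa:bb:cc:00:00:01",
     "entity.asset.first_seen_time": "1970-01-01T00:00:01Z"},
    {"metadata.source_type": "DERIVED_CONTEXT", "entity.asset.mac[0]": "aa:bb:cc:00:00:02",
     "entity.asset.first_seen_time": "2024-05-20T08:15:00Z"},
    {"metadata.source_type": "DERIVED_CONTEXT", "entity.asset.mac[0]": "aa:bb:cc:00:00:03",
     "entity.asset.first_seen_time": "2023-01-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse the RFC 3339 'Z' timestamps used in the entity dump into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def real_first_seen(entity):
    """Return first_seen_time as a datetime, or None when it is absent or is the epoch placeholder."""
    raw = entity.get("entity.asset.first_seen_time")
    if raw is None:
        return None
    seen = parse_ts(raw)
    if seen - UNIX_EPOCH <= PLACEHOLDER_WINDOW:
        return None
    return seen


def classify_asset(entity, event_time, new_window=timedelta(days=7)):
    """'unknown' when first_seen is a placeholder, 'new' when first seen within new_window
    of the event, else 'known'. A rule keyed on first_seen_time should alert only on 'new'."""
    seen = real_first_seen(entity)
    if seen is None:
        return "unknown"
    return "new" if event_time - seen <= new_window else "known"


def placeholder_ratio(entities):
    """Fraction of records carrying the placeholder: a quick measure of how usable the field is."""
    if not entities:
        return 0.0
    return sum(1 for e in entities if real_first_seen(e) is None) / len(entities)
```

Running `placeholder_ratio` over a sample of DERIVED_CONTEXT asset entities pulled from a tenant gives a number to put next to the "majority" observation in the post.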
Reference Lists and Visualizations
Hello,

Does anyone know if the functionality exists to incorporate a reference list into a dashboard visualization? Specifically for a UDM Events visualization?

If that is not currently possible, does anyone know if it is on a future roadmap?
Want to Modernize Your Security Operations? Don't Miss This Webinar! 🚀
Ready to embrace the power of Detection-as-Code and take your SecOps to the next level?
Join David French and the Google SecOps (formerly known as Chronicle) team on May 29th at 9 AM PST for our Security Spotlight: "Modernizing SecOps with Detection-as-Code and Chronicle."
Register now and secure your spot!
Get a head start by diving into our two-part blog series on Getting Started with Detection-as-Code and Chronicle Security Operations:
Part 1: Getting Started with Detection-as-Code and Chronicle Security Operations (Part 1 of 2)
Part 2: Getting Started with Detection-as-Code and Chronicle Security Operations (Part 2 of 2)
In the webinar, you'll discover:
The fundamentals of Detection-as-Code and its key benefits
How to manage detection rules using Chronicle's REST API, code, and CI/CD tools
Real-world strategies for implementing Detection-as-Code in your organization
Am using the latest version of EVE-NG Community edition. I have added Fortigate's ISO and fixed permissions without errors, but when I try to start the Fortigate object nothing happens. How could I solve this issue?
What is the utility of a group function in YARA-L?
I am reaching out in relation to the group function: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#group

Now I understand what it says:

> Group fields of a similar type into a placeholder variable.

But I am unable to visualize it. Does the `$ip` group variable contain all the unique IP addresses found across `principal.ip`, `about.ip`, and `target.ip`? If yes, then why do we need the `match` section? Isn't match like a GROUP BY in SQL?

Also, why do we need a group() function? Can't a match section just suffice?

Could you please help me connect the dots. Thank you.
Dear All,

Could anyone please point me to documentation on how to use the "BindPlane OpenTelemetry collector" for syslog collection, and on how to collect metric logs with the collector?

Thanks,