About chrisd2

chrisd2 · 05-20-2025

Hello everyone,I have setup a Windows log collection via the Bindplane agent, everything is working fine. I just have one small issue with the logs : rawlog format is XML, it contains a key "RenderingInfo", that is useless and very verbose & that I w...

chrisd2 · 04-09-2025

Hello guys,I'm trying to use the AS a given public IP is part of in the detection logic of a rule.I can see the metadata in the "Overview" results of the UDM search for a public IP (see entity.artifact.network.asn) :Issue :In my rule I'm trying to us...

chrisd2 · 01-15-2025

Hello guys,I noticed that for some API endpoints, the URL path is : https://chronicle.googleapis.com/v1alpha/{api_version}/projects/{project_id}/locations/{region}/instances/{instance} (instances.get), but I could not figure out what the api_version ...

chrisd2 · 11-06-2024

Hello everyone,I wrote a parser extension ("code" mode) for a log_type in order to add a couple fields that were not handled by the default parser.I mapped a couple raw fields to UDM fields under security_result in the parser ext.Problem: I noticed t...

chrisd2 · 09-26-2024

Hello guys,Context :I'm working on some custom parsers for some logs that cannot be made native-SecOps-parsers-compliant. Once the parser is done, I need to validate it against a large number of logs. In order to do so, I export a few tens of thousan...

chrisd2

But honestly this is a dirty workaround, uses more resources than needed to compensate for the current lack of functionality 

chrisd2

Hello, I had a similar UC and could not find any solution. From my understanding, everything starts by the logs, so no logs = no results = no stats row.I found a workaround though, which is to look for larger duration in the logs and perform your agg...

chrisd2

Hello, you can create a placeholder for your "custom action" and define it following your logic : "If it's not explicitly BLOCK, let's consider it as ALLOW" with a `if`statement.Example query :metadata.event_type = "NETWORK_CONNECTION" $logtype = met...

chrisd2

You could even use a DataTable with 2 columns, one for your exact email addresses (typed as STRING) and one for your email patterns (typed as REGEX) so you have all your reference data at the same place !And then use it in your query :metadata.event_...

chrisd2

Hello, you could use a second Reference List, typed as 'regex' instead of string, and update your query to look for results matching (string) your first RefList OR matching (regex) your sedond RefList :( $email in %SAE_string_Test_List or $email in r...

My Stats

chrisd2's Bio

Badges chrisd2 Earned

Recent Activity

Bindplane agent & Windows logs : Removal of a specific XML element via processors

IP_ADDRESS entity metadata (AS / ASN)

Mysterious URL parameter in some v1alpha API endpoints path

Repeated fields overwritten in parser extension (code)

Gone missing : my logs

Re: Stats query using a regex reference list

Re: Stats query using a regex reference list

Re: Stats Search - Blocked or Allowed?

Re: Stats query using a regex reference list

Re: Stats query using a regex reference list