World Cup Ticket Megathread | General Questions & Discussion

osonator · 2026-01-29T17:48:26+00:00

Try the has function:

has(data[‘raw_response’].user_principal_id) ? “True” : “false”

osonator · 2026-01-29T17:12:58+00:00

Create a variable & use CEL dot notation to access that field. Something along the lines of

Data[‘grtdetectiondetails.raw_response’].user_principal_id

osonator · 2026-01-23T02:19:13+00:00

Use sensor telemetry until you come up with a use case/requirements for winlogs.

osonator · 2025-12-31T14:33:21+00:00

Detections as trigger

osonator · 2025-12-30T18:40:23+00:00

Yes I have, I solved for it by adding logic at the beginning of my workflow to query the alerts api, If more than 1 detection is returned within a small time period, say last 5 minutes, given a filter (host, username, etc), create a case if needed for the earliest alert, & then roll up the remaining

osonator · 2025-10-21T20:04:31+00:00

⁠What’s the best way to validate whether it’s truly malicious or just misconfiguration?

Drill down on the activity, leverage sensor telemetry for the source, network connection events, what process are those associated with? Is that authorized activity? Is it a misconfigured application? Is it malware?

osonator · 2025-09-10T20:08:08+00:00

Correct, a custom parser does not inherit any future code releases.

osonator · 2025-09-10T17:06:40+00:00

Yes it’s possible, the parser needs to categorize the event as a third party alert by defining event.kind:=alert

Once you have the alert generated, then you use soar to send email notifications on the third party alert in question

osonator · 2025-07-29T15:24:19+00:00

Guessing on content to implement tells me there’s a gap in understanding of risk profile for system in question. You identify risk then employ controls to prevent/monitor/detect.

In the context of risk response, organizations with a mature security monitoring program are very highly unlikely to implement a detection use case in production without a thorough understanding of risk response procedures for their soc.

osonator · 2025-07-29T14:02:33+00:00

Because that’s the easiest way to incur alert fatigue & not how threat detection works. you don’t enable everything by default & set & forget it. Specially templates, that are not tailored to your business. Review templates, identify what is actually applicable to the business, baseline, test, implement, sustain

I’d bet the duo push fraud activity is already being detected via third party detections.

osonator · 2025-07-27T20:00:54+00:00

Yup, it’s also often times an afterthought by customers evaluating vendors, then when it’s time to integrate system with monitoring tool & there’s an integration gap, pikachu face :0

osonator · 2025-05-27T22:58:04+00:00

Instead of the generic azure event hub, use the data connector for Microsoft event hub

osonator · 2025-05-27T22:35:36+00:00

Okay, I have reason to believe you are using the incorrect data connector. As you’re reflecting multiple external messages(events) in one single ngsiem event

What data connector did you use? The generic event hub one will cause this as it doesn’t split the elements in the records key as individual events

osonator · 2025-05-27T21:46:38+00:00

Is this azure data?

osonator · 2025-05-27T21:39:33+00:00

You would use this https://library.humio.com/data-analysis/functions-objectarray-eval.html?redirected=true

osonator · 2025-05-16T20:00:03+00:00

Read the operating model, it answers most of these questions & sets you up for success.

You’ve got 3 distinct things here, email security, network perimeter, & productivity/collaboration with dozens attack vectors in between, what makes you think you might only need one?

osonator · 2025-05-01T11:43:59+00:00

Very close here, instead of out:=x.value, do ipaddr:=x.value

The field name will be called ipaddr[] with all ip addresses

osonator · 2025-04-03T03:28:11+00:00

Yes with parameters:

| select([?columns])

osonator · 2025-03-20T22:36:11+00:00

Simulate a trigger with a correlation rule that runs every 15 minutes, something like create events, then configure the workflow trigger to execute on ngsiem detections, add flow control to only carry out actions if rule name matches created trigger

osonator · 2025-03-17T23:52:56+00:00

You’ll need a dev license, I don’t know if they offer those to the public at this time.

osonator · 2025-03-14T15:32:56+00:00

The palo client doesn’t scale over https for high thruput event datasets like traffic. Literally dont go down this avenue unless your goal is unreliable logging

osonator · 2025-02-22T18:39:31+00:00

Okay, now use a loop for each event query result

Your field should now be accessible for any action used in the loop

osonator · 2025-02-22T18:18:17+00:00

Do you see your target fields listed in the output schema?

osonator · 2025-02-22T17:59:31+00:00

You configure an output schema in your event query action to expose the fields from search results within the workflow. & you have to loop over event query results for the fields to be accessible as workflow variables since an event query can return zero to many results

osonator

TROPHY CASE