
Calculate Next-Gen SIEM Ingestion Total

Calculates total NG-SIEM ingest per Vendor (connector)

Networkmonitoring
FDR intermediatepor AAuraa (cql-hub.com) 1 min read

Query

// Exclude EDR logs, since these are in-platform and don't count against NG-SIEM ingest
#Vendor != "crowdstrike"

// Add up our fields that are counted for ingest (not 100% accurate, but very close to it)
| total_event := concat([@timestamp, @rawstring, #event.dataset, #event.module])
| length(field=total_event, as=event_size)

// Get our results by Vendor and translate to MB and GB
| groupBy([#Vendor], function=[sum(event_size, as=SizeBytes)], limit=max)
| SizeMB:=unit:convert("SizeBytes", binary=true, from=B, to=M, keepUnit=true)
| SizeGB:=unit:convert("SizeBytes", binary=true, from=B, to=G, keepUnit=true)

// Sort
| sort(SizeBytes, limit=200)

// Total for all vendors (uncomment for this)
//| sum(SizeBytes, as=SizeBytes)
//| SizeMB:=unit:convert("SizeBytes", binary=true, from=B, to=M, keepUnit=true)
//| SizeGB:=unit:convert("SizeBytes", binary=true, from=B, to=G, keepUnit=true)

Explanation

Imported from cql-hub.com. Pipe by pipe: the #Vendor != "crowdstrike" filter drops Falcon EDR events, which are stored in-platform and are not counted against NG-SIEM ingest. concat() joins the fields that are counted toward ingest (@timestamp, @rawstring, #event.dataset, #event.module) and length() measures the joined string per event, which the author notes is not 100% accurate but very close to the billed size. groupBy(#Vendor) sums those per-event sizes per connector into SizeBytes, and the two unit:convert(binary=true) lines add MB and GB columns using 1024-based units. sort(SizeBytes, limit=200) orders the vendors by size, largest first. The commented-out lines at the end replace the per-vendor breakdown with a single total across all vendors; uncomment them when you want that figure instead.
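To check what the query above actually counts, here is an added Python replica (not code from cql-hub.com or the query's author) that applies the same rules to a few constructed events: skip #Vendor == "crowdstrike", sum the string lengths of the four concatenated fields per vendor, and convert with the same 1024-based factors as unit:convert(binary=true). It assumes exported events are dicts keyed by the LogScale field names and that @timestamp is an epoch-millisecond number.

```python
"""Offline replica of the NG-SIEM ingest estimate (assumed: #Vendor, @timestamp,
@rawstring, #event.dataset and #event.module are keys of exported event dicts)."""
from collections import defaultdict

# Fields the query concatenates before taking length(), same order as the CQL.
COUNTED_FIELDS = ("@timestamp", "@rawstring", "#event.dataset", "#event.module")
EXCLUDED_VENDOR = "crowdstrike"  # in-platform EDR data, not counted against NG-SIEM ingest


def event_size(event: dict) -> int:
    """concat([...]) | length(): each present field adds its string length, absent adds 0."""
    return sum(len(str(event[f])) for f in COUNTED_FIELDS if f in event)


def ingest_by_vendor(events: list) -> dict:
    """#Vendor != "crowdstrike" | groupBy(#Vendor, sum(event_size)) | sort(SizeBytes) desc."""
    totals = defaultdict(int)
    for ev in events:
        vendor = ev.get("#Vendor")
        if vendor is None or vendor == EXCLUDED_VENDOR:  # groupBy() drops events lacking #Vendor
            continue
        totals[vendor] += event_size(ev)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def to_binary_units(size_bytes: int) -> dict:
    """unit:convert(binary=true): 1 M = 1024**2 bytes, 1 G = 1024**3 bytes."""
    return {"SizeBytes": size_bytes,
            "SizeMB": round(size_bytes / 1024 ** 2, 4),
            "SizeGB": round(size_bytes / 1024 ** 3, 6)}


def total_ingest(events: list) -> int:
    """The commented-out grand total: sum(SizeBytes) across all non-excluded vendors."""
    return sum(ingest_by_vendor(events).values())


# Constructed sample events (not real telemetry); @timestamp is epoch milliseconds (13 chars).
SAMPLE_EVENTS = [
    {"#Vendor": "crowdstrike", "@timestamp": 1704067200000, "@rawstring": "x" * 5000,
     "#event.dataset": "crowdstrike.fdr", "#event.module": "crowdstrike"},   # excluded
    {"#Vendor": "paloalto", "@timestamp": 1704067200000, "@rawstring": "a" * 1000,
     "#event.dataset": "panw.panos", "#event.module": "panw"},               # 13+1000+10+4
    {"#Vendor": "paloalto", "@timestamp": 1704067200001, "@rawstring": "b" * 500,
     "#event.dataset": "panw.panos", "#event.module": "panw"},               # 13+500+10+4
    {"#Vendor": "okta", "@timestamp": 1704067200002, "@rawstring": "c" * 2000,
     "#event.dataset": "okta.system"},                                       # 13+2000+11, no module
]

if __name__ == "__main__":
    for vendor, size in ingest_by_vendor(SAMPLE_EVENTS).items():
        print(vendor, to_binary_units(size))
    print("total", to_binary_units(total_ingest(SAMPLE_EVENTS)))
```

Point ingest_by_vendor() at a real export of events to compare the estimate with what the platform reports for the same window.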

Variables to adjust

Review and adjust the values for your environment.