window.most_common_strings

Supported in:
window.most_common_strings(strings, how_many_to_retrieve)

Description

Returns the specified number of most common strings in the input values.

Param data types

STRING, INT

Return type

ARRAY_STRINGS

Code samples

Example 1

This example shows the top two most common hostnames in five minutes.

// This rule creates a detection when the most common hostname in 5 minutes for a user matches.
events:
 $e.user.userid = $userid
match:
 $userid over 5m
outcome:
  $p1 = window.most_common_strings($e.principal.hostname, 1) // yields ["pear"] if the event hostname values in the match window are ["apple", "apple", "pear", "pear", "pear", "banana"].
condition:
  $e and arrays.contains($p1, "apple")

Example 2

This example shows the case where the requested count (the second argument) is larger than the number of distinct values in the match window; every distinct value is returned, most common first.

events:
 $e.user.userid = $userid
match:
 $userid over 5m
outcome:
  $p1 = window.most_common_strings($e.principal.hostname, 100) // yields ["pear", "apple", "banana"] if the event hostname values in the match window are ["apple", "apple", "pear", "pear", "pear", "banana"].
condition:
  $e and arrays.contains($p1, "apple")

Example 3

This example shows that default values are not ignored, so most of the time the top value will be 0 (adjust the second argument accordingly).

events:
 $e.user.userid = $userid
match:
 $userid over 5m
outcome:
  $p1 = window.most_common_strings($e.principal.hostname, 1) // yields [""] if the event hostname values in the match window are ["", "", NULL, "banana"].
condition:
  $e and arrays.contains($p1, "apple")
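The three examples above all depend on the same counting rule: each hostname value in the match window is counted, empty default values count like any other string, and up to `how_many_to_retrieve` values come back in descending order of frequency. The following Python model of that behaviour is an added example, not Chronicle's implementation and not code from this page; it reproduces the page's three sample windows so the results can be checked against the comments in the rules. Treating `NULL` as a missing field that is skipped, and resolving ties in first-seen order, are assumptions of this model that the page does not state. The `most_common_nonempty` variant filters out the empty default value before counting, which is an alternative to the page's suggestion of increasing the second argument.

```python
from collections import Counter
from typing import Iterable, List, Optional


def most_common_strings(values: Iterable[Optional[str]], how_many: int) -> List[str]:
    """Model of window.most_common_strings(strings, how_many_to_retrieve).

    Counts every string in the match window and returns up to `how_many`
    values, most frequent first.  The empty string is an ordinary value and
    is NOT ignored (Example 3 on the page).  None models a NULL field and is
    skipped; that is an assumption of this model, not something the page says.
    """
    if how_many <= 0:
        return []
    counts = Counter(v for v in values if v is not None)
    # Counter.most_common orders by descending count; ties keep first-seen
    # order (assumption: the page does not specify tie-breaking).
    return [value for value, _count in counts.most_common(how_many)]


def most_common_nonempty(values: Iterable[Optional[str]], how_many: int) -> List[str]:
    """Variant that drops empty default values before counting.

    This is an alternative to the page's advice of raising the second
    argument so the real top value still fits into the returned array.
    """
    return most_common_strings([v for v in values if v], how_many)


def detection_fires(top_values: List[str], wanted: str) -> bool:
    """Mirror of the rules' condition `arrays.contains($p1, "apple")`."""
    return wanted in top_values


# Constructed sample windows, copied from the comments in the page's rules.
WINDOW = ["apple", "apple", "pear", "pear", "pear", "banana"]
WINDOW_WITH_DEFAULTS = ["", "", None, "banana"]


if __name__ == "__main__":
    print(most_common_strings(WINDOW, 1))              # ['pear']          (Example 1)
    print(most_common_strings(WINDOW, 100))            # ['pear', 'apple', 'banana'] (Example 2)
    print(most_common_strings(WINDOW_WITH_DEFAULTS, 1))  # ['']            (Example 3)
    print(most_common_nonempty(WINDOW_WITH_DEFAULTS, 1))  # ['banana']
```

Note that with the sample window from Example 1, `detection_fires(most_common_strings(WINDOW, 1), "apple")` is false because only `pear` is returned, while the Example 2 call with a count of 100 returns all three hostnames and the same condition becomes true; the second argument therefore changes not just how much is returned but whether the rule detects at all.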