Can I rename keys using Select() and Groupby() or Calculate() ?
select("source_json.TargetUserOrGroupName" as "External Email") where("service" = "o365" and "source_json.Operation" = "AddedToSharingLink" and "source_json.TargetUserOrGroupName" NOT ICONTAINS-ANY ["mydomain.com"]) groupby("External Email")
You can use select and “as” to rename the keys but it appears those aliases are applied after the query is run and are unusable within the query itself (such as with the where() function). According to official Rapid7 documentation, the select function “is not supported with the groupby() clause or the calculate() function”. For more information, see here: Components for Building a Query | InsightIDR Documentation
You may be able to leverage regex field extraction with a named capture group.
I believe you can then use those capture group names within your groupby. Unsure how it interacts with Select and Calculate.
I suppose you could also set up a custom parsing rule if you wanted this to happen going forward as well - you would have two identical values for a key, but one would have the name of your capture group, so you could set that capture group to be called 'ExternalEmail' and in the future it would show up in your logs like a normal K/V pair.
Some info from R7 docs that might help. I’m not sure if this works as I describe so YMMV.
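As an added example (not from the thread and not from Rapid7's documentation), here is the regex field extraction approach from the replies applied to the original query. It keeps the original keyword filters and adds a regex condition whose named capture group becomes the key used by groupby(). Two things are assumptions to verify against your own events: that the raw O365 event contains the literal text `"TargetUserOrGroupName":"<value>"`, and that a regex condition can be combined with keyword conditions inside a single where() clause.

```leql
where(
  "service" = "o365"
  AND "source_json.Operation" = "AddedToSharingLink"
  AND "source_json.TargetUserOrGroupName" NOT ICONTAINS-ANY ["mydomain.com"]
  AND /"TargetUserOrGroupName":"(?P<ExternalEmail>[^"]+)"/
)
groupby(ExternalEmail)
```

The `(?P<ExternalEmail>...)` group names the extracted value, so `ExternalEmail` is available to groupby() without a select() alias; the NOT ICONTAINS-ANY filter still runs against the original parsed key, since the alias does not exist at filter time.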