Unique values in MQL

Hi,

Is there a way to count hits on ONLY unique values when searching in Helix?
Will be used for creating rules such as password spraying.

Hey there! Helix does not currently have a “count” function in MQL, but you might be able to use a “groupby” widget in a dashboard or the standard groupby widget on the left-hand side of the search screen.

Thanks!

Hi Nicole,

Thanks for the reply.
Sorry if I wasn’t descriptive enough in the preceding message.

My problem arises when I try to make rules and want to exclude hits on already observed values by the distinguisher.

To give an example of what I am trying to achieve, let’s imagine we observe five failed logins from the same host against the users “admin”, “admin”, “root”, “admin”, “dbuser”. The logic here should sort only on the unique hits and would therefore end up having only three hits observed on the users “admin”, “root” and “dbuser”, as user “admin” is reoccurring.

Is this possible?

I just wanted to follow up that I reached out to our team but haven’t gotten a response yet; hopefully I can get you one soon!

Hi Nicole,

Thanks for the follow up.
Will await the response from your team 🙂

Hi Nicole,

Any news from the team regarding this?

Best,
Julius

Hey Julius,

The response I got was that this requires a two-rule solution where one rule (specific user account failures) is dependent on another rule (general failed logins).

I hope that helps, thanks for your patience.
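
The distinct-count logic asked about in this thread, as an added example that is not part of the original posts and is not Helix or MQL code: it counts unique target users per source host inside a sliding window, so repeated failures against the same account are not counted twice. The event layout, the 5-minute window and the threshold of 3 are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real Helix data):
# (ISO timestamp, source host, target user) for failed logins.
EVENTS = [
    ("2024-01-01T10:00:00", "10.0.0.5", "admin"),
    ("2024-01-01T10:00:10", "10.0.0.5", "admin"),
    ("2024-01-01T10:00:20", "10.0.0.5", "root"),
    ("2024-01-01T10:00:30", "10.0.0.5", "admin"),
    ("2024-01-01T10:00:40", "10.0.0.5", "dbuser"),
    # One account hammered repeatedly: many hits, one unique user.
    ("2024-01-01T10:01:00", "10.0.0.9", "alice"),
    ("2024-01-01T10:01:05", "10.0.0.9", "alice"),
    ("2024-01-01T10:01:10", "10.0.0.9", "alice"),
    ("2024-01-01T10:01:15", "10.0.0.9", "alice"),
    # Three unique users, but hours apart: never together in one window.
    ("2024-01-01T08:00:00", "10.0.0.7", "usera"),
    ("2024-01-01T09:00:00", "10.0.0.7", "userb"),
    ("2024-01-01T10:00:00", "10.0.0.7", "userc"),
]

def distinct_users_per_source(events, window=timedelta(minutes=5)):
    """Return {source: peak count of unique users failing within one window}."""
    recent = defaultdict(deque)  # source -> (timestamp, user) pairs still in window
    peak = defaultdict(int)
    for ts_str, src, user in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_str)
        q = recent[src]
        q.append((ts, user))
        # Drop events that have aged out of the window for this source.
        while ts - q[0][0] > window:
            q.popleft()
        # A set collapses repeated users, so "admin" x3 counts once.
        peak[src] = max(peak[src], len({u for _, u in q}))
    return dict(peak)

def spray_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Sources whose unique-user count reaches the threshold within the window."""
    counts = distinct_users_per_source(events, window)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(distinct_users_per_source(EVENTS))
    print(spray_alerts(EVENTS))
```
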