Getting to Know Google SecOps: Statistical Functions: Median

Today, we're going to cover another statistical function, window.median, that can be used in search and rules with Google SecOps.

[Figure: Statistical Functions - Median]

The median is calculated by taking all the values in a dataset, ordering them from least to greatest, and finding the value in the middle of the result set. In the example above, we have a sample set of 5, so the middle would be the third value in the dataset. Despite the average being 2.8, the third value is 2, so the median value is 2. If there is an even number of values in the sample set, Google SecOps will choose one of the two middle values non-deterministically.

window.median requires two arguments: the numeric field or variable that is used to calculate the median, and a boolean argument to ignore zero values. This function assumes that the data in the rule or search is being aggregated, which means that there is a match section and this function will be used in the outcome section.

Follow along in the video below to see how we can apply this function in our searches and rules. 

Remember, the window.median function is very straightforward, but it does require two arguments: the field/variable that is being calculated, and a true or false to denote whether zero values should be factored into the median calculation. True will ignore zero values; false will include zero values. Finally, functions starting with the word window are viewed as aggregation functions, so additional aggregation functions prepended to it in the outcome section are not needed.
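The pieces described above, put together in one rule. This is an added example, not taken from the post or its video; the choice of UDM fields (outbound bytes per hostname), the one-hour window and the 1000000-byte threshold are assumptions chosen for illustration.

```yara-l
rule median_sent_bytes_per_host_example {
  meta:
    author = "added example"
    description = "Median outbound bytes per host over a one-hour window"
    severity = "Low"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.hostname = $hostname
    $hostname != ""

  match:
    // The match section makes this an aggregated rule:
    // one result per hostname per one-hour window.
    $hostname over 1h

  outcome:
    // Second argument true: zero-byte connections are ignored, so a host
    // with many empty connections is not pulled toward a median of 0.
    $median_sent_bytes = window.median($e.network.sent_bytes, true)

    // Second argument false: zero values are included in the calculation.
    $median_sent_bytes_with_zeros = window.median($e.network.sent_bytes, false)

    // window.median is already an aggregation, so it is not wrapped in
    // max(), sum() or similar. Ordinary aggregations can sit beside it.
    $max_sent_bytes = max($e.network.sent_bytes)
    $event_count = count_distinct($e.metadata.id)

  condition:
    // Assumed threshold: the typical connection from this host is large,
    // not just a single outlier.
    $e and $median_sent_bytes > 1000000
}
```

Because a window with an even number of events returns one of the two middle values non-deterministically, a threshold that sits between those two values can fire on one evaluation of the same data and not on another.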

