
Hi 

I would like to know if I can use the last seen metric of a user in a YARA rule. If yes, while I am using it I am not seeing the result.

My YARA rule is this:

rule Inactive_Account {
  meta:
    author = "Rahul"
    description = "Discovers previously inactive accounts."
    severity = "Medium"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.vendor_name = "Microsoft"
    $login.metadata.product_event_type = "4624"
    $login.target.user.userid != /.*\\$/ nocase
    $login.target.user.userid = $user

    $entity.graph.metadata.entity_type = "USER"
    $entity.graph.entity.user.userid = $user
    $entity.graph.metric.last_seen.seconds = $secondlastseen

  match:
    $user over 24h

  condition:
    $login and $entity
}

Yes, it can, as John Stoner shows here in his New to Chronicle blog. I'm not certain, but maybe it's last_seen_time.seconds instead of last_seen.seconds? I am pretty certain it's just a small syntax error, though, or maybe a missing line?


The last_seen_time field is not available for the USER entity type...

Based on the doc:

"The first_seen_time and last_seen_time fields are populated with entities that describe a domain, IP address, and file (hash). For entities that describe a user or asset, only the first_seen_time field is populated. These values are not calculated for entities that describe other types, such as a group or resource."
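Since the doc says first_seen_time is the metric that is populated for user entities, here is an added example rule (not from the original post, and not Google's own) that keeps the same USER_LOGIN to USER entity join but reads first_seen_time and surfaces the account's age at login as an outcome variable. It assumes YARA-L 2.0 syntax, that outcome aggregations accept an arithmetic expression, and that metadata.id and metadata.event_timestamp are populated on the login events.

```yara
rule User_Login_Account_Age {
  meta:
    author = "example"
    description = "Added example: join Windows logon events to the USER entity and report the account age in seconds using first_seen_time, which the docs state is populated for user entities (unlike last_seen_time)."
    severity = "Low"

  events:
    // Interactive/network logon events from Windows (event ID 4624).
    $login.metadata.event_type = "USER_LOGIN"
    $login.metadata.vendor_name = "Microsoft"
    $login.metadata.product_event_type = "4624"
    // Skip machine accounts (names ending in $).
    $login.target.user.userid != /.*\\$/ nocase
    $login.target.user.userid = $user

    // Join to the USER entity on the same userid.
    $entity.graph.metadata.entity_type = "USER"
    $entity.graph.entity.user.userid = $user

  match:
    $user over 24h

  outcome:
    // first_seen_time is the metric the docs say is populated for USER entities.
    $first_seen_seconds = max($entity.graph.metric.first_seen_time.seconds)
    // Assumed: arithmetic inside an outcome aggregation; yields seconds between
    // the entity's first sighting and the most recent logon in the window.
    $account_age_seconds = max($login.metadata.event_timestamp.seconds - $entity.graph.metric.first_seen_time.seconds)
    $login_count = count($login.metadata.id)

  condition:
    $login and $entity
}
```

The first_seen_time value is the earliest sighting of the entity, so this rule can flag very new accounts but cannot, on its own, flag accounts that were dormant and then resumed; that needs a last-activity signal the USER entity metric does not carry.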