
Hi there,

A bit of context: I'm trying to develop a pySigma backend and pipelines for chronicle, so we can fully utilize the treasure trove of use cases that is Sigma

Chronicle enforces Conjunctive Normal Form (CNF) for UDM queries:
You cannot use A OR (B AND C) in conjunctive normal form, but you can use (A OR B) AND (A OR C).
Extrapolating this to a simple sigma query:


title: Test
status: test
logsource:
    category: test_category
    product: test_product
detection:
    sel:
        principal.ip:
            - valueA1
            - valueA2
        principal.user.userid:
            - valueB1
            - valueB2
    condition: sel

Would lead to a CNF representation of

(principal.ip="valueA1" AND principal.user.userid="valueB1") OR (principal.ip="valueA1" AND principal.user.userid="valueB2") OR (principal.ip="valueA2" AND principal.user.userid="valueB1") OR (principal.ip="valueA2" AND principal.user.userid="valueB2")

Which only becomes worse if you have even more options. Now the weird thing: In YARA-L it's totally not an issue! The "YARA-L 2.0 language syntax | Chronicle | Google Cloud" page explicitly states:

"By default, the precedence order from highest to lowest is not, and, or.

For example, "a or b and c" is evaluated as "a or (b and c)". You can use parentheses to alter the precedence if needed."

Does someone know why this is the case? It would make porting searches that I get from other teams easier to create rules on, but would also very much make my life easier to provide a UDM Search backend and not only a YARA-L backend.
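As an added illustration (not code from this thread, and not pySigma's or Chronicle's own code), the Python below builds both query shapes from a Sigma-style selection like the one in the example rule: the per-field OR clauses joined with AND, which already satisfies the CNF rule because no OR contains an AND and grows linearly with the number of values, and the multiplied-out form from the post, whose number of AND groups is the product of the value-list lengths. Field and value names are the constructed ones from the example rule; the event dicts are constructed too.

```python
from itertools import product

# Constructed Sigma-style selection, same shape as the rule in the post:
# values inside one field are ORed, different fields are ANDed.
SELECTION = {
    "principal.ip": ["valueA1", "valueA2"],
    "principal.user.userid": ["valueB1", "valueB2"],
}


def cnf_query(selection):
    """AND of per-field OR clauses. No OR wraps an AND, so this already
    satisfies the CNF rule; its length grows linearly with the value count."""
    clauses = [
        "(" + " OR ".join(f'{field}="{v}"' for v in values) + ")"
        for field, values in selection.items()
    ]
    return " AND ".join(clauses)


def expanded_query(selection):
    """The multiplied-out form shown in the post: one AND group for every
    combination of values, ORed together (one group per product element)."""
    fields = list(selection)
    groups = []
    for combo in product(*(selection[f] for f in fields)):
        terms = " AND ".join(f'{f}="{v}"' for f, v in zip(fields, combo))
        groups.append("(" + terms + ")")
    return " OR ".join(groups)


def matches_cnf(selection, event):
    """Evaluate the per-field form against an event dict (field -> value)."""
    return all(any(event.get(f) == v for v in vals)
               for f, vals in selection.items())


def matches_expanded(selection, event):
    """Evaluate the multiplied-out form against the same event dict."""
    fields = list(selection)
    return any(all(event.get(f) == v for f, v in zip(fields, combo))
               for combo in product(*(selection[f] for f in fields)))


def clause_sizes(selection):
    """(comparisons in the per-field form, AND groups in the expanded form)."""
    lengths = [len(v) for v in selection.values()]
    groups = 1
    for n in lengths:
        groups *= n
    return sum(lengths), groups
```

Both evaluators agree on every event, so a backend can emit the per-field form; with three fields of ten values each, `clause_sizes` reports 30 comparisons against 1000 AND groups.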

I believe that we will be moving away from CNF shortly so hopefully this will not be an issue in the future. As someone who builds rules and content to assist users, I am very aware of the challenges that this can create.
