Question

Converting KQL to YARA-L

  • November 7, 2025
  • 4 replies
  • 111 views

Krish_p

Hi @jstoner, I am new to YARA-L. I am trying to convert a few KQL queries into YARA-L, but I can't achieve the same logic as in KQL. Please help with these rules.

Response rows stateful anomaly on database | Microsoft Sentinel Analytic Rules


Drop attempts stateful anomaly on database | Microsoft Sentinel Analytic Rules

4 replies

jstoner
Staff
  • November 11, 2025

I don't have an exact answer for you on this, but I do want to share a few different ideas on ways that you might be able to go about addressing this.


The first is through the use of multi-stage search. This is in public preview and provides the ability to do a stat of a stat. I will be doing some more blogs on this soon (I hope), but it does provide some ways to get some stats of some events and aggregate and join to perform calculations like Z-score. Here is an example of what this might look like. This example is focused on minute-to-minute data and sent bytes from network connections, but the concepts still apply.


// Stage 1: per source/target pair, total bytes sent in each one-minute bucket.
stage minute_stats {
  metadata.event_type = "NETWORK_CONNECTION"
  net.ip_in_range_cidr(principal.ip, "10.128.0.0/16")
  network.sent_bytes > 0
  $ip = principal.ip
  $target = target.ip
  match:
    $ip, $target by minute
  outcome:
    $total_bytes_sent = sum(cast.as_int(network.sent_bytes))
}

// Stage 2: baseline per pair, the mean and standard deviation across the minute buckets from stage 1.
stage agg_stats {
  $ip = $minute_stats.ip
  $target = $minute_stats.target
  match:
    $ip, $target
  outcome:
    $avg_bytes_sent = window.avg($minute_stats.total_bytes_sent)
    $stddev_bytes_sent = window.stddev($minute_stats.total_bytes_sent)
}

// Final stage: join each minute bucket back to its pair's baseline and score it.
$ip = $agg_stats.ip
$ip = $minute_stats.ip
$target = $agg_stats.target
$target = $minute_stats.target
outcome:
  $hour_bucket = timestamp.get_timestamp($minute_stats.window_start)
  $principal_ip = $ip
  $target_ip = $target
  $z_score = math.abs(($minute_stats.total_bytes_sent - $agg_stats.avg_bytes_sent)/$agg_stats.stddev_bytes_sent)
order: $z_score desc


Another capability that might also be applicable is the use of metrics. Currently metrics are fixed, that is, we have a defined set of metrics, but there is some potential that this may be expanded to allow users to define their own metrics. Metrics are also currently one-day and 30-day. I wrote a series of blogs on metrics when this was first introduced, and the concepts in these blogs still apply, so I wanted to share that as well.
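The multi-stage search above is a Google SecOps feature and only runs inside that product, so here is an added example, not jstoner's code and not anything from Google, that models the same three steps in plain Python over constructed sample events: sum sent bytes per source/target pair per minute, compute each pair's mean and standard deviation across those minute buckets, then score every bucket with |z| and order by it. Running this offline lets you check what z-scores you expect before encoding a KQL anomaly rule's logic in YARA-L. Two assumptions are not settled by the post: the page does not say whether window.stddev is the population or sample standard deviation (population is used here), and the posted rule divides by the standard deviation with no guard, so this model leaves z undefined for a pair whose baseline has zero variance rather than dividing by zero.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real telemetry). Each tuple mirrors the UDM
# fields the YARA-L stages read: event time, principal.ip, target.ip, sent bytes.
EVENTS = [
    # 10.128.1.10 -> 203.0.113.5: nine quiet minutes of 2000 bytes, then a burst.
    ("2025-11-07T10:00:05Z", "10.128.1.10", "203.0.113.5", 1200),
    ("2025-11-07T10:00:40Z", "10.128.1.10", "203.0.113.5", 800),   # same minute as above
    ("2025-11-07T10:01:12Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:02:03Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:03:30Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:04:59Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:05:01Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:06:44Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:07:15Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:08:27Z", "10.128.1.10", "203.0.113.5", 2000),
    ("2025-11-07T10:09:02Z", "10.128.1.10", "203.0.113.5", 48000),  # the anomaly
    # 10.128.2.20 -> 198.51.100.7: perfectly flat baseline (zero variance).
    ("2025-11-07T10:00:10Z", "10.128.2.20", "198.51.100.7", 500),
    ("2025-11-07T10:01:10Z", "10.128.2.20", "198.51.100.7", 500),
    ("2025-11-07T10:02:10Z", "10.128.2.20", "198.51.100.7", 500),
    # Dropped by the stage-1 filters: zero bytes sent, and a source outside the CIDR.
    ("2025-11-07T10:03:10Z", "10.128.9.9", "192.0.2.1", 0),
    ("2025-11-07T10:03:10Z", "172.16.0.4", "192.0.2.1", 7000),
]


def in_cidr(ip: str, cidr: str) -> bool:
    """Equivalent of net.ip_in_range_cidr(principal.ip, cidr)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def minute_stats(events, cidr: str = "10.128.0.0/16"):
    """Stage 1: apply the event filters and sum sent bytes per (src, dst, minute)."""
    totals = defaultdict(int)
    for ts, src, dst, sent in events:
        if sent <= 0 or not in_cidr(src, cidr):
            continue
        # Truncate the timestamp to the minute, like `match: ... by minute`.
        minute = datetime.fromisoformat(ts.replace("Z", "+00:00")).replace(second=0, microsecond=0)
        totals[(src, dst, minute)] += sent
    return dict(totals)


def agg_stats(totals):
    """Stage 2: per (src, dst), mean and stddev across that pair's minute buckets.

    Assumption: population stddev; the page does not say which window.stddev uses.
    """
    series = defaultdict(list)
    for (src, dst, _), total in totals.items():
        series[(src, dst)].append(total)
    return {pair: (mean(vals), pstdev(vals)) for pair, vals in series.items()}


def z_scores(events, cidr: str = "10.128.0.0/16"):
    """Final stage: join each bucket to its pair's baseline, score it, order by |z| desc."""
    totals = minute_stats(events, cidr)
    baseline = agg_stats(totals)
    rows = []
    for (src, dst, minute), total in totals.items():
        avg, sd = baseline[(src, dst)]
        # Guard the division the posted YARA-L performs unconditionally: a flat
        # baseline (or a single bucket) has sd == 0 and no meaningful z-score.
        z = abs(total - avg) / sd if sd > 0 else None
        rows.append({
            "minute": minute.isoformat(),
            "principal_ip": src,
            "target_ip": dst,
            "total_bytes_sent": total,
            "z_score": z,
        })
    # Highest |z| first; buckets with an undefined score go last.
    rows.sort(key=lambda r: (r["z_score"] is None, -(r["z_score"] or 0.0)))
    return rows


if __name__ == "__main__":
    for row in z_scores(EVENTS):
        z = "n/a (zero-variance baseline)" if row["z_score"] is None else f"{row['z_score']:.2f}"
        print(f"{row['minute']} {row['principal_ip']} -> {row['target_ip']} "
              f"bytes={row['total_bytes_sent']} z={z}")
```

With the constructed input, the 10:09 burst scores exactly z = 3.0 (nine buckets of 2000 plus one of 48000 give a mean of 6600 and a population stddev of 13800), the quiet minutes score 0.33, and the flat 10.128.2.20 pair comes out with no score at all. That last case is the one to check in the real rule: if a pair's baseline has zero spread, decide whether the YARA-L should suppress the bucket, treat it as anomalous, or fall back to a minimum stddev, rather than leaving the behaviour to whatever the engine does on division by zero.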



Austin123
  • Bronze 3
  • November 24, 2025

Hi @jstoner,

Please assist with converting the rule mentioned below.

https://analyticsrules.exchange/analyticrules/c815008d-f4d1-4645-b13b-8b4bc188d5de/

Thanks in advance.


Austin123
  • Bronze 3
  • November 26, 2025

Hi Team,

Could you please share an update on this.

Thanks



matthewnichols
Community Manager
  • November 26, 2025

Hi @Austin123, thanks for your post. Converting rules is quite a heavy lift and time-consuming. From a Community's perspective, we want and try to answer every post with support from both Community users and Googlers. If there is a Community member or Partner that's an expert in converting rules, we welcome your support. 😎

@Austin123, if this frequently comes up, I would suggest looking into our PSO services or connecting with a Partner who does this regularly for customers.