Skip to main content
Question

Converting KQL to YARA L

  • November 7, 2025
  • 4 replies
  • 111 views
Krish_p
Forum|alt.badge.img+1

Hi @jstoner I am new to YARA L, I am trying to convert few KQL query into YARA L, but I can’t able to achive same as KQL logic. please help on this rules.

Response rows stateful anomaly on database | Microsoft Sentinel Analytic Rules

 

Drop attempts stateful anomaly on database | Microsoft Sentinel Analytic Rules

Austin123

4 replies

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • November 11, 2025

I don’t have an exact answer for you on this but I do want to share a few different ideas on ways that you might be able to go about addressing this.

 

The first is through the use of multi-stage search. This is in public preview and provides the ability to do a stat of a stat. I will be doing some more blogs on this soon (i hope) but it does provide some ways to get some stats of some events and aggregate and join to perform calculations like Z-Score. Here is an example of what this might look like. This example is focused on minute to minute data and sent bytes from network connections, but the concepts still apply.

 

stage minute_stats {
 metadata.event_type = "NETWORK_CONNECTION"
 net.ip_in_range_cidr(principal.ip, "10.128.0.0/16")
 network.sent_bytes > 0
 $ip = principal.ip
 $target = target.ip
match:
  $ip, $target by minute
outcome:
  $total_bytes_sent = sum(cast.as_int(network.sent_bytes))
}
stage agg_stats {
 $ip = $minute_stats.ip
 $target = $minute_stats.target
 match:
   $ip, $target
 outcome:
  $avg_bytes_sent = window.avg($minute_stats.total_bytes_sent)
  $stddev_bytes_sent = window.stddev($minute_stats.total_bytes_sent)
}

$ip = $agg_stats.ip
$ip = $minute_stats.ip
$target = $agg_stats.target
$target = $minute_stats.target
outcome:
  $hour_bucket = timestamp.get_timestamp($minute_stats.window_start)
  $principal_ip = $ip
  $target_ip = $target
  $z_score = math.abs(($minute_stats.total_bytes_sent - $agg_stats.avg_bytes_sent)/$agg_stats.stddev_bytes_sent)
order: $z_score desc

 

Another capability that might also be applicable is the use of metrics. Currently metrics are fixed, that is we have a defined set of metrics, but there is some potential that this may be expanded to allow users to define their own metrics. Metrics are also one day and 30 day currently. I wrote a series of blogs on metrics when this was first introduced and the concepts in these blogs still apply so I wanted to share that as well.

 

 

 

 

_K_O
Austin123
Forum|alt.badge.img+4
  • Austin123Bronze 3
  • Bronze 3
  • November 24, 2025

Hi ​@jstoner 

Please assist with converting this rule as below mentioned.

https://analyticsrules.exchange/analyticrules/c815008d-f4d1-4645-b13b-8b4bc188d5de/

Thanks in advance.

Austin123
Forum|alt.badge.img+4
  • Austin123Bronze 3
  • Bronze 3
  • November 26, 2025

Hi Team , 

Could you please share an update on this.

Thanks

 

matthewnichols
Community Manager
Forum|alt.badge.img+16
  • matthewnicholsCommunity Manager
  • Community Manager
  • November 26, 2025

Hi ​@Austin123 Thanks for your post. Converting rules is quite a heavy lift and time consuming. From a Community’s perspective we want and try to answer every post with support from both Community users and Googlers. If there is a Community member or Partner that’s an expert in converting rules we welcome your support.😎

@Austin123 if this frequently comes up, I would suggest looking into our PSO services or connecting with a Partner who does this regularly for customers. 

Austin123
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.