I was looking into some of the curated rules’ YARA-L, specifically the “ATI High Priority Rule Match for Domain Name IoCs (target.hostname)” (rule high_ioc_eg_target_hostname)
I wanted to understand how these are set up but when I try to run them, I'm getting the error “validating intermediate representation: There cannot be more than 20 outcome variables in the outcome section”
However I’m fairly sure this rule works as it triggered some detections in the last 24 hours.
Do the curated rules have different outcome section variable limit or are they ran with different constraints than custom rules? What other limitation differences are there between curated and custom rules?
Question
Curated rule YARA-L outcome variables
+2- Bronze 1
+2- Bronze 1
To test or clone this rule in your own environment, consider removing some lines/variables from the outcome section. Most of those variables are not relevant to the core detection logic itself (which happens in the events and condition sections); they are merely informative, designed to populate the Alert UI with rich context.
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.