Question

Curated rule YARA-L outcome variables

  • February 24, 2026

EP0

I was looking into some of the curated rules’ YARA-L, specifically the “ATI High Priority Rule Match for Domain Name IoCs (target.hostname)” (rule high_ioc_eg_target_hostname).

I wanted to understand how these are set up, but when I try to run them, I'm getting the error “validating intermediate representation: There cannot be more than 20 outcome variables in the outcome section”.

However, I’m fairly sure this rule works, as it triggered some detections in the last 24 hours.

Do the curated rules have a different outcome section variable limit, or are they run with different constraints than custom rules? What other limitation differences are there between curated and custom rules?

1 reply

joaocarvalho
  • February 25, 2026

To test or clone this rule in your own environment, consider removing some lines/variables from the outcome section. Most of those variables are not relevant to the core detection logic itself (which happens in the events and condition sections); they are merely informative, designed to populate the Alert UI with rich context.
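
One way to decide which outcome variables to drop from a cloned rule, as an added example that is not part of the thread and is not Google's curated rule. The rule text is constructed, the function names are hypothetical, and the limit of 20 is taken from the error message quoted in the question. Outcome variables that the condition section references are reported as ones to keep; the rest only add alert context.

```python
import re

OUTCOME_LIMIT = 20  # limit quoted in the validation error in the question

SECTION = re.compile(r"^[ \t]*(meta|events|match|outcome|condition|options)[ \t]*:[ \t]*$", re.M)
ASSIGN = re.compile(r"^[ \t]*(\$\w+)[ \t]*=", re.M)  # "$name = ..." at line start

def sections(rule_text):
    """Split a YARA-L rule body into {section_name: section_text}."""
    marks = list(SECTION.finditer(rule_text))
    out = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(rule_text)
        out[m.group(1)] = rule_text[m.end():end]
    return out

def audit_outcomes(rule_text, limit=OUTCOME_LIMIT):
    """Count outcome variables and separate those the condition section
    references (keep) from context-only ones (candidates to remove)."""
    sec = sections(rule_text)
    declared = ASSIGN.findall(sec.get("outcome", ""))
    used = set(re.findall(r"\$\w+", sec.get("condition", "")))
    return {
        "count": len(declared),
        "over_by": max(0, len(declared) - limit),
        "keep": [v for v in declared if v in used],
        "trimmable": [v for v in declared if v not in used],
    }

def sample_rule(n_context=22):
    """Constructed rule text: n_context informational outcomes plus $risk_score."""
    ctx = "\n".join(
        f"    $ctx_{i} = array_distinct($e.principal.hostname)" for i in range(n_context)
    )
    return (
        "rule constructed_example {\n"
        "  meta:\n    author = \"example\"\n"
        "  events:\n    $e.metadata.event_type = \"NETWORK_DNS\"\n"
        "    $e.target.hostname = $host\n"
        "  match:\n    $host over 1h\n"
        "  outcome:\n    $risk_score = max(85)\n" + ctx + "\n"
        "  condition:\n    $e and $risk_score > 50\n}\n"
    )

if __name__ == "__main__":
    report = audit_outcomes(sample_rule())
    print(f"{report['count']} outcome variables, {report['over_by']} over the limit")
    print("referenced in condition (keep):", report["keep"])
    print("context only (safe to trim):", report["trimmable"][: report["over_by"]])
```
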