Skip to main content
Answer

detection_window option

  • November 8, 2025
  • 4 replies
  • 100 views
G
Forum|alt.badge.img+1

Hello everyone,
has anyone tried using detection_window in the options?
I found it in the documentation, but I don't know how to use it, and it was only mentioned in an example rule; it doesn't appear in the options section.

When I put it in one of my rules, it doesn't work.
 

rule failed_logins_from_new_location
{
  meta: 
   author = "Security Team"
   description = "Detects multiple failed logins for a user from a new, never-before-seen IP address within 10 minutes."
   severity = "HIGH"

  events:
   $e.metadata.event_type = "USER_LOGIN"
   $e.security_result.action = "FAIL"
   $user = $e.target.user.userid
   $ip = $e.principal.ip

  outcome:
   $failed_login_count = count($e)
   $unique_ips = count_distinct($ip)
   $first_fail_time = min($e.metadata.event_timestamp)

  match:
   $user over 10m

  condition:
   #e >= 5

  options:
   detection_window=2d
}

taken from doc “ The options section specifies when the query first runs: it looks back two days.”

Reference link:
https://docs.cloud.google.com/chronicle/docs/yara-l/yara-l-overview

Best answer by jstoner

I just pulled the doc this morning and it looks like we might have been a bit ahead of ourselves on that option. It doesn’t look like it is there anymore. Sorry for the confusion.

 

 

4 replies

M
Forum|alt.badge.img+1
  • MartinLinBronze 2
  • Bronze 2
  • November 10, 2025

Hi Gabriel,


According to the documentation, it seems that detection_window is not currently included as an available option.

https://docs.cloud.google.com/chronicle/docs/yara-l/options-syntax#valid_options_values

G
jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • November 11, 2025

What were you trying to do with this option? If you are looking to suppress, suppression_window in the options section can be used. If you are looking to do something else, let us know and we can see how we might be able to help.

G
Forum|alt.badge.img+1
  • Gabriel MarchiBronze 1
  • Author
  • Bronze 1
  • November 12, 2025

Hi ​@jstoner 
At first, I just tested this option that appears in the documentation, but I found it interesting that you can control the time that the rule will observe, as implied in the documentation.
This option appears in an example on the Yara-L language overview page.

 

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • Answer
  • November 12, 2025

I just pulled the doc this morning and it looks like we might have been a bit ahead of ourselves on that option. It doesn’t look like it is there anymore. Sorry for the confusion.

 

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.