
Hi All, 


I am looking to create a rule to compare the current number of events at a given day and time against the historical average for the same period. E.g. 100 events on Monday between 09:00 - 10:00 today versus the same number of events a week earlier (on Monday between 09:00 - 10:00). 


I have looked into the series by @jstoner on metrics, but the window timeframe is a daily window instead of an exact match for the same time period X days earlier.


https://security.googlecloudcommunity.com/community-blog-42/new-to-google-secops-using-metrics-in-yara-l-rules-part-2-4019


Other SIEM platforms have the concept of subsearches, I’m not sure if the same functionality exists in YARA-L 2.0 or if there is a workaround to achieve a similar result. 


Any advice would be appreciated!

TIA 

Could you use a daily-run rule as a feeder/producer to write the required metrics into a data table as in https://cloud.google.com/chronicle/docs/investigation/data-tables#write_results_from_yara-l_queries_to_data_tables with weekday (e.g. Monday) and day/month/year keys (e.g. Mon-28-08-2025), then use this table either in dashboards or in your other consumer rules/queries to compare the same weekday (Monday) across different days/months/years?
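The comparison the question asks for, and the weekday-keyed lookup the data-table suggestion above describes, as an added Python example that is not part of this thread and not YARA-L: it buckets constructed event timestamps by date and hour, averages the same weekday/hour over the previous N weeks, and flags the current window when it exceeds that baseline by a ratio. The function names, the sample data and the 1.5 threshold are assumptions made for the example.

```python
"""Compare the event count in one weekday/hour window with the average of the
same window in earlier weeks (constructed example, not Google SecOps code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def make_events(start, count, spread_minutes=60):
    """Spread `count` constructed timestamps evenly across a window."""
    step = timedelta(minutes=spread_minutes) / max(count, 1)
    return [start + i * step for i in range(count)]


# Constructed sample: three consecutive Mondays, 09:00-10:00 UTC.
# The two baseline weeks had 40 and 50 events; the current week has 100.
CURRENT_WINDOW = datetime(2025, 9, 1, 9, tzinfo=timezone.utc)  # a Monday
SAMPLE_EVENTS = (
    make_events(CURRENT_WINDOW - timedelta(weeks=2), 40)
    + make_events(CURRENT_WINDOW - timedelta(weeks=1), 50)
    + make_events(CURRENT_WINDOW, 100)
    # Noise in the following hour, which must not leak into the 09:00 bucket.
    + make_events(CURRENT_WINDOW + timedelta(hours=1), 500)
)


def bucket_counts(events):
    """Count events per (date, hour) bucket."""
    counts = defaultdict(int)
    for ts in events:
        counts[(ts.date(), ts.hour)] += 1
    return counts


def baseline_average(counts, window_start, weeks):
    """Average count of the same weekday/hour over the previous `weeks` weeks.

    Weeks with no data are skipped; returns None when no prior week has data,
    so a brand-new window never produces a division by zero or a false alert.
    """
    values = []
    for w in range(1, weeks + 1):
        prior = window_start - timedelta(weeks=w)
        key = (prior.date(), prior.hour)
        if key in counts:
            values.append(counts[key])
    return sum(values) / len(values) if values else None


def compare_window(events, window_start, weeks=1, ratio_threshold=1.5):
    """Return the current count, the prior-week baseline and an alert flag."""
    counts = bucket_counts(events)
    current = counts.get((window_start.date(), window_start.hour), 0)
    baseline = baseline_average(counts, window_start, weeks)
    ratio = None if not baseline else current / baseline
    return {
        "weekday": window_start.strftime("%A"),
        "hour": window_start.hour,
        "current": current,
        "baseline": baseline,
        "ratio": ratio,
        "alert": ratio is not None and ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    # Current Monday 09:00 against one week earlier: 100 vs 50 -> alert.
    print(compare_window(SAMPLE_EVENTS, CURRENT_WINDOW))
    # Against the average of two earlier weeks: 100 vs 45.
    print(compare_window(SAMPLE_EVENTS, CURRENT_WINDOW, weeks=2))
```

Keying the bucket by calendar date and hour rather than by a rolling window is what makes "same Monday 09:00, one week earlier" an exact match; widening `weeks` smooths the baseline, and the `None` baseline for a window with no history is the case a rule needs to handle explicitly rather than alerting on.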


@AbdElHafez 
I tried using data tables from the Native dashboards but the feature is not enabled for GA yet as far as I understand. I haven't tried doing the scheduled task for a daily write, but it does seem like it's over-engineering something that should be a feature within YARA-L itself.


You could ingest the dashboard data through the API as a separate data source as a workaround until this feature is enabled. 

Historic queries are also doable in BigQuery; I will try to think of a better approach.

