
I'm using the data sources below: "Palo Alto, Cloudflare, ExtraHop, Sysmon, Microsoft Defender for Endpoint"

My YARA-L rule:

rule cloud_storage_large_upload {   // rule name is a placeholder; the post omitted the header
  meta:
    description = "More than 10 MB sent to a cloud storage domain from one source IP within 15 minutes"

  events:
    (
      ($e.metadata.log_type = "CLOUDFLARE" and $e.metadata.vendor_name = "Cloudflare") or
      ($e.metadata.log_type = "PAN_FIREWALL" and $e.metadata.vendor_name = "Palo Alto Networks") or
      ($e.metadata.log_type = "EXTRAHOP" and $e.metadata.vendor_name = "ExtraHop") or
      ($e.metadata.log_type = "WINDOWS_SYSMON" and $e.metadata.vendor_name = "Microsoft") or
      // log_type must be the ingestion label, not the product name; Defender for Endpoint is ingested as WINDOWS_DEFENDER_ATP
      ($e.metadata.log_type = "WINDOWS_DEFENDER_ATP" and $e.metadata.vendor_name = "Microsoft")
    ) and
    $e.principal.ip = $ip_address and
    strings.extract_domain($e.target.url) in %CloudStorageDomains_List and
    $e.network.sent_bytes > 10000000

  match:
    $ip_address over 15m

  outcome:
    $total_bytes_transferred = sum($e.network.sent_bytes)
    $unique_target_domains = count_distinct(strings.extract_domain($e.target.url))
    $user_id = array_distinct($e.principal.user.userid) // list of all users involved
    $destination_application = array_distinct($e.target.application)

  condition:
    $e and $total_bytes_transferred > 10000000
}

The rule is accepted with no errors, but at the same time it gives no results.


Then I started debugging to make sure my rule is correct, by changing:

    $e.network.sent_bytes > 100

    $e and $total_bytes_transferred > 1000

The rule is accepted with no errors, but at the same time it gives no results.


Then I specified only one data source, like below:

  events:
    $e.metadata.vendor_name = "Palo Alto Networks" and
    $e.principal.ip = $ip_address and
    strings.extract_domain($e.target.url) in %CloudStorageDomains_List and
    $e.network.sent_bytes > 10 // set to a very low number for testing

  match:
    $ip_address over 15m

  outcome:
    $total_bytes_transferred = sum($e.network.sent_bytes)
    $unique_target_domains = count_distinct(strings.extract_domain($e.target.url))
    $user_id = array_distinct($e.principal.user.userid)
    $destination_application = array_distinct($e.target.application)

  condition:
    $e and $total_bytes_transferred > 500 // set to a very low number for testing
}

The rule is accepted with no errors, but at the same time it gives no results.


What should I do? Any suggestions are welcome.
Looking forward to more ideas. Thanks a lot.

Hi,

I see you’re looking for network events from multiple data sources.

A common issue is that the same event isn’t always parsed identically across all log sources, which can break your logic.

I think it would be better to build this rule based on the "EventType" field and look specifically for this kind of network event.

Try using:

($e.metadata.event_type = "NETWORK_HTTP" or $e.metadata.event_type = "NETWORK_CONNECTION")

 

instead of:

    (
      ($e.metadata.log_type = "CLOUDFLARE" and $e.metadata.vendor_name = "Cloudflare") or
      ($e.metadata.log_type = "PAN_FIREWALL" and $e.metadata.vendor_name = "Palo Alto Networks") or
      ($e.metadata.log_type = "EXTRAHOP" and $e.metadata.vendor_name = "ExtraHop") or
      ($e.metadata.log_type = "WINDOWS_SYSMON" and $e.metadata.vendor_name = "Microsoft") or
      ($e.metadata.log_type = "Microsoft Defender for Endpoint" and $e.metadata.vendor_name = "Microsoft")
    )


rule network_events_to_cloud_storage {   // rule name is a placeholder; the reply omitted the header
  meta:
    description = "HTTP or connection events sending bytes to a cloud storage domain"

  events:
    ($e.metadata.event_type = "NETWORK_HTTP" or $e.metadata.event_type = "NETWORK_CONNECTION") and
    $e.principal.ip = $ip_address and
    strings.extract_domain($e.target.url) in %CloudStorageDomains_List and
    $e.network.sent_bytes > 100 // set to a very low number for testing

  match:
    $ip_address over 15m

  outcome:
    $total_bytes_transferred = sum($e.network.sent_bytes)
    $unique_target_domains = count_distinct(strings.extract_domain($e.target.url))
    $user_id = array_distinct($e.principal.user.userid)
    $destination_application = array_distinct($e.target.application)

  condition:
    $e and $total_bytes_transferred > 1000 // set to a very low number for testing
}
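A practical way to find out which line of the events: section is emptying a rule like this is to run the same predicates, one at a time, over events of each log_type and count where each event drops out. The block below is an added example for this thread, not Chronicle code or the rule author's: it emulates the posted predicates, the 15m match on $ip_address and the outcome/condition over constructed UDM-shaped events. The domain list stands in for %CloudStorageDomains_List, the sample events are made up, extract_domain only approximates strings.extract_domain (host with "www." stripped, no public-suffix handling), and the match window is approximated with fixed 15-minute buckets rather than a sliding window.

```python
"""Per-predicate drop report plus match/outcome emulation for the posted YARA-L rule.
Added example for this thread (not Chronicle code). Sample events are constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

CLOUD_STORAGE_DOMAINS = {"dropbox.com", "drive.google.com", "mega.nz"}  # stand-in for %CloudStorageDomains_List
SENT_BYTES_THRESHOLD = 10_000_000   # $e.network.sent_bytes > ...
TOTAL_BYTES_THRESHOLD = 10_000_000  # $total_bytes_transferred > ...
WINDOW_SECONDS = 15 * 60            # match: $ip_address over 15m (fixed buckets, not sliding)


def udm_get(event, path):
    """Walk a dotted UDM path; an unset field returns None, as it would in the rule."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract_domain(url):
    """Approximation of strings.extract_domain: URL host without a leading 'www.'."""
    host = urlparse(url).hostname if url else None
    if host is None:
        return None
    return host[4:] if host.startswith("www.") else host


# One entry per line of the events: section, in the posted order.
PREDICATES = [
    ("principal.ip set", lambda e: udm_get(e, "principal.ip") is not None),
    ("target.url domain in list",
     lambda e: extract_domain(udm_get(e, "target.url")) in CLOUD_STORAGE_DOMAINS),
    ("network.sent_bytes > threshold",
     lambda e: (udm_get(e, "network.sent_bytes") or 0) > SENT_BYTES_THRESHOLD),
]


def first_failing_predicate(event):
    for name, check in PREDICATES:
        if not check(event):
            return name
    return "passed"


def explain_drops(events):
    """log_type -> Counter of the predicate that removed each event (or 'passed')."""
    report = defaultdict(Counter)
    for e in events:
        report[udm_get(e, "metadata.log_type")][first_failing_predicate(e)] += 1
    return report


def run_rule(events):
    """match/outcome/condition over the events that passed every predicate."""
    buckets = defaultdict(list)
    for e in events:
        if first_failing_predicate(e) == "passed":
            window = udm_get(e, "metadata.event_timestamp") // WINDOW_SECONDS
            buckets[(udm_get(e, "principal.ip"), window)].append(e)
    detections = []
    for (ip, _window), group in buckets.items():
        total = sum(udm_get(e, "network.sent_bytes") for e in group)
        if total > TOTAL_BYTES_THRESHOLD:
            detections.append({
                "ip_address": ip,
                "total_bytes_transferred": total,
                "unique_target_domains": len({extract_domain(udm_get(e, "target.url")) for e in group}),
                "user_id": sorted({udm_get(e, "principal.user.userid") for e in group} - {None}),
            })
    return detections


# Constructed events. The PAN traffic log and the Sysmon connection carry no target.url,
# so they can never satisfy an AND that includes the domain predicate.
T0 = 1_699_999_200  # multiple of WINDOW_SECONDS, so all offsets below share one bucket
SAMPLE_EVENTS = [
    {"metadata": {"log_type": "PAN_FIREWALL", "event_timestamp": T0},
     "principal": {"ip": "10.0.0.5"}, "target": {"ip": "162.125.1.1"}, "network": {"sent_bytes": 25_000_000}},
    {"metadata": {"log_type": "WINDOWS_SYSMON", "event_timestamp": T0 + 10},
     "principal": {"ip": "10.0.0.5", "user": {"userid": "jdoe"}}, "target": {"ip": "162.125.1.1"}},
    {"metadata": {"log_type": "CLOUDFLARE", "event_timestamp": T0 + 20},
     "principal": {"ip": "10.0.0.5", "user": {"userid": "jdoe"}},
     "target": {"url": "https://www.dropbox.com/upload"}, "network": {"sent_bytes": 12_000_000}},
    {"metadata": {"log_type": "CLOUDFLARE", "event_timestamp": T0 + 300},
     "principal": {"ip": "10.0.0.5"}, "target": {"url": "https://mega.nz/file"}, "network": {"sent_bytes": 11_000_000}},
    {"metadata": {"log_type": "CLOUDFLARE", "event_timestamp": T0 + 400},
     "principal": {"ip": "10.0.0.9"}, "target": {"url": "https://www.dropbox.com/upload"}, "network": {"sent_bytes": 500}},
    {"metadata": {"log_type": "EXTRAHOP", "event_timestamp": T0 + 500},
     "principal": {"ip": "10.0.0.9"}, "target": {"url": "https://api.example.com/v1"}, "network": {"sent_bytes": 30_000_000}},
]

if __name__ == "__main__":
    for log_type, counts in explain_drops(SAMPLE_EVENTS).items():
        print(f"{log_type:16} {dict(counts)}")
    for detection in run_rule(SAMPLE_EVENTS):
        print(detection)
```

Reading the drop report per log_type is the point: if every PAN_FIREWALL or WINDOWS_SYSMON event dies on "target.url domain in list", the rule is syntactically fine but that parser never populates the field, and either a different field (target.hostname, target.ip) or a per-source rule is needed. Lowering the byte thresholds, as the poster tried, cannot help while an earlier predicate removes every event.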





I tried switching to event_type.

No luck, no results. It's still not failing; for debugging I changed the bytes sent and received, and my query is still not showing any results.


Can you try running a test with something like the following?

rule bytes_sent {
  meta:
    description = "Bytes sent > 1000"

  events:
    $net.metadata.event_type = "NETWORK_HTTP"
    $net.network.sent_bytes > 1000
    $net.principal.ip = $ip

  match:
    $ip over 5m

  outcome:
    $user = array_distinct($net.principal.user.userid)
    $total_bytes_sent = sum($net.network.sent_bytes)
    $target_domain = array_distinct(strings.extract_domain($net.target.url))

  condition:
    $net
}

From there, try adding in your reference list and some common domains. The rule test of the above in my test tenant returns: