Skip to main content

I'm trying to build a rule that will check our VPN logs which contains the username and bytes out of all the users connections. I want to know the average of bytes out / day / username to be able to compare it against "$yesterday". The idea is that I will detect if johndoe had a "bytes out" of 50GB in a day while his average is only 20GB.

I understand that I need to use metrics.network_bytes_outbound, but I always get an error. Suggestions?

Run frequency: 24 hours

 

$avg_bytes_out = max(metrics.network_bytes_outbound(period:1d, window:30d, metric:value_sum, agg:avg, principal.user.userid:$e.principal.user.userid))
 

{"code":400,"statusText":"Bad Request","message":"cannot identify time window in the rule","details":[],...

Hello, 

 

validating intermediate representation: events section does not declare event variable used in outcome section (e)

This line should be a variable.   principal.user.userid:$e.principal.user.userid. ->  principal.user.userid:$user or you must define $e and the line would be simplified to this - principal.user.userid:$e

where you would define the $e or $user in your events section.  

 
$user = $bytes_out.principal.user.userid
 
However, I am not sure if the stats functions are available yet through the API.    

 

There are a couple of things that could be possible issues and since we don't have the complete rule here, if something isn't defined in the events or match sections properly, these issues may be part of the reason you are getting an error. 


I put together a set of 4 blogs on metrics, here is the first one https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-Metrics-in-YARA-L-Rules-Part-1/ba-p/726322 but this one highlights the basic foundations of how a rule with a metric might look with your criteria in the events section, the match section containing whatever you are aggregating by with a time window of over 1d which basically is the present that we will then use to compare against the yesterday(s) in the metrics.


This blog starts getting into the statistical measures and what you might want to set in the condition section of the rule to establish a threshold for the rule to trigger against when comparing today's measures against the historical measure https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-Metrics-in-YARA-L-Rules-Part-2/ba-p/726336


Finally, I would take a look at the docs around metrics because you have a number of options to choose from https://cloud.google.com/chronicle/docs/detection/metrics-functions#functions


The principal.user.userid is certainly a fine choose for the filter, but as @dnehoda mentions, you will want to make sure that this is a placeholder variable in the events section of the rule, and I would probably also use it as the match variable as well. If you wanted a more granular metric to calculate on, you can, the lists in the functions in the docs provide the combinations you can use, you just need to make sure that the entire combination is used in the metric as well.


Hopefully these few tips help get you going in the right direction but if you have more questions, don't hesitate to reach out!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.