I'm working with data tables in Google SecOps and using them in my detection rules.
I have a data table named UserAccountCreatedNew with the following columns:
My goal is to check whether both Hostname and UserID from an event match a single row in the data table—not just independently across different rows.
For example, I want to avoid this:
Hostname matches row 1
UserID matches row 2
Instead, I want to confirm that both values exist together in the same row.
Sample Data Table: UserAccountCreatedNew
Hostname,UserID,LogType
WIN-1234, [removed by moderator] ,winevtlog
WIN-5678, [removed by moderator] ,winevtlog
WIN-9999, [removed by moderator] ,winevtlog
YARA-L rule:
rule windows_user_account_created_and_deleted_in_short_interval {
  meta:
    author = " [removed by moderator] "
    data_source = "Windows"
    severity = "Low"
    priority = "Low"

  events:
    $delete.metadata.product_event_type = "4726"
    $delete.metadata.vendor_name = "Microsoft"
    $delete.principal.hostname = $hostname
    $delete.target.user.userid = $user
    ($hostname in %UserAccountCreatedNew.Hostname and $user in %UserAccountCreatedNew.UserID)

  match:
    $hostname, $user over 1m

  outcome:
    $risk_score = 50
    $mitre_tactic = "Persistence, Impact"
    $mitre_technique = "Create Account, Account Access Removal"

  condition:
    $delete
}
I suspect the current YARA-L logic might allow cross-row matches. I'd like to hear your thoughts on the best way to enforce same-row matching using data tables in YARA-L.
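The following is an added example, not the poster's rule and not code from Google. It keeps the poster's event filters, match window and outcome variables and changes only the data-table reference. The two `in` checks in the original each look up one column on its own, so nothing ties the Hostname hit to the UserID hit. The rewrite assumes that YARA-L lets a data-table column be bound to a placeholder with `%table.column = $placeholder` (a row join) so that both columns are read from the same row; that join syntax is an assumption to confirm against the current Google SecOps data-table documentation before relying on it. The rule name and author string are constructed placeholders.

```yaral
rule windows_user_account_created_and_deleted_in_short_interval_same_row {
  meta:
    // constructed placeholder author, not the original poster
    author = "example-author"
    data_source = "Windows"
    severity = "Low"
    priority = "Low"

  events:
    $delete.metadata.product_event_type = "4726"
    $delete.metadata.vendor_name = "Microsoft"
    $delete.principal.hostname = $hostname
    $delete.target.user.userid = $user

    // Assumed data-table join syntax: both columns of the table are bound to
    // the same placeholders as the event fields, so a single table row has to
    // supply BOTH the Hostname and the UserID. A Hostname from row 1 combined
    // with a UserID from row 2 no longer satisfies the rule.
    %UserAccountCreatedNew.Hostname = $hostname
    %UserAccountCreatedNew.UserID = $user

  match:
    $hostname, $user over 1m

  outcome:
    $risk_score = 50
    $mitre_tactic = "Persistence, Impact"
    $mitre_technique = "Create Account, Account Access Removal"

  condition:
    $delete
}
```

A quick way to verify the behaviour is to seed the table with two rows whose Hostname and UserID are deliberately swapped (for example `WIN-1234` paired with user B and `WIN-5678` paired with user A), run a test against a 4726 event for `WIN-1234` with user A, and confirm the row-joined rule stays silent while the original `in`-based rule fires.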