Question

How to ensure row-level matching in data tables when using multiple columns

  • August 24, 2025
  • 3 replies
  • 275 views

spartan_07

I'm working with data tables in Google SecOps and using them in my detection rules.

I have a data table named UserAccountCreatedNew with the following columns:

My goal is to check whether both Hostname and UserID from an event match a single row in the data table—not just independently across different rows.

For example, I want to avoid this:

Hostname matches row 1

UserID matches row 2

Instead, I want to confirm that both values exist together in the same row.

Sample data table: UserAccountCreatedNew

    Hostname,UserID,LogType
    WIN-1234, [removed by moderator] ,winevtlog
    WIN-5678, [removed by moderator] ,winevtlog
    WIN-9999, [removed by moderator] ,winevtlog

YARA-L rule:

    rule windows_user_account_created_and_deleted_in_short_interval {

      meta:
        author = " [removed by moderator] "
        data_source = "Windows"
        severity = "Low"
        priority = "Low"

      events:
        $delete.metadata.product_event_type = "4726"
        $delete.metadata.vendor_name = "Microsoft"
        $delete.principal.hostname = $hostname
        $delete.target.user.userid = $user
        // Column-based lookups: each value is checked against its own column,
        // so the two hits may come from different rows of the data table.
        ($hostname in %UserAccountCreatedNew.Hostname and $user in %UserAccountCreatedNew.UserID)

      match:
        $hostname, $user over 1m

      outcome:
        $risk_score = 50
        $mitre_tactic = "Persistence, Impact"
        $mitre_technique = "Create Account, Account Access Removal"

      condition:
        $delete
    }

I suspect the current YARA-L logic might allow cross-row matches. I'd like to hear your thoughts on the best way to enforce same-row matching using data tables in YARA-L.

3 replies

jstoner
Community Manager
  • August 25, 2025

Row matching can be performed in data tables and rules by using = next to both values you want to match within the same row. Change your IN on both fields to data table comparisons using equals.

Column matching will still work with IN, but that will treat the hostname and the user as two separate values, i.e., is the host in this list and the user in that list.

  • Bronze 1
  • March 26, 2026

Can we use

“not ($hostname = %UserAccountCreatedNew.Hostname and $user = %UserAccountCreatedNew.UserID)”

My requirement is not to trigger the rule if the details match in the data table.


jstoner
Community Manager
  • March 26, 2026

I pasted the documentation around row-based matching below along with the link. Note in the second paragraph that you need at least one item to match in the row to anchor it first before using an inequality on subsequent values within the row.

You can link UDM events to a data table using equality and comparison operators (=, !=, >, >=, <, <=) to perform row-based comparisons. This approach lets you filter data by matching values from UDM events against rows in the data table. If you're using multiple comparisons statements, all fields or conditions must match on the same data table row.

You must include at least one join condition between UDM fields and data table rows to use operators (such as not, !=, >, >=, <, <=) in your query. Google SecOps treats any rule with a data table join as a multi-event rule, which requires a corresponding match section in the rule definition.

https://docs.cloud.google.com/chronicle/docs/investigation/data-tables#row-based


Because you are looking for NOT X and NOT Y from the listing, could you use column matching on this instead and try something like this?

not ($hostname IN %UserAccountCreatedNew.Hostname and $user IN %UserAccountCreatedNew.UserID)

or

not $hostname IN %UserAccountCreatedNew.Hostname and 
not $user IN %UserAccountCreatedNew.UserID
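To make the difference between the column-based IN lookup and the row-based = join concrete, and to show why the two negated forms in the last reply behave differently, here is a small Python model of the matching semantics. This is an added illustration, not Google SecOps or YARA-L code; the table rows and the U-111/U-222/U-333 user IDs are constructed sample values, since the real IDs were removed by a moderator.

```python
# Model of YARA-L data table matching semantics for the UserAccountCreatedNew
# table discussed above. Constructed sample rows (UserID values are assumptions).
DATA_TABLE = [
    {"Hostname": "WIN-1234", "UserID": "U-111", "LogType": "winevtlog"},
    {"Hostname": "WIN-5678", "UserID": "U-222", "LogType": "winevtlog"},
    {"Hostname": "WIN-9999", "UserID": "U-333", "LogType": "winevtlog"},
]


def _columns(table):
    """Flatten the table into one value set per column, which is what a
    column-based IN lookup effectively consults."""
    hosts = {row["Hostname"] for row in table}
    users = {row["UserID"] for row in table}
    return hosts, users


def fires_column_match(hostname, user, table=DATA_TABLE):
    """Models `$hostname IN %T.Hostname and $user IN %T.UserID`.
    Each value is checked against its own column independently, so the
    rule also fires when the hits come from two different rows."""
    hosts, users = _columns(table)
    return hostname in hosts and user in users


def fires_row_match(hostname, user, table=DATA_TABLE):
    """Models `$hostname = %T.Hostname and $user = %T.UserID`.
    Both comparisons must be satisfied by the same row of the table."""
    return any(row["Hostname"] == hostname and row["UserID"] == user
               for row in table)


def fires_not_both_listed(hostname, user, table=DATA_TABLE):
    """Models `not ($hostname IN col and $user IN col)`: suppressed only
    when both values appear somewhere in the table (any rows)."""
    return not fires_column_match(hostname, user, table)


def fires_neither_listed(hostname, user, table=DATA_TABLE):
    """Models `not $hostname IN col and not $user IN col`: suppressed
    as soon as either value appears anywhere in the table."""
    hosts, users = _columns(table)
    return hostname not in hosts and user not in users


if __name__ == "__main__":
    # Cross-row pair the original question wanted to avoid.
    print("column:", fires_column_match("WIN-1234", "U-222"))  # True
    print("row:   ", fires_row_match("WIN-1234", "U-222"))     # False
```

Run as a script it prints the column-versus-row result for the cross-row pair (host from row 1, user from row 2); the two negated forms diverge on an event where only one of the two values is listed.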