Question

I’m trying to understand how we can achieve anomaly-based detection in Chronicle YARA-L similar to the KQL logic

  • November 13, 2025
  • 5 replies
  • 95 views

havox

Reference: the rule identifies anomalous spikes in network traffic using baseline comparison and deviation scoring

Time series anomaly detection for total volume of traffic | Microsoft Sentinel Analytic Rules

In KQL we can use functions like series_decompose_anomalies, time-series metrics, moving averages, baselines, and thresholds. But in YARA-L we don’t have these built-in functions or native anomaly detection capabilities.

My question is:
How can we replicate this kind of anomaly logic in Chronicle YARA-L?

5 replies

Walker_81
  • Bronze 2
  • November 13, 2025

Hi,

You may want to check one of the latest features, called multi-stage YARA-L, which allows a rule to understand a trend and detect an anomaly.

https://docs.cloud.google.com/chronicle/docs/investigation/multi-stage-yaral

Hope this is what you are looking for.


havox
  • Author
  • New Member
  • November 13, 2025

Thanks @Walker_81 : )

I checked the link — it seems more focused on searching events, but I was actually expecting some example rules. Is it possible to get a few sample multi-stage YARA-L rules that demonstrate anomaly or trend-based detection from the materials you mentioned? Even a simple example showing baseline comparison or multi-window logic would be really helpful.


ar3diu
  • Silver 2
  • November 17, 2025

You might find something useful in this article.


matthewnichols
Community Manager
  • Community Manager
  • November 17, 2025

@havox Check out the following blogs that talk about our Community Rules Github repository which contains content that we are creating for workshops, blogs, conferences and research.

For example, “If you are an analyst just getting familiar with YARA-L or want to understand all of the components that should go into a rule to get the most out of it, we just released our style guide into the Github repository. This guide lays out best practices when it comes to rule writing using YARA-L. We’ve done our best to apply the concepts in the guide to the rules we publish in the community folder of the repo and align with what we evangelize in our workshops on rule development.”

Lots of useful information here that should help you find your answers. 


havox
  • Author
  • New Member
  • November 18, 2025

Hi…. : (

I’m trying to use the metrics.file_executions_total UEBA metric in a YARA-L rule to detect anomalous spikes in process executions. However, the rule fails to compile with the error:

validating intermediate representation: unsupported filters for metric FILE_EXECUTIONS_TOTAL

The same logic works fine with other metrics like metrics.network_bytes_total. I have used valid period/window combinations (1h/today and 1d/30d), but it seems this specific metric isn’t supported for detection use.

Could you please confirm whether metrics.file_executions_total is currently available for YARA-L rules or if it’s limited to internal UEBA modeling?

Thanks!
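As an added example, not posted by anyone in this thread and not one of Google's published community rules, here is how the baseline-comparison pattern from the Sentinel rule can be expressed in YARA-L 2.0 using the metrics.network_bytes_total function that is discussed above. The rule sums the bytes each host sent in a 1-hour match window and compares that against the host's 30-day average daily total (taken with the period:1d / window:30d combination the thread mentions). Everything else is an assumption for illustration: the argument names (metric:value_sum, agg:avg, principal.hostname), the 24-hour normalisation, and the 3x multiplier used as the deviation threshold. Verify the metric arguments against the current metrics-function documentation and test-compile in the rule editor before relying on it.

```yaral
rule network_bytes_spike_vs_30d_baseline {

  meta:
    // Added example: not a rule from the forum thread or from Google's repository.
    author = "added example"
    description = "Host whose 1h outbound byte volume exceeds 3x its 30-day average hourly volume (threshold is a hypothetical choice)"
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.hostname = $hostname
    $e.network.sent_bytes > 0

  match:
    // Current observation window: one hour per host
    $hostname over 1h

  outcome:
    // Observed value: bytes this host sent during the 1h match window
    $current_bytes = sum($e.network.sent_bytes)

    // Baseline: average of the host's daily sent-byte totals over the previous 30 days.
    // Argument names follow the documented metrics-function syntax as assumed here;
    // max() is only needed because outcome variables must be aggregated.
    $baseline_daily_bytes = max(metrics.network_bytes_total(
        period:1d,
        window:30d,
        metric:value_sum,
        agg:avg,
        principal.hostname:$hostname))

    // Deviation score: observed hourly volume relative to the baseline hourly volume.
    // (current / (daily_avg / 24)) rewritten to avoid a nested division;
    // a host with no baseline (0) would divide by zero, so it is excluded below.
    $deviation_ratio = ($current_bytes * 24) / $baseline_daily_bytes

  condition:
    // Fire only when the host has a baseline and the hourly volume is more than 3x it
    $e and $baseline_daily_bytes > 0 and $deviation_ratio > 3
}
```

The same shape works for the other metrics the thread mentions: swap the events filter and the metrics function together, keep the period/window pair in a documented combination, and put the deviation score in the outcome section so the detection carries the observed value, the baseline and the ratio as outcome variables an analyst can pivot on. Replacing agg:avg with the documented standard-deviation aggregation would let you compute a z-score instead of a multiplier, which is closer to what series_decompose_anomalies does in KQL.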