Question

“if” does not work in events

Forum|Forum|26 days ago
November 18, 2025
4 replies
61 views

+1

Gabriel Marchi
Bronze 1

Hello all,
Google recently launched nested if for the events part of the rules. I decided to try it out and noticed some problems
The exact same rule in doc works without any problems.

When I try to remove one of the if and make a simple if , it starts pointing out errors.

Another time I encountered an error was when I tried to perform a comparison using data tables.
The error message says that I am using an invalid type for the else field, but my else is a simple string.

Note: in the documentation, the only limitation is the maximum nesting of 20 if.

Has anyone else encountered these problems?

doc: ttps://docs.cloud.google.com/chronicle/docs/yara-l/nested-if
release note: https://docs.cloud.google.com/chronicle/docs/secops/release-notes#November_10_2025

+2

cmerchant
Bronze 1
Forum|Forum|26 days ago
November 18, 2025

I get the same issue. I also get the same type of error when I try to do this for composite detections

G

Like

l0qu3s34
Bronze 1
Forum|Forum|26 days ago
November 19, 2025

strings.coalesce(target.ip,"ip_invalida")

Like

G

+1

Gabriel Marchi
Author
Bronze 1
Forum|Forum|26 days ago
November 19, 2025

HI @l0qu3s34 ,
Your solution works in some cases, but my intention with this question is to understand why the if doesn’t work when used on its own, and why I receive an error message when I try to compare with data table.