I'm trying to write a nested if then else condition in the outcomes section and I am getting this error: 
At first I assumed I was missing but I even tested the statement that's been provided by @jstoner for another question see here: https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Else-if-condition-SecOps/m-p/855792/highlight/true
Even this one throws the same error in our instance. Is there any chance nesting needs to be enabled further on the backend or is there something I am missing?
Best answer by jstoner
The issue is that there is a gap in the current functionality between search/dashboards and the rules engine. We have made this nested conditional statement that I highlighted in the search/dashboard available but we have not added it to the rules engine (yet). We have work going on to merge items like this so that we have consistency across search and rules.
The above example is valid for rules that are not using a match section but if you are using aggregation in the rule (using a match section) the outcome section will require aggregation functions for the outcome variables. Because of that, below are a few examples of methods you could use with the aggregation functions.
outcome:
$if_nested_1 = max(if($process.principal.hostname = /win-adfs/, 5, 0))
$if_nested_2 = max(if($process.principal.hostname = /server/, 3, 0))
$if_nested_3 = max(if($process.principal.hostname = /win-atomic/, 1, 0))
$sum_it = $if_nested_1 + $if_nested_2 + $if_nested_3
outcome:
$if_nested = max(if($process.principal.hostname = /win-adfs/, 5, 0)) +
max(if($process.principal.hostname = /server/, 3, 0)) +
max(if($process.principal.hostname = /win-atomic/, 1, 0))
+12Hey @spwalz ,
Unless I'm missing something obvious, both the error that you provided and the official YARA-L documentation (https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#condition_section_syntax) allude to only being able to use placeholders, event fields, and constants in conditional statements. In other words, you cannot include a nested if‑statement (or any other function calls or expressions that aren’t one of those allowed types) in the else clause.
I tested it out in my instance using the example you posted and get the same error message. That being said, the answer you linked was from the Google team (@jstoner) so I'd be interested to see if it there are cases where you can actually chain additional conditionals together.
As an alternative, you should be able to create individual if statements and work with the output of the statements:
$score1 = if($e.principal.user.userid = /value1/, 5, 0)
$score2 = if($e.principal.user.userid = /value2/, 3, 0)
$final_score = $score1 + $score2 // Or whatever you want to do with the output
+22The issue is that there is a gap in the current functionality between search/dashboards and the rules engine. We have made this nested conditional statement that I highlighted in the search/dashboard available but we have not added it to the rules engine (yet). We have work going on to merge items like this so that we have consistency across search and rules.
The above example is valid for rules that are not using a match section but if you are using aggregation in the rule (using a match section) the outcome section will require aggregation functions for the outcome variables. Because of that, below are a few examples of methods you could use with the aggregation functions.
outcome:
$if_nested_1 = max(if($process.principal.hostname = /win-adfs/, 5, 0))
$if_nested_2 = max(if($process.principal.hostname = /server/, 3, 0))
$if_nested_3 = max(if($process.principal.hostname = /win-atomic/, 1, 0))
$sum_it = $if_nested_1 + $if_nested_2 + $if_nested_3
outcome:
$if_nested = max(if($process.principal.hostname = /win-adfs/, 5, 0)) +
max(if($process.principal.hostname = /server/, 3, 0)) +
max(if($process.principal.hostname = /win-atomic/, 1, 0))
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.