Question

Need Guidance Converting Complex Rule Logic to Chronicle YARA-L

Forum|Forum|3 months ago
November 25, 2025
3 replies
106 views

+4

havox
New Member

I am currently converting the following rule logic given below:
https://analyticsrules.exchange/analyticrules/237c3855-138c-4588-a68f-b870abd3bfc9/

I have already implemented most of the correlation and hotword-matching logic, but I am stuck on how to express several KQL constructs in Chronicle YARA-L, especially for the AzureDiagnostics table. can’t find appropriate Documentation for AzureDiagnostics.

The KQL portion I am struggling to translate is exactly this:

| extend hasHotword = iff(Statement has_any (hotwords), 1, 0) | summarize countEvents = count(), countStatements = dcount(Statement) , countStatementsWithHotwords = dcountif(Statement, hasHotword == 1) , countFailedStatementsWithHotwords = dcountif(Statement, (hasHotword == 1) and (Error > 0)) , countSuccessfulStatementsWithHotwords = dcountif(Statement, ((hasHotword == 1)) and (Error == 0)) , anyMonitoredStatement = anyif(Statement, (hasHotword == 1)) , anySuccessfulMonitoredStatement = anyif(Statement, (hasHotword == 1) and (Error == 0)) , anyInfo = anyif(AdditionalInfo, hasHotword == 1) , hotWord = anyif(extract(strcat_array(hotwords, '|'), 0, tolower(Statement)), hasHotword == 1) by Database, ClientIp, ApplicationName, PrincipalName, timeSlice,HostName,ResourceId | extend WindowType = case( timeSlice >= ago(detectionWindow), 'detection', (ago(trainingWindow) <= timeSlice and timeSlice < ago(detectionWindow)), 'training', 'other') | where WindowType in ('detection', 'training')); let trainingSet = processedData | where WindowType == 'training' | summarize countSlicesWithHotwords = dcountif(timeSlice, countStatementsWithHotwords >= monitoredStatementsThreshold) by Database; processedData | where WindowType == 'detection' | join kind = inner (trainingSet) on Database | extend IsHotwordAnomalyOnStatement = iff(((countStatementsWithHotwords >= monitoredStatementsThreshold) and (countSlicesWithHotwords <= trainingSlicesThreshold)), true, false) , anomalyScore = round(countStatementsWithHotwords/monitoredStatementsThreshold, 0) | where IsHotwordAnomalyOnStatement == 'true'

Kindly help this out @cmmartin_google @jstoner

+4

Austin123
Bronze 3
Forum|Forum|3 months ago
November 26, 2025

Hi @jstoner & @cmmartin_google ,

Could you please provide some insight.

Like

+23

jstoner
Staff
Forum|Forum|3 months ago
November 26, 2025

I honestly don’t know where to start with this very open ended question.

Are you asking for assistance from the community for help with Azure Diagnostic documentation? Is that one our side in terms of our parsing of that data or what Microsoft provides for that table?

Or are you asking for assistance to understand what the equivalent command in YARA-L is for a KQL command? We may not have an equivalent for all commands that are there but specific questions on a command is something we may be able to point you to an equivalent.

Finally, are you aware of the multi-stage query capability that is in public preview to process an output and then take that output and process it in the next stage? It is not in rules yet but it is available in search if you want to check that out as well.

https://docs.cloud.google.com/chronicle/docs/investigation/multi-stage-yaral

Like

+4

Austin123
Bronze 3
Forum|Forum|3 months ago
November 27, 2025

Hi @jstoner ,

Thanks for your response. Something similar or equivalent.

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded