As you mentioned, the warning message can be seen by clicking on the yellow triangle and I assume you got the following message:
When writing rules with multiple event variables, outcomes that include sum, count, or array are calculated over every combination of events
Basically, it's saying the rule will work and compiles correctly, but be mindful of what this means for the way the aggregation functions are being calculated. For others wondering what the link is, here it is: https://cloud.google.com/chronicle/docs/detection/yara-l-issues#outcome_aggregations_with_multiple_event_variables
When the aggregation occurs, you now have combinations of events (from both event variables), and while aggregation functions that have distinct can pull out unique combinations, sum doesn't really have a good way to do this. I'm probably not doing a great job explaining it, but I do have a solution to offer.
outcome:
    // metadata.id is unique per event, so count_distinct yields one per matched event
    // rather than one per $push/$response combination
    $push_count = count_distinct($push.metadata.id)
    $response_count = count_distinct($response.metadata.id)
    // a 0/1 flag collapses to a single distinct value, so these do not work:
    //$push_count = count_distinct(if($push.metadata.product_event_type = "system.push.send_factor_verify_push", 1, 0))
    //$response_count = count_distinct(if($response.metadata.product_event_type = "user.session.start", 1, 0))
    $bet_count = math.abs($push_count - $response_count)
If we stay away from sum in this case, we can still separate these unique events and count them, but we want to use something distinct, like the metadata.id, which is unique to each event. If we count them distinctly with the event variable prepended to it, we get a count of X number of rows that meet the criteria laid out in the events section for push, and doing the same for response we get Y number. Then the bet_count just calculates the difference between them...
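To make the warning concrete, here is a small Python simulation (added here, not code from the post or from Chronicle) of how outcome aggregations run over every $push/$response combination once the two event variables are joined; the sample events, the join field and the counts are constructed assumptions.

```python
"""Constructed simulation of YARA-L multi-event-variable aggregation.

Outcome aggregations are evaluated over the cross product of all $push and
$response events that satisfy the match; count()/sum() therefore inflate,
while count_distinct() over a per-event unique id does not."""
from itertools import product

PUSH_TYPE = "system.push.send_factor_verify_push"
RESPONSE_TYPE = "user.session.start"

# Constructed sample events: alice has 3 pushes and 2 responses, bob has a push only.
PUSH_EVENTS = [
    {"metadata.id": "p1", "user": "alice", "type": PUSH_TYPE},
    {"metadata.id": "p2", "user": "alice", "type": PUSH_TYPE},
    {"metadata.id": "p3", "user": "alice", "type": PUSH_TYPE},
    {"metadata.id": "p4", "user": "bob", "type": PUSH_TYPE},
]
RESPONSE_EVENTS = [
    {"metadata.id": "r1", "user": "alice", "type": RESPONSE_TYPE},
    {"metadata.id": "r2", "user": "alice", "type": RESPONSE_TYPE},
]

def join_on_user(pushes, responses):
    """Every ($push, $response) pair sharing the match variable (here: user)."""
    return [(p, r) for p, r in product(pushes, responses) if p["user"] == r["user"]]

def naive_sum_of_flag(pairs):
    """sum(if($push.type = PUSH_TYPE, 1, 0)): one per combination, not per push."""
    return sum(1 if p["type"] == PUSH_TYPE else 0 for p, _ in pairs)

def count_distinct_flag(pairs):
    """count_distinct(if(..., 1, 0)) collapses to the number of distinct flags."""
    return len({1 if p["type"] == PUSH_TYPE else 0 for p, _ in pairs})

def count_distinct_id(pairs, side):
    """count_distinct($side.metadata.id): one per underlying event."""
    idx = 0 if side == "push" else 1
    return len({pair[idx]["metadata.id"] for pair in pairs})

def outcome(pushes=PUSH_EVENTS, responses=RESPONSE_EVENTS):
    pairs = join_on_user(pushes, responses)
    push_count = count_distinct_id(pairs, "push")
    response_count = count_distinct_id(pairs, "response")
    return {
        "rows": len(pairs),                       # 3 pushes x 2 responses = 6 combinations
        "sum_flag": naive_sum_of_flag(pairs),     # 6, inflated by the cross product
        "distinct_flag": count_distinct_flag(pairs),  # 1, useless as a count
        "push_count": push_count,                 # 3
        "response_count": response_count,         # 2
        "bet_count": abs(push_count - response_count),  # 1
    }
```

Bob's push never pairs with a response, so it is excluded from the match entirely; only the matched alice events reach the outcome section.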
Thank you for your answer