Skip to main content
Solved

outcome caution occur while create a rule

  • March 6, 2025
  • 2 replies
  • 23 views
choihyuksun
Forum|alt.badge.img+1

I would like to create a rule that counts the difference between the number of push authentication attempts and response events when login into OKTA. However, a caution message appears. I clicked 'Learn More' and read the documentation, but I still don't understand why this caution occurs or how to address it. Could you explain the reason for this caution and how to fix the issue?
When writing rules with multiple event variables, outcomes that include sum, count, or arra
y are calculated over every combination of events.

events:
$push.metadata.log_type = "OKTA"
$push.metadata.product_event_type = "system.push.send_factor_verify_push"
$push.principal.user.userid = $userid

$response.metadata.log_type = "OKTA"
$response.metadata.product_event_type = "user.session.start"
$response.principal.user.userid = $userid

// $response.metadata.event_timestamp.seconds // $push.metadata.event_timestamp.seconds

match:
$userid over 30m after $push

outcome:
$push_count = sum(if($push.metadata.product_event_type = "system.push.send_factor_verify_push", 1, 0))
$response_count = sum(if($response.metadata.product_event_type = "user.session.start", 1, 0))
$bet_count = math.abs($push_count - $response_count)

condition:
$push and $response and $bet_count > 10

Best answer by jstoner

As you mentioned, the warning message can be seen by clicking on the yellow triangle and I assume you got the following message:

When writing rules with multiple event variables, outcomes that include sum, count, or array are calculated over every combination of events

Basically, it's saying the rule will work, it compiles correctly, but be mindful of this meaning the way the aggregation functions are being calculated. For others wondering what the link is, here it is. to https://cloud.google.com/chronicle/docs/detection/yara-l-issues#outcome_aggregations_with_multiple_event_variables

When the aggregation occurs, you now have combinations of events (from both event variables) and while aggregation functions that have distinct can pull out unique combinations, sum doesn't really have a good way to do this. I'm probably not doing a great job explaining it but I do have a solution to offer.

 
outcome:
 $push_count = count_distinct($push.metadata.id)
 $response_count = count_distinct($response.metadata.id)
 //$push_count = count_distinct(if($push.metadata.product_event_type = "system.push.send_factor_verify_push", 1, 0))
 //$response_count = count_distinct(if($response.metadata.product_event_type = "user.session.start", 1, 0))
 $bet_count = math.abs($push_count - $response_count)

If we stay away from sum in this case, we can still separate these unique events and count them, but we want to use something distinct, like the metadata.id which is unique to each event. If we count them distinctly with the event variable prepended to it we get a count of X number of row that meet the criteria laid out in the events section for push and doing the same for response we get Y number. Then the bet_count just calculates the difference between them...

 

2 replies

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • Answer
  • March 6, 2025

As you mentioned, the warning message can be seen by clicking on the yellow triangle and I assume you got the following message:

When writing rules with multiple event variables, outcomes that include sum, count, or array are calculated over every combination of events

Basically, it's saying the rule will work, it compiles correctly, but be mindful of this meaning the way the aggregation functions are being calculated. For others wondering what the link is, here it is. to https://cloud.google.com/chronicle/docs/detection/yara-l-issues#outcome_aggregations_with_multiple_event_variables

When the aggregation occurs, you now have combinations of events (from both event variables) and while aggregation functions that have distinct can pull out unique combinations, sum doesn't really have a good way to do this. I'm probably not doing a great job explaining it but I do have a solution to offer.

 
outcome:
 $push_count = count_distinct($push.metadata.id)
 $response_count = count_distinct($response.metadata.id)
 //$push_count = count_distinct(if($push.metadata.product_event_type = "system.push.send_factor_verify_push", 1, 0))
 //$response_count = count_distinct(if($response.metadata.product_event_type = "user.session.start", 1, 0))
 $bet_count = math.abs($push_count - $response_count)

If we stay away from sum in this case, we can still separate these unique events and count them, but we want to use something distinct, like the metadata.id which is unique to each event. If we count them distinctly with the event variable prepended to it we get a count of X number of row that meet the criteria laid out in the events section for push and doing the same for response we get Y number. Then the bet_count just calculates the difference between them...

 

choihyuksun
Forum|alt.badge.img+1
  • choihyuksunBronze 1
  • Author
  • Bronze 1
  • March 10, 2025

As you mentioned, the warning message can be seen by clicking on the yellow triangle and I assume you got the following message:

When writing rules with multiple event variables, outcomes that include sum, count, or array are calculated over every combination of events

Basically, it's saying the rule will work, it compiles correctly, but be mindful of this meaning the way the aggregation functions are being calculated. For others wondering what the link is, here it is. to https://cloud.google.com/chronicle/docs/detection/yara-l-issues#outcome_aggregations_with_multiple_event_variables

When the aggregation occurs, you now have combinations of events (from both event variables) and while aggregation functions that have distinct can pull out unique combinations, sum doesn't really have a good way to do this. I'm probably not doing a great job explaining it but I do have a solution to offer.

 
outcome:
 $push_count = count_distinct($push.metadata.id)
 $response_count = count_distinct($response.metadata.id)
 //$push_count = count_distinct(if($push.metadata.product_event_type = "system.push.send_factor_verify_push", 1, 0))
 //$response_count = count_distinct(if($response.metadata.product_event_type = "user.session.start", 1, 0))
 $bet_count = math.abs($push_count - $response_count)

If we stay away from sum in this case, we can still separate these unique events and count them, but we want to use something distinct, like the metadata.id which is unique to each event. If we count them distinctly with the event variable prepended to it we get a count of X number of row that meet the criteria laid out in the events section for push and doing the same for response we get Y number. Then the bet_count just calculates the difference between them...

 


Thank you for your answer

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.