
Hello,

I am looking for a way to have a more dynamic risk score value for custom detections. For an alert about downloading logs, I would like the $risk_score to go up when there are more unique files downloaded. I am trying with min() and if() with no luck. Here is the code:

$n_files = count_distinct($udm_download.target.resource.name)  // number of unique file downloads

$risk_score = $base_score + min($n_files/50 20)  // If fewer than 1000 docs, add a value based on the number of unique docs; if more than 1000 docs, it maxes out at 20 extra score.

This approach does not work:

parsing: invalid number of arguments for min

$risk_score = $base_score + if($n_files/50 > 20, 20, $n_files/100)  // If fewer than 1000 docs, it should return the $n_files/100 value; if more than 1000 docs, it caps out at 20 extra score.

This approach also does not work:

parsing: Only placeholders, event fields, and constants are allowed in else clause

Is there any way or function that I am missing? Thanks.

Hi @UriJ,

How about approaching it like the below method:

rule TEST_INCRMENT {
  meta:
    rule_version = "1.7"
    author = "Ayman C"

  events:
    $udm.principal.asset.hostname = $Hostname
    $udm.metadata.event_timestamp.seconds = $EventTimestamp
    $udm.metadata.log_type = "ZEEK"

  match:
    $Hostname over 1h

  outcome:
    // Base score 60, plus 10 each for Sunday (day 1), Saturday (day 7),
    // early-morning hours and evening hours; max() aggregates over the matched events
    $risk_score = max(60
      + if(1 = timestamp.get_day_of_week($EventTimestamp, "GMT"), 10)
      + if(7 = timestamp.get_day_of_week($EventTimestamp, "GMT"), 10)
      + if((timestamp.get_hour($EventTimestamp, "GMT") >= 0 and timestamp.get_hour($EventTimestamp, "GMT") <= 6), 10)
      + if((timestamp.get_hour($EventTimestamp, "GMT") >= 18 and timestamp.get_hour($EventTimestamp, "GMT") <= 24), 10))
    $n_files = count_distinct($udm.target.resource.name)
    // Tiered increment built from stacked if() calls: +1 at 800 or more unique files, +2 more at 4000 or more
    $OtherIncrment = if($n_files / 40 >= 20, 1, 0) + if(($n_files / 40 >= 100), 2, 0)

  condition:
    $udm and ($OtherIncrment >= 1 and $risk_score > 60 or $OtherIncrment > 1)
}

Kind Regards,

Ayman
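The same stacked-if() technique applied to the original question (unique files downloaded per user in an hour, with the extra score capped at +20), as an added example that is not from the original thread and not Ayman's or UriJ's code. The event type, the field names, the base score and the thresholds are assumptions to be adjusted to your log source; validate the rule in the rule editor before deploying it.

```yaral
rule download_volume_risk_score {
  meta:
    author = "added example, not part of the original thread"
    description = "Risk score that grows with the number of unique files a user downloaded in an hour, capped at +20"

  events:
    // Assumption: downloads are normalized as FILE_READ; change to the event_type your parser emits
    $download.metadata.event_type = "FILE_READ"
    $download.principal.user.userid = $user
    $download.target.resource.name != ""

  match:
    $user over 1h

  outcome:
    $n_files = count_distinct($download.target.resource.name)
    // There is no two-argument min() to cap the bonus, so the cap is built from fixed steps:
    // each threshold crossed adds 5, giving 0, 5, 10, 15 or 20 extra and never more.
    // Thresholds (50/250/500/1000 files) and the base score of 40 are assumptions; tune them to your baseline.
    $risk_score = 40
      + if($n_files >= 50, 5, 0)
      + if($n_files >= 250, 5, 0)
      + if($n_files >= 500, 5, 0)
      + if($n_files >= 1000, 5, 0)

  condition:
    $download and $n_files >= 50
}
```

The two parser errors in the question are consistent with this shape: max() and min() in the outcome section take a single expression that they aggregate across the matched events (as Ayman's max(60 + ...) does), and the else branch of if() cannot carry an arithmetic expression, so a cap has to be expressed as fixed steps rather than as min(x, 20) or if(x > 20, 20, x/100).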




Hello,

Thanks for the reply AymanC, this works well enough since I can create multiple if statements and keep adding sections for a distributed risk score.

Thanks, I will mark it as solution.

Kind regards,

UriJ