@jstoner, (& any other staff) hope you're well.
I have been tinkering with Yara-L for a rule creation. Specifically, I want to detect RDP connections from users/hostnames in which their last RDP usage was 35 or more days ago (30 days is also fine). Is this possible with the current Yara-L? I've almost everything but I can't quite nail it down. If this isn't possible, is there a suitable compromise you can suggest e.g search for RDP connections then check if the associated user has logged in the past 30 days.
This is the best I've gotten:
rule rare_rdp_connections {
meta:
author: Bob
etc. etc.
events:
$e1.metadata.event_type = "NETWORK_CONNECTION"
$e1.src.port = 3389 or
$e1.target.port = 3389 or
$e1.network.application_protocol = "RDP"
$e1.principal.user.userid = $user
outcome:
$login_monthly_access = max(metrics.auth_attemtps_success)(period:1d, window:30d, metric:event_count_sum, agg:sum, $user)
condition:
$e1 and $login_monthly_access < 1
}
Again, ignoring any small errors, I want to know if this request is logically possible within YARA-L 2.0 & if not, is there a compromised version you can think of.
Thanks!