
Hello Team 

New to YARA-L and I am trying to understand how to get a rule to alert if there is a "new" event NOT followed by a "resolved" event in a 5 minute window.

This is what I have currently:

rule testAlert {
  events:
    $new.metadata.event_status = "new"
    $new.metadata.vendor_name = "Microsoft"
    $new.target.user.userid = $targetUser

    $resolved.metadata.event_type = "resolved"
    $resolved.metadata.vendor_name = "Microsoft"
    $resolved.target.user.userid = $targetUser

  match:
    $targetUser over 5m

  condition:
    $new and #resolved < 1
}

However, this still seems to be alerting when there has been a resolved event.

 

Hi,

#resolved has to be greater than or equal to 0 (#resolved > n, where n >= 0).

You are checking for event absence, and you might want to look into non-existence (!$resolved).

You can find documentation and an example here: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#bounded_and_unbounded_conditions
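To make that concrete, here is a corrected version of the rule from the question, written as an added example rather than a rule posted by anyone in this thread. It assumes the vendor's "new"/"resolved" status is carried in metadata.product_event_type (metadata.event_status is not a UDM field, so the original filter would never match); the rule name and meta values are made up.

```yaral
rule new_without_resolved_5m {
  meta:
    author = "example"
    description = "Alert when a 'new' event for a user has no matching 'resolved' event within 5 minutes"

  events:
    // Assumption: the vendor status ("new"/"resolved") is mapped into
    // metadata.product_event_type. Adjust to wherever your parser puts it.
    $new.metadata.vendor_name = "Microsoft"
    $new.metadata.product_event_type = "new"
    $new.target.user.userid = $targetUser

    $resolved.metadata.vendor_name = "Microsoft"
    $resolved.metadata.product_event_type = "resolved"
    $resolved.target.user.userid = $targetUser

  match:
    // Both events are correlated per user over a 5 minute window
    $targetUser over 5m

  condition:
    // Non-existence is written with "!", not with a count upper bound:
    // "#resolved < 1" is not a bounded condition and does not express absence.
    $new and !$resolved
}
```

Two things to keep in mind when adapting this. First, the condition is the only change that addresses the original problem: counts in the condition section can only be bounded from below (#var > n with n >= 0), so absence of the second event has to be written as !$resolved. Second, the match window does not impose ordering, so the rule fires whenever a window for a given user contains a "new" event and no "resolved" event at all, whether the missing resolved event would have come before or after the new one.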

 


A hypothetical use case where the logic you're referring to could be used is where a scheduled task has been modified, but no scheduled task has been enabled thereafter within a 30 minute period: the condition $modified is triggered, but the condition $enable isn't.

rule Condition_Not_Mach_Identification {
  meta:
    author = "Ayman C"

  events:
    $PrincipalHost = $modified.principal.hostname
    $modified.metadata.log_type = "WINEVTLOG"
    $modified.metadata.event_type = "SCHEDULED_TASK_MODIFICATION"

    $PrincipalHost = $enable.principal.hostname
    $enable.metadata.log_type = "WINEVTLOG"
    $enable.metadata.event_type = "SCHEDULED_TASK_ENABLE"

  match:
    $PrincipalHost over 30m

  outcome:
    $EnableCount = count_distinct($enable.metadata.id)

  condition:
    $modified and !$enable
}



It is also worth noting that the UDM field 'metadata.event_status' used in your original rule logic is not valid.