
Hello Team,

New to YARA-L, and I am trying to understand how to get a rule to alert if there is a "new" event NOT followed by a "resolved" event in a 5 min window.

This is what I have currently:

rule testAlert {
  events:
    $new.metadata.event_status = "new"
    $new.metadata.vendor_name = "Microsoft"
    $new.target.user.userid = $targetUser

    $resolved.metadata.event_type = "resolved"
    $resolved.metadata.vendor_name = "Microsoft"
    $resolved.target.user.userid = $targetUser

  match:
    $targetUser over 5m

  condition:
    $new and #resolved < 1
}

However this still seems to be alerting when there has been a resolved event.


Hi,

#resolved is always greater than or equal to 0 (#resolved > n where n >= 0).

You are checking for event absence and you might want to look into non-existence (!$resolved).

You can find documentation and example here: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#bounded_and_unbounded_conditions



A hypothetical use case where the logic you're referring to could be used is where a scheduled task has been modified, but no scheduled task has been enabled thereafter within a 30 minute period: the condition $modified is triggered, but the condition $enable isn't.

rule Condition_Not_Match_Identification {
  meta:
    author = "Ayman C"

  events:
    $PrincipalHost = $modified.principal.hostname
    $modified.metadata.log_type = "WINEVTLOG"
    $modified.metadata.event_type = "SCHEDULED_TASK_MODIFICATION"

    $PrincipalHost = $enable.principal.hostname
    $enable.metadata.log_type = "WINEVTLOG"
    $enable.metadata.event_type = "SCHEDULED_TASK_ENABLE"

  match:
    $PrincipalHost over 30m

  outcome:
    $EnableCount = count_distinct($enable.metadata.id)

  condition:
    $modified and !$enable
}



It is also worth noting that the UDM field in your original rule logic, 'metadata.event_status', is not valid.
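To make the semantics of "trigger event with no matching follow-up event for the same key inside a window" concrete outside of Chronicle, here is an added Python simulation (not code from the thread, and not how the YARA-L engine itself is implemented). It evaluates both scenarios discussed above with one generic function: the "new" without "resolved" per user over 5 minutes, and the scheduled-task modification without enable per host over 30 minutes. The event records are constructed sample data in a flattened UDM-like shape; the field names mirror the UDM paths used in the rules, and both scenarios use a single event_type field for simplicity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical data, not Chronicle output).
EVENTS = [
    # alice: "new" followed by "resolved" 2 minutes later -> no alert
    {"ts": "2024-01-01T10:00:00", "event_type": "new", "vendor_name": "Microsoft", "userid": "alice"},
    {"ts": "2024-01-01T10:02:00", "event_type": "resolved", "vendor_name": "Microsoft", "userid": "alice"},
    # bob: "resolved" arrives 15 minutes later, outside a 5m window -> alert
    {"ts": "2024-01-01T10:05:00", "event_type": "new", "vendor_name": "Microsoft", "userid": "bob"},
    {"ts": "2024-01-01T10:20:00", "event_type": "resolved", "vendor_name": "Microsoft", "userid": "bob"},
    # carol: never resolved -> alert
    {"ts": "2024-01-01T10:10:00", "event_type": "new", "vendor_name": "Microsoft", "userid": "carol"},
    # dave: different vendor, so the trigger filter never matches -> ignored
    {"ts": "2024-01-01T10:11:00", "event_type": "new", "vendor_name": "Other", "userid": "dave"},
]

# Constructed sample events for the scheduled-task scenario.
TASK_EVENTS = [
    {"ts": "2024-01-01T09:00:00", "log_type": "WINEVTLOG", "event_type": "SCHEDULED_TASK_MODIFICATION", "hostname": "host-a"},
    {"ts": "2024-01-01T09:10:00", "log_type": "WINEVTLOG", "event_type": "SCHEDULED_TASK_ENABLE", "hostname": "host-a"},
    {"ts": "2024-01-01T09:00:00", "log_type": "WINEVTLOG", "event_type": "SCHEDULED_TASK_MODIFICATION", "hostname": "host-b"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def unanswered(events, key, is_trigger, is_resolver, window):
    """Return (key_value, trigger_ts) for every trigger event that has no resolver
    event with the same key value within `window` after it.

    This mirrors 'condition: $trigger and !$resolver' combined with
    'match: $key over window': events are grouped by the match variable, and a
    group produces a detection only when the trigger exists and the resolver does not.
    """
    by_key = defaultdict(list)
    for e in events:
        if is_trigger(e) or is_resolver(e):
            by_key[e[key]].append(e)

    hits = []
    for k, evs in by_key.items():
        resolver_times = sorted(_ts(e) for e in evs if is_resolver(e))
        for t in evs:
            if not is_trigger(t):
                continue
            start = _ts(t)
            answered = any(start <= r <= start + window for r in resolver_times)
            if not answered:
                hits.append((k, t["ts"]))
    return sorted(hits)


def new_without_resolved(events, window_minutes=5):
    """First scenario: a Microsoft 'new' event per user with no 'resolved' event."""
    return unanswered(
        events,
        key="userid",
        is_trigger=lambda e: e["event_type"] == "new" and e["vendor_name"] == "Microsoft",
        is_resolver=lambda e: e["event_type"] == "resolved" and e["vendor_name"] == "Microsoft",
        window=timedelta(minutes=window_minutes),
    )


def modified_without_enable(events, window_minutes=30):
    """Second scenario: a scheduled-task modification per host with no enable."""
    return unanswered(
        events,
        key="hostname",
        is_trigger=lambda e: e["log_type"] == "WINEVTLOG" and e["event_type"] == "SCHEDULED_TASK_MODIFICATION",
        is_resolver=lambda e: e["log_type"] == "WINEVTLOG" and e["event_type"] == "SCHEDULED_TASK_ENABLE",
        window=timedelta(minutes=window_minutes),
    )


if __name__ == "__main__":
    print(new_without_resolved(EVENTS))
    print(modified_without_enable(TASK_EVENTS))
```

One design difference worth knowing: this simulation only accepts a resolver that arrives after the trigger, because that is what the question asked for. A YARA-L match window on its own correlates events that fall inside the window in either order; if the ordering matters in the real rule, compare the two events' metadata.event_timestamp values explicitly in the events section.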
