Solved

Where can I find the official documentation/field list for the Detection Schema in YARA-L?

  • May 29, 2026
  • 2 replies
  • 21 views

joaocarvalho

Hello community,

I am currently working on building analytical dashboards within Google SecOps, querying directly against the detections table using the Detection Schema via the Dashboard/Analytics query engine.

While writing my dashboard aggregation queries, I often need to pivot and filter based on specific rule metadata. For example:

// Bind the rule name so it can be used both as a filter and as the match key.
$Rulename = detection.detection.rule_name

// Keep detections whose rule name, rule set display name or rule set mentions AWS.
(
  $Rulename = /AWS/ nocase or
  detection.detection.rule_set_display_name = /AWS/ nocase or
  detection.detection.rule_set = /AWS/ nocase
)

// Exclude one rule set by both its internal and display name.
detection.detection.rule_set != "Mandiant Hunt Cloud Identification Rules"
detection.detection.rule_set_display_name != "Mandiant Hunt Cloud Identification Rules"

$rule_set = detection.detection.rule_set_display_name

match:
  $Rulename

outcome:
  $Count = count_distinct(detection.id)
  $ruleSet = array_distinct($rule_set)

order:
  $Count desc

My issue is that while the UDM Schema is beautifully documented in the official UDM Field List documentation, I cannot find an equivalent comprehensive field list or reference documentation for the Detection Schema fields (such as the nested attributes under detection.detection.* or detection.*).

To work around this limitation, I've been intentionally forcing compiler errors by injecting non-existent fields (e.g., detection.detection.invalid_field_placeholder) so the syntax validator spits out the valid fields in the error message, like this:

compilation error compiling query: generating predicates: getting event field descriptors in predicate conversion: accessing field "detection.detection.invalid_field_placeholder": field "invalid_field_placeholder" does not exist, valid fields are: "about", "category", "category_details", "threat_name", "rule_set", "rule_set_display_name", "ruleset_category_display_name", "rule_id", "rule_name", "display_name", "rule_version", "rule_type", "rule_author", "rule_labels", "alert_state", "detection_fields", "outcomes"..."

While "hacking" the compiler parser gives me a temporary dictionary of fields, it doesn't scale, and it doesn't give me the expected data types or structural details of the objects.

Does anyone know if there is an official, public-facing documentation page or a PDF reference guide that maps out the entire data structure for the Detection Schema? If not, is there an internal resource or SecOps blog post that details this?

Any insights from fellow engineers or the Google SecOps product team would be highly appreciated!

Best regards,

João Guilherme

SIEM Consultant @Redbelt Security
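The workaround described in the post above (probing the compiler with a non-existent field and reading the "valid fields are" list back out of the error) can at least be made repeatable. The following Python is an added example, not code from the original poster, Redbelt Security or Google: it parses that error message into a per-parent field inventory and then lints a dashboard query for `detection.*` paths that are not in the inventory, so a typo is caught before the query is submitted. It assumes the error message keeps the exact wording quoted in the post, uses only the field names the page shows (the page truncates the list with "..."), and treats any `detection.<a>.<b>` token in the query text as a field reference, which is a heuristic rather than a YARA-L parser. The sample error and the typo query below are constructed; the first query is the poster's own.

```python
import re

# Constructed sample: the compiler error quoted in the post above, with the
# field list exactly as the page shows it (the page truncates it with "...").
SAMPLE_ERROR = (
    'compilation error compiling query: generating predicates: getting event '
    'field descriptors in predicate conversion: accessing field '
    '"detection.detection.invalid_field_placeholder": field '
    '"invalid_field_placeholder" does not exist, valid fields are: "about", '
    '"category", "category_details", "threat_name", "rule_set", '
    '"rule_set_display_name", "ruleset_category_display_name", "rule_id", '
    '"rule_name", "display_name", "rule_version", "rule_type", "rule_author", '
    '"rule_labels", "alert_state", "detection_fields", "outcomes"...'
)

# The poster's own dashboard query, copied from the post above.
POSTER_QUERY = """
$Rulename = detection.detection.rule_name

(
  $Rulename = /AWS/ nocase or
  detection.detection.rule_set_display_name = /AWS/ nocase or
  detection.detection.rule_set = /AWS/ nocase
)

detection.detection.rule_set != "Mandiant Hunt Cloud Identification Rules"
detection.detection.rule_set_display_name != "Mandiant Hunt Cloud Identification Rules"

$rule_set = detection.detection.rule_set_display_name

match:
  $Rulename

outcome:
  $Count = count_distinct(detection.id)
  $ruleSet = array_distinct($rule_set)

order:
  $Count desc
"""

# Constructed variant: one field path misspelled (rule_set_display_name -> ruleset_display_name).
TYPO_QUERY = POSTER_QUERY.replace(
    "detection.detection.rule_set_display_name = /AWS/",
    "detection.detection.ruleset_display_name = /AWS/", 1)

# Assumption: the error keeps the wording quoted in the post.
FIELD_ERROR = re.compile(
    r'accessing field "(?P<probe>[\w.]+)": '
    r'field "(?P<leaf>\w+)" does not exist, '
    r'valid fields are: (?P<fields>(?:"\w+"(?:, )?)+)'
)

# Heuristic: any dotted token rooted at "detection." counts as a field reference.
FIELD_REF = re.compile(r'\bdetection(?:\.\w+)+')


def parse_field_error(message: str) -> tuple[str, list[str]]:
    """Return (parent_path, valid_fields) from a 'does not exist' compiler error."""
    m = FIELD_ERROR.search(message)
    if m is None:
        raise ValueError("not a field-does-not-exist compiler error")
    probe, leaf = m.group("probe"), m.group("leaf")
    if not probe.endswith("." + leaf):
        raise ValueError(f"probe path {probe!r} does not end in {leaf!r}")
    parent = probe[: -(len(leaf) + 1)]
    return parent, re.findall(r'"(\w+)"', m.group("fields"))


def build_inventory(messages) -> dict[str, set[str]]:
    """Merge several probe errors (one per parent path) into {parent: {fields}}."""
    inventory: dict[str, set[str]] = {}
    for msg in messages:
        parent, fields = parse_field_error(msg)
        inventory.setdefault(parent, set()).update(fields)
    return inventory


def lint_query(query: str, inventory) -> tuple[list[str], list[str]]:
    """Return (unknown_paths, unprobed_parents): paths whose parent was probed but
    whose leaf is not listed, and parents no probe has covered yet."""
    unknown, unprobed = [], []
    for path in sorted(set(FIELD_REF.findall(query))):
        parent, _, leaf = path.rpartition(".")
        if parent not in inventory:
            if parent not in unprobed:
                unprobed.append(parent)
        elif leaf not in inventory[parent]:
            unknown.append(path)
    return unknown, unprobed


if __name__ == "__main__":
    inv = build_inventory([SAMPLE_ERROR])
    for parent, fields in inv.items():
        print(f"{parent}: {', '.join(sorted(fields))}")
    print("poster query:", lint_query(POSTER_QUERY, inv))
    print("typo query:  ", lint_query(TYPO_QUERY, inv))
```

Each probe error only describes the one parent path that was probed, so `detection.id` is reported as "unprobed" rather than unknown until an error for the `detection` root has been added to the inventory; the same applies to the nested objects (`about`, `outcomes`, `detection_fields`) which need their own probe each. That is exactly the scaling problem the post describes, and why the documentation link in the accepted answer is the better source.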

2 replies

AymanC
  • Bronze 5
  • Answer
  • May 29, 2026

Hi @joaocarvalho,

This is likely what you're looking for - YARA-L 2.0 dashboard query library | Google Security Operations | Google Cloud Documentation

Kind Regards,

Ayman


joaocarvalho
  • Author
  • Bronze 1
  • May 29, 2026

Hi Ayman,

Wow, that was blazing fast!

This is precisely what I was looking for. Having the comprehensive root and nested detection.detection.* fields mapped out saves us from doing reverse engineering via compiler syntax errors.

Thank you so much for the quick and accurate help.

Kind regards,

João Guilherme