Hi everyone, I’m looking for guidance on converting a KQL-based analytic rule into Chronicle YARA-L format. The rule involves correlating failed sign-in attempts to disabled accounts with successful sign-ins from the same IP address, using distinct user counts per IP and a ratio threshold to flag suspicious behaviour. I’d appreciate examples or best practices for: (1) joining different event types by a common field (IP address), (2) maintaining distinct counts of users per IP in YARA-L, and (3) implementing ratio logic (e.g., failed attempts vs. successful attempts) within the Chronicle framework. If anyone has a similar rule or template, it would be very helpful.
Link: https://analyticsrules.exchange/analyticrules/500c103a-0319-4d56-8e99-3cec8d860757/
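Added as a reference implementation, not taken from the post or from the linked rule: the correlation logic the question describes (group by source IP, distinct failed-to-disabled-account users vs. distinct successful users, ratio threshold), written in Python over a small set of constructed sign-in events. Its purpose is to give a known-good oracle to check a YARA-L port against. The field names, thresholds and sample IPs are assumptions; the three IPs are chosen to cover the interesting cases (suspicious, benign, and failures with no matching success).

```python
"""Reference model of the disabled-account sign-in correlation.

Mapping to the YARA-L shape the question asks about (assumed, not verified here):
  - grouping on ip            -> the rule's match variable ($ip over a time window)
  - len(set_of_users) per ip  -> count_distinct(...) in the outcome section
  - the ratio and thresholds  -> outcome arithmetic / condition section
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ip: str
    user: str
    success: bool
    account_disabled: bool  # True when the target account was disabled at sign-in time


# Constructed sample events; IPs are from documentation ranges, users are invented.
SAMPLE_EVENTS = [
    # 203.0.113.10: four distinct failures against disabled accounts plus one success -> suspicious
    SignIn("203.0.113.10", "alice.old", False, True),
    SignIn("203.0.113.10", "bob.former", False, True),
    SignIn("203.0.113.10", "carol.left", False, True),
    SignIn("203.0.113.10", "dave.retired", False, True),
    SignIn("203.0.113.10", "dave.retired", False, True),   # repeat: must not inflate the distinct count
    SignIn("203.0.113.10", "eve.active", True, False),
    # 198.51.100.7: one stale-account failure and several successes -> benign ratio
    SignIn("198.51.100.7", "frank.old", False, True),
    SignIn("198.51.100.7", "gina", True, False),
    SignIn("198.51.100.7", "hank", True, False),
    SignIn("198.51.100.7", "ivy", True, False),
    # 192.0.2.5: failures only, no successful sign-in to correlate with -> no finding
    SignIn("192.0.2.5", "joe.old", False, True),
    SignIn("192.0.2.5", "kim.old", False, True),
    # 198.51.100.9: failure to an *enabled* account; not the event type this rule keys on
    SignIn("198.51.100.9", "leo", False, False),
    SignIn("198.51.100.9", "mia", True, False),
]


def correlate(events, min_failed_users=3, ratio_threshold=2.0):
    """Return {ip: finding} for IPs whose distinct disabled-account failures
    outnumber distinct successful users by at least ratio_threshold.

    An IP only qualifies if it has BOTH event types (the join), at least
    min_failed_users distinct failed users, and failed/successful >= ratio_threshold.
    """
    failed_users = defaultdict(set)      # ip -> users with failed sign-ins to disabled accounts
    successful_users = defaultdict(set)  # ip -> users with successful sign-ins
    for e in events:
        if e.success:
            successful_users[e.ip].add(e.user)
        elif e.account_disabled:
            failed_users[e.ip].add(e.user)

    findings = {}
    # Intersection of keys is the "join on IP": IPs seen in both event types.
    for ip in failed_users.keys() & successful_users.keys():
        n_failed = len(failed_users[ip])
        n_success = len(successful_users[ip])
        ratio = n_failed / n_success  # n_success >= 1 here, so no division by zero
        if n_failed >= min_failed_users and ratio >= ratio_threshold:
            findings[ip] = {
                "failed_users": n_failed,
                "successful_users": n_success,
                "ratio": ratio,
                "failed_user_list": sorted(failed_users[ip]),
                "successful_user_list": sorted(successful_users[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, f in correlate(SAMPLE_EVENTS).items():
        print(ip, f)
```

Running this against a set of events exported from the SIEM alongside the ported rule's output makes the three sub-questions concrete: the join is the set intersection on IP, the distinct counts are set sizes, and the ratio is computed only after the join so the denominator is never zero. When checking the YARA-L version, the repeated `dave.retired` failure and the enabled-account failure on 198.51.100.9 are the two cases most likely to expose a mistake in the distinct count or in the event filter.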