Skip to main content
Question

YARA-L Question: Password Change Initiated from First Time Seen Country

  • July 14, 2026
  • 2 replies
  • 16 views

ar3diu
Forum|alt.badge.img+11

I am trying to write a rule for Google Workspace password resets initiated from a country that has not been seen in the last 30 days.
For some reason, the `first_seen` metric is malfunctioning (returning 0 even though the user has logged in from that country before).

Any tips?

 

$password_change.metadata.log_type = "WORKSPACE_ACTIVITY"
$password_change.metadata.product_name = "login"
$password_change.metadata.product_event_type = "password_edit"
$password_change.principal.ip_geo_artifact.location.country_or_region != ""

$user = $password_change.security_result.about.email
$country = $password_change.principal.ip_geo_artifact.location.country_or_region

match: $user, $country

outcome:
$first_seen_country = max(metrics.auth_attempts_success(
period:1d, window:30d,
metric:first_seen,
agg:max,
target.user.email_addresses:$user,
principal.ip_geo_artifact.location.country_or_region:$country))

condition:
$password_change and $first_seen_country = 0

 

2 replies

whathehack81
Forum|alt.badge.img+4

The metric is probably not malfunctioning. A return value of 0 also means that no metric series matched all supplied dimensions.

Your $user is extracted from the password-change event, but the metric filters historical authentication events using:

target.user.email_addresses: $user

principal.ip_geo_artifact.location.country_or_region: $country

Confirm that successful Workspace login events actually populate those exact two UDM fields. Depending on the parser, the authenticated identity may be under principal.user.email_addresses instead of target.user.email_addresses.

For a “not seen during the previous 30 days” check, an event count is also clearer than first_seen:

$previous_logins = sum(metrics.auth_attempts_success(

    period: 1d,

    window: 30d,

    metric: event_count_sum,

    agg: sum,

    principal.user.email_addresses: $user,

    principal.ip_geo_artifact.location.country_or_region: $country

))

Then:

condition:

    $password_change and $previous_logins = 0

Use target.user.email_addresses instead if that is where the login parser actually places the user. I would validate the historical login events in raw UDM first; otherwise 0 is indistinguishable from a genuinely new country


whathehack81
Forum|alt.badge.img+4

This will not reliably detect 30 minutes of event silence.

A YARA-L rule is evaluated when an event is processed. After the final event arrives, there is no new event at +1800 seconds to cause this condition to be evaluated:

$event and $seconds_since_last_event > 1800

It can only fire when another event later causes evaluation. For actual source-silence monitoring, use a scheduled search/health check, or a periodic heartbeat event and compare it with the last observed event for the specific source or host. Also use ingestion time rather than event time when the objective is detecting pipeline failure rather than delayed source timestamps.