YARA-L Best Practices

This document describes Chronicle's recommended best practices for writing rules in YARA-L.

Filter out zero values

For the following rule that joins two UDM events having the same hostname:

events:
  $e1.principal.hostname = $hostname
  $e2.principal.hostname = $hostname
  ...

Many UDM events could have an empty hostname. Performing a join on events with empty hostnames needlessly consumes resources, and the resulting detections might not be useful. To increase the efficiency of this rule, add filters that exclude the zero value for the join variables (in the following example, $hostname != ""):

events:
  $hostname != "" // Filter out the zero value.

  $e1.principal.hostname = $hostname
  $e2.principal.hostname = $hostname
  ...

Add these filters to the beginning of the events section. Filters are applied in the order they appear in the rule.

Add an event type filter

In the following example, the IP addresses for each UDM event are checked against the reference list, consuming a lot of resources:

events:
  // For every UDM event, check if the target.ip is listed in
  // the suspicious_ip_addresses reference list.
  $e.target.ip in %suspicious_ip_addresses

If your YARA-L rule only needs to detect on UDM events of a particular event type, adding an event type filter optimizes the rule by reducing the number of events it must evaluate:

events:
  // For every UDM event of type NETWORK_DNS, check if the target.ip is
  // listed in the suspicious_ip_addresses reference list.
  $e.metadata.event_type = "NETWORK_DNS"
  $e.target.ip in %suspicious_ip_addresses

Add these filters to the beginning of the events section. You should also put equality filters before regex or other comparisons. Filters are applied in the order they appear in the rule.
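A complete rule that applies both recommendations above (zero-value filter on the join variable, event type filter first, equality filters before regex) is shown below as an added example; it is not from the original document. The rule name, the NETWORK_HTTP event type, the match window and the regex are assumptions, while %suspicious_ip_addresses is the reference list named above.

```yaral
rule dns_and_http_to_suspicious_ip_same_host {
  meta:
    author = "example author (assumed)"
    description = "Host resolves a suspicious IP and then makes HTTP traffic to it; joins two UDM events on hostname with cheap filters applied first."
    severity = "MEDIUM"

  events:
    // 1. Equality filters first: they are applied in the order written and
    //    discard most events before any join or regex work is done.
    $e1.metadata.event_type = "NETWORK_DNS"
    $e2.metadata.event_type = "NETWORK_HTTP"

    // 2. Filter out the zero value of the join variable so that events with
    //    an empty hostname are never joined against each other.
    $hostname != ""
    $e1.principal.hostname = $hostname
    $e2.principal.hostname = $hostname

    // 3. Reference list lookup now runs only on the filtered DNS events.
    $e1.target.ip in %suspicious_ip_addresses

    // 4. Tie the HTTP event to the same suspicious IP (placeholder variable).
    $e1.target.ip = $ip
    $e2.target.ip = $ip

    // 5. Regex comparisons last; the pattern here is an assumed example.
    re.regex($e2.target.url, `^http://`)

  match:
    // Correlate both events for the same host within an assumed 1 hour window.
    $hostname over 1h

  outcome:
    $risk_score = max(50)
    $suspicious_ip = array_distinct($ip)

  condition:
    $e1 and $e2
}
```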