Sample YARA-L queries for dashboards

Supported in:

Google SecOps SIEM

This document provides query examples of common dashboards use cases, organized by data source. For more information about dashboards, see Dashboards overview.

The following queries are examples of common dashboard use cases, organized by data source:

UDM events

The following YARA-L query counts user logins, grouping them by login status of "ALLOW" or "BLOCK":

//USER_LOGIN by status
metadata.event_type = "USER_LOGIN"
$security_result = security_result.action
$security_result = "BLOCK" OR $security_result = "ALLOW"
match:
    $security_result
outcome:
    $event_count = count_distinct(metadata.id)

The following YARA-L query counts successful user logins over time:

//successful sign-ins over time 
metadata.event_type = "USER_LOGIN"
$security_result = security_result.action
$security_result = "ALLOW"
$date = timestamp.get_date(metadata.event_timestamp.seconds, "America/Los_Angeles")
match:
    $security_result, $date
outcome:
    $event_count = count_distinct(metadata.id)
order:
    $date desc

The following YARA-L query counts user logins, grouped by countries:

//user sign-ins by country
metadata.event_type = "USER_LOGIN"
$country = principal.location.country_or_region
$country != ""
match:
    $country
outcome:
    $event_count = count_distinct(metadata.id)
order:
    $event_count desc

Ingestion metrics

The following YARA-L query counts log, event, and drop counts, grouped by log type:

//log count, event count, and drop count by log type
ingestion.log_type != ""
$log_type = ingestion.log_type
match:
    $log_type
outcome:
    $log_count = sum(ingestion.log_count)
    $event_count = sum(ingestion.event_count)
    $drop_count = sum(ingestion.drop_count)
order:
    $log_count desc

Detections

The following YARA-L query counts detections, grouped by severity and date:

//Detection count by severity over time
$date = timestamp.get_date(detection.created_time.seconds)
$severity = detection.detection.severity
match:
    $date, $severity
outcome:
    $detection_count = count_distinct(detection.id)
order:
    $date asc

The following YARA-L query retrieves the top 10 rule names, ranked by their detection count:

//top ten rule names by detection count
$rule_name = detection.detection.rule_name
match:
    $rule_name
outcome:
    $count = count_distinct(detection.id)
order:
    $count desc
limit:
    10

The following YARA-L query retrieves the top 10 IP addresses, ranked by their detection count:

 $ip = group(detection.collection_elements.references.event.principal.ip,detection.collection_elements.references.event.target.ip,detection.collection_elements.references.event.src.ip)
$ip != ""
match:
  $ip
outcome:
  $count = count(detection.id)
order:
  $count desc
limit:
    10

IOCs

The following YARA-L query retrieves the top 10 IOCs, ranked by count:

//Top 10 IOCs by count
$ioc_value = ioc.ioc_value
match:
    $ioc_value
outcome:
    $ioc_count = count(ioc.ioc_value)
order:
    $ioc_count desc
limit: 
    10

What's next

Learn more about how to use functions to build dashboards using YARA-L 2.0 functions for Google Security Operations Native Dashboards.