YARA-L 2.0 functions for Google SecOps Native Dashboards

In addition to the YARA-L 2.0 functions that Google Security Operations supports in the Detection Engine, the following functions can be used in dashboard queries to build charts. This document describes each of them, together with the IOC and rule set fields available to those queries.

math.log

Returns the natural log value of an integer or float expression as follows:

math.log(numericExpression)

  • Parameter type: NUMBER

  • Return type: NUMBER

Example

math.log($e1.network.sent_bytes) > 20

math.round

Returns the value of a float expression rounded to the specified number of decimal places. When decimalPlaces is omitted, the value is rounded to the nearest integer, as the examples below show.

math.round(numericExpression, decimalPlaces)

  • Parameter type: NUMBER

  • Return type: NUMBER

Examples

math.round(10.7) // returns 11
math.round(1.2567, 2) // returns 1.25
math.round(-10.7) // returns -11
math.round(-1.2) // returns -1
math.round(4) // returns 4, math.round(integer) returns the integer

group

Groups fields of the same type into a placeholder.

group(field1, field2, field3…)

  • Parameter type: Event type

  • Return type: Grouped event fields

Example

In the following example, the group() function gathers all the IP addresses found in the principal.ip, target.ip, and src.ip fields across all events that triggered the detection. The IP addresses are added to the placeholder variable $ip. The query then matches on $ip and returns, for each unique IP address, the number of distinct detections in which that address appears.

$ip = group(detection.collection_elements.references.event.principal.ip, detection.collection_elements.references.event.target.ip, detection.collection_elements.references.event.src.ip)
$ip != ""
match:
  $ip
outcome:
  $count = count_distinct(detection.id)
order:
  $count desc

// Detection1: principal.ip = 1.1.1.1
// Detection2: src.ip = 1.1.1.1, target.ip = 2.2.2.2
// Detection3: target.ip = 1.1.1.1
// Detection4: principal.ip = 2.2.2.2

Result:

$ip       $count
1.1.1.1   3
2.2.2.2   2
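To make the grouping semantics concrete, here is an added Python model of the query above; it is not Google SecOps code and does not run inside SecOps. It replays the four detections from the comment block and adds a fifth, constructed detection that carries the same IP address in two fields, to show that count_distinct(detection.id) still counts that detection once rather than once per field.

```python
from collections import defaultdict

# Constructed sample detections modelled on the page's comment block.
# None stands for an unset field. Detection5 is an added edge case:
# the same IP in two fields of a single detection.
DETECTIONS = [
    {"id": "Detection1", "principal.ip": "1.1.1.1", "target.ip": None, "src.ip": None},
    {"id": "Detection2", "principal.ip": None, "target.ip": "2.2.2.2", "src.ip": "1.1.1.1"},
    {"id": "Detection3", "principal.ip": None, "target.ip": "1.1.1.1", "src.ip": None},
    {"id": "Detection4", "principal.ip": "2.2.2.2", "target.ip": None, "src.ip": None},
    {"id": "Detection5", "principal.ip": "3.3.3.3", "target.ip": "3.3.3.3", "src.ip": None},
]

GROUPED_FIELDS = ("principal.ip", "target.ip", "src.ip")


def group_placeholder(detection, fields):
    """Model of $ip = group(field1, field2, ...) followed by $ip != "":
    every non-empty value of the listed fields becomes a value of the
    placeholder for this detection. A set, so a repeated value counts once."""
    return {detection[f] for f in fields if detection[f]}  # drops None and ""


def count_distinct_by_ip(detections, fields=GROUPED_FIELDS):
    """Model of:
         match:   $ip
         outcome: $count = count_distinct(detection.id)
         order:   $count desc
    Returns {ip: count}, ordered by count descending (ties by IP)."""
    ids_by_ip = defaultdict(set)
    for det in detections:
        for ip in group_placeholder(det, fields):
            ids_by_ip[ip].add(det["id"])  # distinct detection ids per IP
    counts = {ip: len(ids) for ip, ids in ids_by_ip.items()}
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    for ip, count in count_distinct_by_ip(DETECTIONS).items():
        print(f"{ip:<10} {count}")
```

Running the first four detections reproduces the page's result table exactly; Detection5 adds a row for 3.3.3.3 with a count of 1, because the distinct count is over detection.id, not over field occurrences.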

Aggregate functions

When events contain multiple values, you must use aggregate functions to summarize the data. In addition to the existing aggregate functions, you can also use the following aggregate functions:

  • avg(): outputs the average over all possible values. Only works with integer and float.

  • stddev(): calculates the standard deviation for all available values in the dataset. Only works with integer and float.

avg

Returns the average of values within a numeric column. It ignores NULL values during the calculation. It's commonly used with match to calculate averages within specific data groups.

avg(numericExpression)

  • Parameter type: NUMBER

  • Return type: NUMBER

Example

Find all events where target.ip is not empty. For all events that match on principal.ip, store the average of metadata.event_timestamp.seconds in a variable called $avg_seconds.

target.ip != ""
  match:
    principal.ip
  outcome:
    $avg_seconds = avg(metadata.event_timestamp.seconds)

stddev

Returns the standard deviation over all the possible values.

stddev(numericExpression)

  • Parameter type: NUMBER

  • Return type: NUMBER

Example

Find all events where target.ip is not empty. For all events that match on principal.ip, store the standard deviation of metadata.event_timestamp.seconds in a variable called $stddev_seconds.

target.ip != ""
  match:
    principal.ip
  outcome:
    $stddev_seconds = stddev(metadata.event_timestamp.seconds)
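The following added Python model (not Google SecOps code) runs the avg and stddev queries above over a handful of constructed events, using network.sent_bytes in place of the timestamp so the numbers are easy to check by hand. It shows the `target.ip != ""` filter applying before grouping and NULL values being skipped by both aggregates. Assumption: the page does not say whether stddev uses the population or the sample formula; the model uses the population formula.

```python
import math
from collections import defaultdict

# Constructed sample events (not real telemetry). A network.sent_bytes of
# None models a NULL/unset field that the aggregates must skip.
EVENTS = [
    {"principal.ip": "10.0.0.5", "target.ip": "203.0.113.9", "network.sent_bytes": 1000},
    {"principal.ip": "10.0.0.5", "target.ip": "203.0.113.9", "network.sent_bytes": 3000},
    {"principal.ip": "10.0.0.5", "target.ip": "203.0.113.9", "network.sent_bytes": None},
    {"principal.ip": "10.0.0.7", "target.ip": "", "network.sent_bytes": 50000},  # filtered out
    {"principal.ip": "10.0.0.7", "target.ip": "198.51.100.4", "network.sent_bytes": 500},
    {"principal.ip": "10.0.0.7", "target.ip": "198.51.100.4", "network.sent_bytes": 500},
]


def avg(values):
    """Model of avg(): mean of the non-NULL values; None when nothing remains."""
    vals = [v for v in values if v is not None]
    return sum(vals) / len(vals) if vals else None


def stddev(values):
    """Model of stddev(): population standard deviation of the non-NULL values.
    Assumption: population formula; the page does not state which variant
    Google SecOps uses."""
    vals = [v for v in values if v is not None]
    if not vals:
        return None
    mean = sum(vals) / len(vals)
    return math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))


def sent_bytes_stats(events):
    """Model of:
         target.ip != ""
         match:
           principal.ip
         outcome:
           $avg_sent = avg(network.sent_bytes)
           $stddev_sent = stddev(network.sent_bytes)
    Returns {principal.ip: (avg, stddev)}."""
    by_principal = defaultdict(list)
    for ev in events:
        if ev["target.ip"] != "":  # the filter runs before the match grouping
            by_principal[ev["principal.ip"]].append(ev["network.sent_bytes"])
    return {ip: (avg(vals), stddev(vals)) for ip, vals in by_principal.items()}


if __name__ == "__main__":
    for ip, (mean, sd) in sent_bytes_stats(EVENTS).items():
        print(f"{ip:<10} avg={mean:.1f} stddev={sd:.1f}")
```

For 10.0.0.5 the NULL row is skipped, so the average is over two values (2000.0) and the deviation is 1000.0; for 10.0.0.7 the 50000-byte event never reaches the aggregate because its target.ip is empty, leaving two equal values and a deviation of 0.0.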

IOC fields

Field                 Description
ioc_value             IOC indicator; can be either a domain name or an IP address
ioc_type              IOC type; can be either IOC_TYPE_DOMAIN or IOC_TYPE_IP
feed_log_type         IOC feed log type; for example, ET_PRO_IOC
is_global             Whether this is a global IOC indicator
day_bucket_seconds    Day bucket in which an IOC hit occurred, based on the event's timestamp
category              Category or type of this indicator
confidence_score      Raw confidence level from the IOC source
feed_name             Original feed from which the IOC indicator originated
severity              Raw severity level of the indicator
ioc_ingest_time       Time when the IOC was first ingested into the system
asset                 Asset indicator
location              Physical location

Rule sets fields

Field                 Description
ruleset               Display name of the rule set
ruleset_family        Family name of the rule set
precise_alerting      Alerting status of precise rules within a specific rule set
precise_live          Status of precise rules
broad_alerting        Alerting status of broad rules within the rule set
broad_live            Status of live broad rules
detection_timestamp   Timestamp at which a detection event was triggered
