YARA-L 2.0 functions for Google SecOps Native Dashboards

This document explains how to use the following functions in queries to create charts, alongside the YARA-L 2.0 functions supported by Google SecOps in the Detection Engine.

In addition to the YARA-L 2.0 functions that Google Security Operations supports in the Detection Engine, the following functions can be used in queries to build charts.

math.log

Returns the natural log value of an integer or float expression as follows:

math.log(numericExpression)

• Parameter ype: NUMBER

• Return type: NUMBER

Example

math.log($e1.network.sent_bytes) > 20

math.round

Returns the value of a float expression rounded to the specified number of decimal places.

math.round(numericExpression,decimalPlaces)

• Parameter type: NUMBER

• Return type: NUMBER

Examples

math.round(10.7) // returns 11
math.round(1.2567, 2) // returns 1.25
math.round(-10.7) // returns -11
math.round(-1.2) // returns -1
math.round(4) // returns 4, math.round(integer) returns the integer

group

Groups fields of the same type into a placeholder.

group(field1, field2, field3…)

• Parameter type: Event type

• Return type: Grouped event fields

Example

In the following example, the group() function gathers all the IP addresses found in the principal.ip, target.ip, and src.ip fields across all events that triggered the detection. The IP addresses are then added to the placeholder variable $ip. The rule then matches the IP address and returns a count of distinct events for each unique IP address.

$ip = group(detection.collection_elements.references.event.principal.ip, detection.collection_elements.references.event.target.ip, detection.collection_elements.references.event.src.ip)
$ip != ""
match:
  $ip
outcome:
  $count = count_distinct(detection.id)
order:
  $count desc

// Detection1: principal.ip = 1.1.1.1
// Detection2: src.ip = 1.1.1.1, target.ip = 2.2.2.2
// Detection3: target.ip = 1.1.1.1
// Detection4: principal.ip = 2.2.2.2

Result:

Aggregate functions

When events contain multiple values, you must use aggregate functions to summarize the data. In addition to the existing aggregate functions, you can also use the following aggregate functions:

• avg(): outputs the average over all possible values. Only works with integer and float.

• stddev(): calculates the standard deviation for all available values in the dataset. Only works with integer and float.

avg

Returns the average of values within a numeric column. It ignores NULL values during the calculation. It's commonly used with match to calculate averages within specific data groups.

avg(numericExpression)

• Parameter type: NUMBER

• Return type: NUMBER

Example

Find all the events where target.ip is not empty. For all the events that match principal.ip, store the average of metadata.event_timestamp.seconds in a variable called avg_seconds.

target.ip != ""
  match:
    principal.ip
  outcome:
    $avg_seconds = avg(metadata.event_timestamp.seconds)

stddev

Returns the standard deviation over all the possible values.

stddev(numericExpression)

• Parameter type: NUMBER

• Return type: NUMBER

Example

Finds all events where target.ip is not empty. For all events that match principal.ip, store the standard deviation of metadata.event_timestamp.seconds in a variable called stddev_seconds.

target.ip != ""
  match:
    principal.ip
  outcome:
    $stddev_seconds = stddev(metadata.event_timestamp.seconds)

IOC fields

Rule sets fields

Need more help? Get answers from Community members and Google SecOps professionals.