Today, we are going to cover the aggregation functions of min, max and sum and how they can be added to the outcome section of a YARA-L rules in Chronicle SIEM.

While there are not a lot of integer or float fields in UDM compared to string fields, min, max and sum really shine when used in conjunction with conditional logic and mathematical operations. Remember, it's important to understand that when working with multiple events in a rule that all outcome variables that contain UDM fields must have an aggregation associated with them.

Follow along in the video below to see in action how to use a aggregation functions like min, max and sum within a multi event rule.

Remember that min, max and sum provide additional aggregate functions in the outcome section, but they are limited to float and integer fields. As we demonstrated, we can use outcome variables in our conditions to narrow our result set, but there is more to be unlocked with these three aggregate functions when used with conditional logic and mathematical operators.

Check out these additional resources with more information and learning opportunities:

• New to Chronicle blog series
• Chronicle Learning Path on Google Cloud Skills Boost
• Chronicle documentation
• Google Cloud Security Community Events