This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Getting to Know Chronicle: Outcomes in a Multi Event Rule - Counts

on ‎01-26-2024 12:37 PM

jstoner
Staff
2 0 163

Today, we are going to introduce the ability to generate counts within the outcome section of a YARA-L rule in Chronicle SIEM.

Outcomes in Multi Event Rules - Counts.png

It is important to understand that when working with multiple events in a rule that all outcome variables that contain UDM fields must have an aggregation associated with them. Outcome variables that just contain constants do not need an aggregate function.

Follow along in the video below to see in action how to use a aggregation functions like count within a multi event rule.

Remember that count and count_distinct are just two of the aggregate functions that can be used in the outcome section. All event values must be aggregated in rules that contain multiple values. Finally, constants do not require an aggregate function, even in multi-event rules.

Outcomes in Multi Event Rules - Counts (1).png

Check out these additional resources with more information and learning opportunities:

Topic Labels
Contributors
Version history
Last update:
‎01-26-2024 12:37 PM
Updated by: