YARA-L best practices
=====================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

This document describes the best practices that Google Security Operations recommends for writing rules in YARA-L.

Filter out zero values
----------------------

Fields might be automatically omitted in the events you run your rules against. When a field is omitted, it takes its zero value as a default.

For example, an omitted string value defaults to `""`.

If you equate two fields that are both omitted, both might hold their zero values. This can lead to unintended matches in which two fields match only because both are zero. You can avoid this behavior by explicitly excluding the zero value.

For example, if you have a rule that equates two events based on two fields, there is a chance that both of those fields are empty, causing a match:

    $e1.field1 = $e2.field2

If both `e1.field1` and `e2.field2` are omitted in the data, `"" = ""` is true, causing a match.

The following comparison expressions ensure that you don't get a match just because `e1.field1` and `e2.field2` contain no data:

    $e1.field1 = $e2.field2
    $e1.field1 != ""
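A complete multi-event rule that applies this check, added here as an example and not taken from the Google SecOps documentation. The rule name, the event variables `$launch` and `$conn`, the match variable `$user` and the choice of `principal.hostname` as the join field are assumptions. The hostname join is written as a direct field-to-field comparison on purpose: that is exactly the case where both sides can default to `""`, so the explicit zero-value filter is what prevents two unrelated events from being joined.

```yaral
rule process_launch_then_connection_same_host {
  meta:
    author = "added example, not from the documentation"
    description = "Process launch followed by a network connection from the same host, ignoring events whose hostname was omitted"
    severity = "LOW"

  events:
    // First event: a process launch attributed to a user.
    $launch.metadata.event_type = "PROCESS_LAUNCH"
    $launch.principal.user.userid = $user

    // Second event: a network connection by the same user.
    $conn.metadata.event_type = "NETWORK_CONNECTION"
    $conn.principal.user.userid = $user

    // Direct field-to-field join. If principal.hostname is omitted on both
    // events, both sides default to "" and "" = "" is true, so two unrelated
    // events would be joined. Zero values are not dropped here automatically
    // because $launch.principal.hostname is not a match variable.
    $launch.principal.hostname = $conn.principal.hostname

    // Explicit zero-value filter: rejects the spurious "" = "" join above.
    $launch.principal.hostname != ""

  match:
    $user over 10m

  condition:
    $launch and $conn
}
```

Dropping the `!= ""` line would make every pair of events from the same user within the window match as soon as both lack a hostname, which is the unintended match the section describes.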
### Zero values and enrichment-dependent rules

If a rule depends on enriched data and the enrichment hasn't been applied to the event yet, the value might be null or zero. Therefore, it is good practice to filter out zero values (null checks) in enrichment-dependent rules. Learn [how Google SecOps enriches event and entity data](/chronicle/docs/event-processing/data-enrichment) and [how to use context-enriched data in rules](/chronicle/docs/detection/use-enriched-data-in-rules).

**Note:** Zero values are filtered out from match variables by default. For more information, see [zero value handling in the match section](/chronicle/docs/detection/yara-l-2-0-syntax#zero_value_handling_in_the_match_section).

Add an event type filter
------------------------

In the following example, the IP addresses of every UDM event are checked against the reference list, which consumes a lot of resources:

    events:
    // For every UDM event, check if the target.ip is listed in
    // the suspicious_ip_addresses reference list.
    $e.target.ip in %suspicious_ip_addresses

If your YARA-L rule only detects on UDM events of a certain event type, adding an event type filter can help to optimize your rule by reducing the number of events the rule needs to evaluate:

    events:
    // For every UDM event of type NETWORK_DNS, check if the target.ip is
    // listed in the suspicious_ip_addresses reference list.
    $e.metadata.event_type = "NETWORK_DNS"
    $e.target.ip in %suspicious_ip_addresses

Add these filters to the beginning of the events section. You should also put equality filters before regular expressions or other comparisons. Filters are applied in the order they appear in the rule.
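The following rule, added as an example and not code from the documentation, combines the filter-ordering advice of this section with the null check recommended for enrichment-dependent rules: the event type equality filter comes first, the reference list lookup and other equality checks follow, an enrichment-dependent field is checked for its zero value before it is compared, and the regular expression is evaluated last. The rule name, the geo field path `target.ip_geo_artifact.location.country_or_region`, the country value and its format, and the regex pattern are assumptions made for illustration; `%suspicious_ip_addresses` is the list name used on this page and must exist in your tenant.

```yaral
rule dns_to_listed_ip_outside_expected_region {
  meta:
    author = "added example, not from the documentation"
    description = "DNS event whose target IP is on a reference list and geolocates outside the expected region"
    severity = "MEDIUM"

  events:
    // 1. Cheapest filter first: an equality check on event type discards
    //    every non-DNS event before any list lookup or regex runs.
    $e.metadata.event_type = "NETWORK_DNS"

    // 2. Reference list membership next (list name taken from this page;
    //    it must exist in your tenant).
    $e.target.ip in %suspicious_ip_addresses

    // 3. Enrichment-dependent field (assumed geo enrichment path and value
    //    format). Geo data may not be attached yet, in which case the field
    //    is "". Without the null check, "" != "United States" is true and
    //    every unenriched event would fire.
    $e.target.ip_geo_artifact.location.country_or_region != ""
    $e.target.ip_geo_artifact.location.country_or_region != "United States"

    // 4. Regex last, so it only runs on the events that survived the cheaper
    //    filters. The pattern (unusually long first label) is constructed
    //    for illustration only.
    re.regex($e.network.dns.questions.name, `^[a-z0-9]{25,}\.`)

  condition:
    $e
}
```

Removing the `!= ""` line in step 3 is the failure mode the enrichment note warns about: any event that the geo enrichment has not reached yet passes the `!= "United States"` comparison, so the rule fires on unenriched data rather than on a real out-of-region destination.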
For Community blogs on working with YARA-L, see:

- [YARA-L basics](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-know-Google-SecOps-SIEM-YARA-L-basics/ta-p/635468)
- [YARA-L rule variables](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-know-Google-SecOps-SIEM-YARA-L-rule-variables/ta-p/635481)
- [YARA-L operators and modifiers](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-know-Google-SecOps-SIEM-YARA-L-operators-and/ta-p/635489)
- [Building a single event rule using a regular expression](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-SIEM-Building-a-single-event-rule/ta-p/635498)
- [Aggregating events in rules](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-SIEM-Aggregating-events-in-rules/ta-p/635507)
- [Setting a threshold in conditions](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-SIEM-Setting-a-threshold-in/ta-p/635521)
- [Rules editor navigation](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Chronicle-SIEM-Rules-Editor-Navigation/ta-p/659309)
- [YARA-L Rule Options](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-SIEM-YARA-L-Rule-Options/ta-p/659313)
- [Building a Single Event Rule - String Match](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Chronicle-SIEM-Building-a-Single-Event-Rule/ta-p/659317)
- [Building a Multi Event Rule - Joining Events](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Chronicle-Building-a-Multi-Event-Rule-Joining/ta-p/665140)
- [Building a Multi Event Rule - Ordering Events](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Building-a-Multi-Event-Rule/ta-p/677993)
- [Building a Multi Event Rule - Multiple Joins and Counts in Conditions](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Chronicle-Building-a-Multi-Event-Rule-Multiple/ta-p/683984)
- [Building a Multi Event Rule - Sliding Windows](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Building-a-Multi-Event-Rule/ta-p/693405)
- [Introducing Outcomes in a Single Event Rule](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Chronicle-Introducing-Outcomes-in-a-Single-Event/ta-p/699600)
- [Outcomes in a Multi Event Rule - Counts](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Outcomes-in-a-Multi-Event-Rule/ta-p/703096)
- [Outcomes in Multi Event Rules - Arrays](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-SIEM-Outcomes-in-Multi-Event-Rules/ta-p/705657)
- [Outcomes in a Multi Event Rule - Max, Min, Sum](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Outcomes-in-a-Multi-Event-Rule-Max/ta-p/709795)
- [Outcomes - Risk Score, Conditional Logic and Mathematical Operators](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Chronicle-Outcomes-Risk-Score-Conditional-Logic/ta-p/714517)
- [Functions - strings.concat](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Functions-strings-concat/ta-p/719344)
- [Functions - strings.coalesce](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Functions-strings-coalesce/ta-p/726303)
- [Functions - Network](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Functions-Network/ta-p/732001)
- [Reference List](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Reference-List/ta-p/738238)
- [CIDR Reference Lists](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-CIDR-Reference-Lists/ta-p/745365)
- [Regex Reference Lists](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Regex-Reference-Lists/ta-p/750396)
- [Strings Function - Upper or Lower Case](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Strings-Function-Upper-Lower-Case/ta-p/750408)
- [Regular Expression Function - re.regex](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Regular-Expression-Function-re/ta-p/768660)
- [Regular Expression Function - re.capture](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Regular-Expression-Function-re/ta-p/775278)
- [String Function - strings.base64_decode](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-String-Function-strings-base64/ta-p/783968)
- [Regular Expression Function - re.replace](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Regular-Expression-Function-re/ta-p/791965)
- [Getting started with Statistical Search](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Getting-Started-with-Statistical/ta-p/799951)
- [Statistical Search - More Than a Count](https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/Getting-to-Know-Google-SecOps-Statistical-Search-More-Than-a/ta-p/803150)

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)

Last updated on 2025-08-21 UTC.