Conditions in UDM search and dashboards using YARA-L 2.0

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

The `condition` section defines the criteria for including data in search results. These conditions are evaluated against the event and placeholder variables defined in the `events` section. You can combine conditions using the `and` keyword.

Limitations

Conditions in search have the following limitations:

- **Required:** The `match` section is mandatory. Alternatively, you can define ungrouped filters directly within the `events` section.
- **Required:** Event and placeholder variables must be aggregated within the `condition` section.
- Only integer and float comparison expressions are supported. These expressions must have a variable on the left and an integer or float literal on the right (for example, `#c > 1`, `$port = 80`). The operators listed here are `<`, `>`, and `=`; the bounded and unbounded condition examples later on this page also use `>=` and `<=`.
- The order of variables and clauses within the `condition` section doesn't affect the results.
- To use outcome variables in the `condition` section, define and aggregate them. You can filter unaggregated outcome variables in the `events` section.
- Direct mathematical operations with variables are not supported (for example, `#e1 + 5 > 6`, `$o1.sum($pl) > 0`).
- There are no additional restrictions if the `OR` conditions apply to the same base events. The following restrictions apply when `OR` is used across different events:
  - Nonexistence comparisons are not supported with `OR`. For example, `math.log($outcome1_sent_bytes) > 5 OR (#placeholder2) < 10` is not supported, because `#placeholder2 < 10` is an unbounded (nonexistence) condition.
  - Non-UDM variables are not supported in `OR` clauses that span different events. `OR` is supported within a single event context or when grouped with `AND`. For example, `$entity and ($udm_event_1 or $placeholder_derived_from_udm_event_1)`, or `$entity and ($udm_event_1 or $outcome_udm_event_1_bytes > 1000)`.

Count character (`#`)

The `#` character, when preceding an event or placeholder variable name (for example, `#c`), represents the number of distinct occurrences of that event, or the number of distinct values satisfying all the conditions in the `events` section associated with that variable. For example, `#c > 1` requires the event or placeholder `c` to occur more than once.

**Sample query:**

    $e1.principal.hostname = $hostname
    $e1.target.hostname = "fedex.com"
    $e1.target.port = 3042 // tcp/udp

    $e2.principal.hostname = $hostname
    $e2.target.hostname = "homedepot.com"
    $e2.target.port = 3042 // tcp/udp

    match:
      $hostname over 1h

    condition:
      #e1 > 0 or #e2 > 1

Value character (`$`)

The function of the `$` character depends on the context.

- **Outcome variable:** Placed before an outcome variable name (for example, `$risk_score`), it represents the variable's value.
- **Event or placeholder variable:** Placed before an event or placeholder variable name (for example, `$event`), it is equivalent to `#event > 0` and requires at least one occurrence of that event to exist.

Event and placeholder conditions

You can combine multiple condition predicates for event and placeholder variables using the `and` keyword.

**Example (two placeholder conditions combined with `and`):**

    condition:
      $ph2 and $ph3

**Important:** When writing logic in the `events` or `condition` sections, use `!` for negation. Use the `not` keyword only in the `outcome` section.

Bounded and unbounded conditions

Event variable conditions can be bounded or unbounded.

**Bounded conditions** require the associated event variable to exist: at least one occurrence of the event must appear in any detection.

Examples:

- `$var` (equivalent to `#var > 0`)
- `#var > n` (where `n >= 0`)
- `#var >= m` (where `m > 0`)

**Sample query:**

    $e1.principal.hostname = $hostname
    $e1.target.hostname = "fedex.com"

    match:
      $hostname over 1h

    condition:
      #e1 > 0

**Unbounded conditions** allow the associated event variable not to exist: a detection can contain no occurrence of the event. Any reference to a field on that event variable then yields a zero value. Use unbounded conditions for nonexistence searches.

Examples:

- `!$var` (equivalent to `#var = 0`)
- `#var >= 0`
- `#var < n` (where `n > 0`)
- `#var <= m` (where `m >= 0`)

**Sample query:**

    $e1.principal.hostname = $hostname
    $e1.target.hostname = "fedex.com"
    $e1.target.port = 3042 // tcp/udp

    match:
      $hostname over 1h

    outcome:
      $bytes_sent = sum($e1.network.sent_bytes)

    condition:
      $bytes_sent >= 0

**Note:** For nonexistence search queries (queries that use unbounded conditions), the detection engine adds a 1-hour delay to the expected latency.

Search queries with unbounded conditions must meet the following criteria:

- At least one UDM event must have a bounded condition; that is, at least one UDM event must exist.
- Placeholders with unbounded conditions must be associated with at least one bounded UDM event.
- Entities with unbounded conditions must be associated with at least one bounded UDM event.

Outcome conditions

You can define outcome conditions using outcome variables and combine them with the logical operators `and`, `or`, and `not`. The comparison syntax depends on the outcome variable's data type.

- **integer and float:** Use `=`, `>`, `>=`, `<`, `<=`, `!=` (for example, `$risk_score > 10`, `$risk_score <= 5.5`).
- **string:** Use `=` or `!=` (for example, `$severity = "HIGH"`).
- **list or array values:** Use `arrays.contains()` (for example, `arrays.contains($event_ids, "id_1234")`).

**Sample query:**

    $e1.principal.hostname = $hostname
    $e1.target.hostname = "fedex.com"
    $e1.target.port = 3042 // tcp/udp

    match:
      $hostname over 1h

    outcome:
      $bytes_sent = sum($e1.network.sent_bytes)

    condition:
      $e1

N of X conditions in UDM search

UDM search conditions support the "N of X" syntax, which gives a flexible evaluation of multiple criteria. This syntax lets you specify that a condition is met if `N` (a specific number) of `X` (a list of boolean expressions) evaluate to true.

Example: Consider a scenario where you want to identify processes that exhibit several suspicious behaviors, but not necessarily all of them, from a predefined list of tags provided by VirusTotal (VT) enrichment. The "N of X" syntax addresses this by letting you specify the minimum number of conditions that must be met.

The following UDM search query looks for processes where at least three of the listed conditions are true:

    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = $process

    match:
      $process

    outcome:
      $first_seen = earliest($e.metadata.event_timestamp)
      $last_seen = latest($e.metadata.event_timestamp)
      $total_events = count($e.metadata.id)
      // Collect all unique tags associated with this process from all its launch events
      $tags = array_distinct($e.target.process.file.tags)

    condition:
      // Trigger if at least 3 of the following conditions (tag checks) are true
      3 of [
        arrays.contains($tags, "malware"),
        arrays.contains($tags, "detect-debug-environment"),
        arrays.contains($tags, "checks-disk-space"),
        arrays.contains($tags, "checks-cpu-name"),
        arrays.contains($tags, "invalid-signature"),
        arrays.contains($tags, "self-delete")
      ]

    order:
      $total_events desc

ANY of and ALL of operators

`ANY of [expressions]` evaluates to `true` if at least one of the listed boolean expressions is `true`. `ALL of [expressions]` requires every listed expression to be `true`. Combine these operators with other conditions using keywords like `AND`.

**Tip:** `ALL of [expressions]` is less efficient than linking each condition with `AND`. Whenever possible, use `AND` for better query performance.

Example:

    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = $process

    match:
      $process

    outcome:
      $first_seen = timestamp.get_timestamp(min($e.metadata.event_timestamp.seconds))
      $last_seen = timestamp.get_timestamp(max($e.metadata.event_timestamp.seconds))
      $total = count($e.metadata.id)
      $tags = array_distinct($e.target.process.file.tags)
      // Each flag is 1 when the corresponding VT timestamp is less than 24 hours old
      $vt_first_seen_time = max(if((timestamp.current_seconds() - $e.target.process.file.first_seen_time.seconds) < 86400, 1 , 0))
      $vt_last_analysis_time = max(if((timestamp.current_seconds() - $e.target.process.file.last_analysis_time.seconds) < 86400, 1 , 0))
      $vt_last_modification_time = max(if((timestamp.current_seconds() - $e.target.process.file.last_modification_time.seconds) < 86400, 1 , 0))
      $vt_last_seen_time = max(if((timestamp.current_seconds() - $e.target.process.file.last_seen_time.seconds) < 86400, 1 , 0))

    condition:
      3 of [
        arrays.contains($tags, "malware"),
        arrays.contains($tags, "detect-debug-environment"),
        arrays.contains($tags, "checks-disk-space"),
        arrays.contains($tags, "checks-cpu-name"),
        arrays.contains($tags, "invalid-signature"),
        arrays.contains($tags, "self-delete")
      ]
      and ANY of [
        $vt_first_seen_time = 1,
        $vt_last_analysis_time = 1,
        $vt_last_modification_time = 1,
        $vt_last_seen_time = 1
      ]

    order:
      $total desc

    unselect:
      $vt_first_seen_time,
      $vt_last_analysis_time,
      $vt_last_modification_time,
      $vt_last_seen_time
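The following Python model is an added illustration, not Google SecOps code, and it serves the count character, bounded and unbounded condition, and N of X passages above. It runs the documented semantics over constructed events: `#var` is the number of events bound to the variable within a match group, `$var` is `#var > 0`, `!$var` is `#var = 0` with an aggregation over the absent variable yielding zero, and `N of`, `ANY of` and `ALL of` are threshold counts over a list of booleans. The hostnames, byte counts, process paths and tags are constructed, the `over 1h` window is assumed to already contain every event, and the field names are written as flat keys rather than real UDM protobuf paths.

```python
from collections import defaultdict

# Constructed UDM-like events (not real telemetry). Every event is assumed to fall
# inside a single `match: $hostname over 1h` window, so the window is not modelled.
EVENTS = [
    {"id": "1", "principal.hostname": "host-a", "target.hostname": "fedex.com",     "target.port": 3042, "network.sent_bytes": 500},
    {"id": "2", "principal.hostname": "host-a", "target.hostname": "fedex.com",     "target.port": 3042, "network.sent_bytes": 700},
    {"id": "3", "principal.hostname": "host-a", "target.hostname": "homedepot.com", "target.port": 3042, "network.sent_bytes": 100},
    {"id": "4", "principal.hostname": "host-b", "target.hostname": "fedex.com",     "target.port": 3042, "network.sent_bytes": 50},
    {"id": "5", "principal.hostname": "host-c", "target.hostname": "homedepot.com", "target.port": 3042, "network.sent_bytes": 10},
    {"id": "6", "principal.hostname": "host-c", "target.hostname": "homedepot.com", "target.port": 3042, "network.sent_bytes": 20},
    {"id": "7", "principal.hostname": "host-d", "target.hostname": "fedex.com",     "target.port": 443,  "network.sent_bytes": 9},
]

# Event-variable filters taken from the page's sample queries. Both bind $hostname
# to principal.hostname, which is the match variable used for grouping below.
def is_e1(ev):
    return ev["target.hostname"] == "fedex.com" and ev["target.port"] == 3042

def is_e2(ev):
    return ev["target.hostname"] == "homedepot.com" and ev["target.port"] == 3042

def n_of(n, exprs):
    """`N of [exprs]`: true when at least n of the boolean expressions are true."""
    return sum(1 for x in exprs if x) >= n

def any_of(exprs):
    """`ANY of [exprs]` is the same threshold test with N = 1."""
    return n_of(1, exprs)

def all_of(exprs):
    """`ALL of [exprs]`: every expression true (the page notes chaining with AND is cheaper)."""
    return n_of(len(exprs), exprs)

def evaluate(events):
    """Group by $hostname and evaluate the page's count and nonexistence conditions per group."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["principal.hostname"]].append(ev)
    results = {}
    for hostname, evs in groups.items():
        e1 = [ev for ev in evs if is_e1(ev)]  # #e1: occurrences bound to $e1 in this group
        e2 = [ev for ev in evs if is_e2(ev)]  # #e2: occurrences bound to $e2 in this group
        # outcome: $bytes_to_homedepot = sum($e2.network.sent_bytes). When $e2 is
        # unbounded and absent, the aggregation over its fields yields zero.
        bytes_to_homedepot = sum(ev["network.sent_bytes"] for ev in e2)
        results[hostname] = {
            "#e1": len(e1),
            "#e2": len(e2),
            "$bytes_to_homedepot": bytes_to_homedepot,
            # condition: #e1 > 0 or #e2 > 1   (the count-character sample query)
            "count_or": len(e1) > 0 or len(e2) > 1,
            # condition: $e1 and !$e2         (nonexistence search: $e1 bounded, $e2 unbounded;
            # the bounded $e1 is what keeps hosts with no matching event out of the result)
            "fedex_but_never_homedepot": len(e1) > 0 and len(e2) == 0,
        }
    return results

# Constructed PROCESS_LAUNCH events with VirusTotal-style tags (assumed values, not real VT output).
PROCESS_LAUNCHES = [
    {"process": "/tmp/.cache/a.out", "tags": ["malware", "detect-debug-environment", "checks-disk-space"]},
    {"process": "/tmp/.cache/a.out", "tags": ["malware", "self-delete"]},
    {"process": "/usr/bin/vim",      "tags": []},
    {"process": "/opt/tools/packer", "tags": ["invalid-signature", "checks-cpu-name"]},
]
SUSPICIOUS_TAGS = ["malware", "detect-debug-environment", "checks-disk-space",
                   "checks-cpu-name", "invalid-signature", "self-delete"]

def suspicious_processes(launches, threshold=3):
    """match: $process; outcome: $tags = array_distinct(...); condition: `threshold of [arrays.contains($tags, t) ...]`."""
    tags_by_process = defaultdict(set)  # array_distinct over all launch events of the process
    for ev in launches:
        tags_by_process[ev["process"]].update(ev["tags"])
    return {process: sorted(tags) for process, tags in tags_by_process.items()
            if n_of(threshold, [t in tags for t in SUSPICIOUS_TAGS])}

if __name__ == "__main__":
    for hostname, r in evaluate(EVENTS).items():
        print(hostname, r)
    print(suspicious_processes(PROCESS_LAUNCHES))
```

Running the block prints one row per host. `host-b` is the interesting one: it reached fedex.com but has no homedepot.com event, so `$e2` is absent, `$bytes_to_homedepot` comes out as 0, and the nonexistence condition fires; `host-d` matches neither filter and stays out only because the bounded `$e1` is part of the condition, which is the reason the page requires at least one bounded UDM event in any query that uses unbounded conditions.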