Options section syntax
The options section of a YARA-L query is only available for rules. You specify options using the syntax key = value, where key must be a predefined option name and value must be a valid value for that option:

rule RuleOptionsExample {
  // Other rule sections
  options:
    allow_zero_values = true
}
Options values
The following option values are available:

allow_zero_values option
The valid values for the allow_zero_values option are true and false (default), which determine whether the option is enabled. The allow_zero_values option is disabled if it is not specified in the query.

To enable the allow_zero_values setting, add the following to the options section of your query: allow_zero_values = true

This prevents the query from implicitly filtering out the zero values of placeholders that are used in the match section, as described in Zero values in match section.
suppression_window option
The suppression_window option lets you control how often a rule triggers a detection. It prevents the same rule from generating multiple detections within a specified time window, even if the query's conditions are met multiple times. Suppression windowing uses a tumbling window approach, which suppresses duplicates over a fixed-size, non-overlapping window.

You can optionally provide a suppression_key to further refine which instances of the query are suppressed within the suppression window. If not specified, all instances of the query are suppressed. This key is defined as an outcome variable and is only considered for single-event queries. Multiple-event queries use the match variables from the match section to determine what should be suppressed. The suppression_window value must also be greater than the match window.

The default value of suppression_window is 0; that is, the suppression window is disabled by default.
Example: suppression window option for single-event queries
In the following example, suppression_window is set to 5m and suppression_key is set to the $hostname variable. After the query triggers a detection for $hostname, any further detections for $hostname are suppressed for the next five minutes. However, if the query triggers on an event with a different hostname, a detection is created.

rule SingleEventSuppressionWindowExample {
  // Other rule sections
  outcome:
    $suppression_key = $hostname
  options:
    suppression_window = 5m
}
Example: suppression window option for multiple-event queries
In the following example, suppression_window is set to 1h. After the query triggers a detection for ($hostname, $ip) over a 10m window, any further detections for ($hostname, $ip) are suppressed for the next hour. However, if the query triggers on events with a different combination, a detection is created.

rule MultipleEventSuppressionWindowExample {
  // Other rule sections
  match:
    $hostname, $ip over 10m
  options:
    suppression_window = 1h
}
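To make the tumbling-window behaviour described above concrete, the following Python model replays constructed detections through a suppressor keyed the way the two examples are keyed: by the suppression_key ($hostname) for the single-event rule, and by the match variables ($hostname, $ip) for the multiple-event rule. This is an added illustration, not Google SecOps code; it assumes that a key's window opens at the first detection that is emitted for that key and that the s/m/h/d duration suffixes map to seconds as shown. The sample detections and hostnames are constructed.

```python
"""Toy model of YARA-L suppression_window semantics (added example, not Google SecOps code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: these are the duration suffixes handled by this model.
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Convert a YARA-L style duration such as '5m' or '1h' to seconds."""
    value, unit = text[:-1], text[-1]
    if unit not in _UNITS or not value.isdigit():
        raise ValueError(f"unsupported duration: {text!r}")
    return int(value) * _UNITS[unit]


def validate_windows(suppression_window: str, match_window: Optional[str]) -> None:
    """Enforce the documented constraint for multiple-event rules:
    suppression_window must be greater than the match window."""
    if match_window is not None and parse_duration(suppression_window) <= parse_duration(match_window):
        raise ValueError("suppression_window must be greater than the match window")


@dataclass
class TumblingSuppressor:
    """Fixed-size, non-overlapping suppression windows, one per key."""
    window_seconds: int
    _window_start: Dict[Tuple, int] = field(default_factory=dict)

    def admit(self, key: Tuple, ts: int) -> bool:
        """Return True if a detection for `key` at time `ts` (seconds) is emitted."""
        if self.window_seconds == 0:            # default 0: suppression disabled
            return True
        start = self._window_start.get(key)
        if start is not None and ts < start + self.window_seconds:
            return False                        # inside this key's open window: suppressed
        # Assumption: the new window is anchored at the detection that opens it.
        self._window_start[key] = ts
        return True


def suppress(detections: Iterable[dict], key_fields: Tuple[str, ...], window: str) -> List[dict]:
    """Filter detections (dicts with 'ts' plus field values) through a suppressor."""
    sup = TumblingSuppressor(parse_duration(window))
    return [d for d in detections if sup.admit(tuple(d[f] for f in key_fields), d["ts"])]


# Constructed sample detections (not real telemetry).
SINGLE_EVENT_DETECTIONS = [
    {"ts": 0,   "hostname": "host-a"},   # emitted: opens host-a's 5m window
    {"ts": 120, "hostname": "host-a"},   # suppressed: inside the window
    {"ts": 240, "hostname": "host-b"},   # emitted: different suppression_key
    {"ts": 299, "hostname": "host-a"},   # suppressed: still inside the window
    {"ts": 300, "hostname": "host-a"},   # emitted: window closed, a new one opens
    {"ts": 660, "hostname": "host-a"},   # emitted: next window
]

MULTI_EVENT_DETECTIONS = [
    {"ts": 0,    "hostname": "host-a", "ip": "10.0.0.1"},  # emitted
    {"ts": 1800, "hostname": "host-a", "ip": "10.0.0.1"},  # suppressed: same (hostname, ip)
    {"ts": 1800, "hostname": "host-a", "ip": "10.0.0.2"},  # emitted: different combination
    {"ts": 3600, "hostname": "host-a", "ip": "10.0.0.1"},  # emitted: the hour has elapsed
]


def single_event_example() -> List[int]:
    """Keyed by the suppression_key ($hostname), 5m window."""
    return [d["ts"] for d in suppress(SINGLE_EVENT_DETECTIONS, ("hostname",), "5m")]


def multi_event_example() -> List[Tuple[int, str]]:
    """Keyed by the match variables ($hostname, $ip), 1h window over a 10m match."""
    validate_windows("1h", "10m")
    return [(d["ts"], d["ip"]) for d in suppress(MULTI_EVENT_DETECTIONS, ("hostname", "ip"), "1h")]


if __name__ == "__main__":
    print(single_event_example())  # [0, 240, 300, 660]
    print(multi_event_example())   # [(0, '10.0.0.1'), (1800, '10.0.0.2'), (3600, '10.0.0.1')]
```

The detection at 299 seconds is suppressed while the one at 300 seconds is emitted, which is what distinguishes a tumbling window from a sliding one: the window does not restart on every suppressed hit. Setting the window to 0s admits every detection, matching the documented default.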
Additional information
- Expressions, operators, and constructs used in YARA-L 2.0
- Functions in YARA-L 2.0
- Build composite detection rules
- Examples: YARA-L 2.0 queries