Use nested if statements for more complex logic
Supported in:
You can use if
statements in both the outcome
and events
sections. You can also use if
statements within
the then
else
clauses of another if
statement. This capability lets you
introduce more complicated logic to your query.
This syntax is supported in Rules, Search, and Dashboards.
Syntax
if(BOOL_CLAUSE, THEN_CLAUSE, ELSE_CLAUSE)
Nested if
examples
Search example: outcome section
This example assigns an outcome score based on principal.hostname
.
$nested_if.principal.hostname != ""
outcome:
$score = max(
if($nested_if.principal.hostname = /win-adfs/,
5,
if($nested_if.principal.hostname = /server/,
3,
if($nested_if.principal.hostname = /win-atomic/,
1,
0))))
Search example: events section
This example assigns the placeholder IP to target.ip
or principal.ip
so long as
they're non-empty. If the IP values are missing, it assigns no_valid_ip
.
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$ip = if($e.target.ip != "",
$e.target.ip,
if($e.principal.ip != "",
$e.principal.ip,
"no_valid_ip"))
match:
$ip
Rule example: nested if
in outcome
section
rule nested_if_outcome_example {
meta:
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$e.principal.ip = $ip
match:
$ip over 5m
outcome:
$score = max(
if($e.principal.hostname = /win-adfs/,
5,
if($e.principal.hostname = /server/,
3,
if($e.principal.hostname = /win-atomic/,
1,
0))))
condition:
$e
}
Rule example: nested if
in events
section
rule nested_if_events_example {
meta:
events:
$e.metadata.event_type = "NETWORK_CONNECTION"
$ip = if($e.target.ip != "",
$e.target.ip,
if($e.principal.ip != "",
$e.principal.ip,
"no_valid_ip"))
match:
$ip over 5m
condition:
$e
}
Known limitation
The if()
statement is a function in YARA-L 2.0 and subject to the function
depth limit of 20.
Need more help? Get answers from Community members and Google SecOps professionals.
