Console
    Start free

    Options section syntax

    Supported in:

    The options section of a YARA-L query is only available for Rules.

    You can specify options using the syntax key = value , where key must be a predefined option name and value must be a valid value for the option:

     rule RuleOptionsExample {
  // Other rule sections

  options:
    allow_zero_values = true
}

    Options values

    The following values for options are available:

    allow_zero_values option

    The valid values for allow_zero_values option are true and false (default), which determine if the option is enabled or not. The allow_zero_values option is disabled if it's not specified in the query.

    To enable the allow_zero_values setting, add the following to the options section of your query: allow_zero_values = true

    This action prevents the query from implicitly filtering out the zero values of placeholders that are used in the match section, as described in Zero values in match section .

    suppression_window option

    The suppression_window option provides a scalable mechanism to control alert volume and deduplicate findings, particularly for users who move from Splunk (and other platforms) that utilize similar alert-throttling capabilities.

    The suppression_window uses a tumbling window approach—a fixed-size, non-overlapping window that suppresses duplicate detections. You can optionally provide a suppression_key to further refine which query instances are suppressed within the suppression window . The deduplication key ( suppression_key ), the specific data point the system looks at to decide if an event is a duplicate, varies by rule type:

    • Single-event queries use an outcome variable named suppression_key to define the deduplication scope. If you don't specify a suppression_key , all query instances are suppressed globally during the window.

    Example: suppression window option for single-event queries

    In the following example, suppression_window is set to 5m and suppression_key is set to the $hostname variable. After the query triggers a detection for $hostname , any further detections for $hostname are suppressed for the next five minutes. However, if the query triggers on an event with a different hostname, a detection is created.

    rule SingleEventSuppressionWindowExample {
  // Other rule sections

  outcome:
    $suppression_key = $hostname

  options:
    suppression_window = 5m
}
    • Multiple event queries use the variables defined in the match section to determine what should be suppressed. The suppression_window value must also be greater than the match window.

    Example: suppression window option for multiple-event queries

    In the following example, suppression_window is set to 1h . After the query triggers a detection for ( $hostname , $ip ) over a 10m window, any further detections for ( $hostname , $ip ) are suppressed for the next hour. However, if the query triggers on events with a different combination, a detection is created.

    rule MultipleEventSuppressionWindowExample {
  // Other rule sections

  match:
    $hostname, $ip over 10m

  options:
    suppression_window = 1h
}

    Additional information

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: