Getting to Know Chronicle: Introducing Outcomes in a Single Event Rule

Today, we are going to introduce the outcome section of a YARA-L rule and demonstrate how we can add additional context to detections within Chronicle SIEM.


Along with this new section, a new variable type called outcome joins the variable types we previously discussed: event, match and placeholder.

The outcome section provides context to detections as well as the ability to perform aggregation functions over the events that make up a detection. Outcome variables can be leveraged directly within Chronicle, and they are also helpful when integrating with ticketing systems and other third-party tools. These variables can be used to store descriptors such as risk scores, MITRE ATT&CK tactics and technique IDs, calculated values, lists of values when multiple events are part of a rule, and much more.

While outcome variables can also be referenced in the condition section, nothing else about our rule changes, so if you already have rules built with meta, events, match and condition sections, adding an outcome section and a few additional fields requires very little extra work.

Follow along in the video below to see how to use a sliding window within a multi-event rule in action.

Remember that outcome is a new section in YARA-L that provides the ability to add context to our detections. This context is created using the syntax of a dollar sign, the outcome variable name, an equals sign, and then a field or constant. Outcomes are helpful both within Chronicle and for passing information about our detections to third-party systems, so adding outcomes can be quite valuable to your security operations team.
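As an added illustration (not a rule from the original post or from Google), here is a complete single-event YARA-L rule with an outcome section that stores a constant risk score, MITRE ATT&CK identifiers and copies of event fields, and then references one of those outcome variables in the condition section. The rule name, the detection logic and the specific UDM field choices are constructed for this example and are not a production detection.

```yaral
rule single_event_with_outcomes {
  meta:
    // Constructed metadata for this illustration
    author = "example author"
    description = "Illustrates outcome variables in a single-event rule"
    severity = "Medium"

  events:
    // Constructed trigger: a process launch whose command line references
    // a shell or scripting interpreter (hypothetical example condition)
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line = /powershell|cmd\.exe/ nocase

  outcome:
    // Constants: context that travels with the detection into Chronicle
    // and into downstream ticketing or SOAR integrations
    $risk_score = 35
    $mitre_attack_tactic = "TA0002"
    $mitre_attack_technique = "T1059"

    // Event fields copied into outcome variables so analysts and
    // integrations do not have to dig them out of the raw event
    $target_hostname = $e.principal.hostname
    $target_user = $e.principal.user.userid
    $command_line = $e.target.process.command_line

  condition:
    // The event must match, and outcome variables can be referenced here
    // alongside it; the rest of the rule structure is unchanged
    $e and $risk_score >= 30
}
```

Because this is a single-event rule there is no match section, so the outcome variables are assigned directly from constants and event fields rather than through aggregation functions.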


Check out these additional resources with more information and learning opportunities:

Last update: 01-17-2024 10:42 AM