This post builds on what we previously learned about statistical searches and adds additional aggregation functions and calculations that can be performed to ask more complex questions of your data.

This time, we are going to use additional concepts like placeholder variables, aggregation functions and mathematical operators that are a part of YARA-L and apply them to the statistical search. If you've written YARA-L rules, some of these may be familiar to you!

There isn’t a single way to achieve the same outcome in some of these searches, so I'm going to show one method and you may uncover additional methods as well. Finally, there are a number of additional YARA-L functions available and we will use only a few of them today. Just know that there are additional capabilities that can be used to work with your data set.

Follow along in the video below to see how we can extend our statistical search.

We highlighted how placeholder variables and aggregation functions like array_distinct and sum can be added to search. It’s important to remember that there are multiple ways to achieve the same result, so there is not a single right or wrong method, it really goes back to what you are trying to accomplish.

Finally, while we used strings.concat and net.ip_in_range_cidr in our example, there are a number of functions that YARA-L makes available that can be used. Conditional statements can be used as well as mathematical operators in the outcome section of our statistical search.

Check out these additional resources with more information and learning opportunities:

• New to Google SecOps blog series
• Google SecOps Learning Path on Google Cloud Skills Boost
• Google SecOps documentation
• Google Cloud Security Community Events