This post introduces the statistical search capability and walks through how a statistical search is built.
Statistical search is an expansion of search that goes beyond the tabular result set. With statistical search, the analyst has the opportunity to aggregate data by common values and generate calculated values while applying sorting and limits on the result set. To better align search and rules, Google SecOps utilizes YARA-L constructs for statistical search.
It is important to note that any UDM field can be used in a search, but only the fields referenced in the match and outcome sections are the fields or variables returned in the results of a statistical search.
Follow along in the video below to see how a statistical search is constructed.
Statistical search aggregates results based on values and generates calculations, such as a count. To aggregate and calculate values, Google SecOps uses YARA-L constructs, with the match section used for aggregations and the outcome section used for calculations. Additional sections for sorting and for returning a fixed number of results are available as well. Finally, remember that a statistical search can have a match section, an outcome section, or both, depending on the type of search being built.
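As an added example (not from the original post or Google's documentation), here is a statistical search that groups blocked login events by user ID and calculates counts per group, using each of the sections described above. The UDM field names are real, but the exact section layout and outcome functions are assumed from YARA-L 2.0 conventions and may need adjusting for your tenant.

```yaral
// Added example, not from the original post. Layout and outcome
// functions (count, count_distinct, min, max) are assumed from YARA-L 2.0.

// Event filter: any UDM field may be used here, but only the fields
// named in the match and outcome sections appear in the results.
metadata.event_type = "USER_LOGIN" AND security_result.action = "BLOCK"

// match: the field(s) to aggregate (group) by
match:
  principal.user.userid

// outcome: calculated values over each group
outcome:
  $blocked_attempts = count(metadata.id)
  $distinct_sources = count_distinct(principal.ip)
  $first_seen = min(metadata.event_timestamp.seconds)
  $last_seen = max(metadata.event_timestamp.seconds)

// order: sort the aggregated rows, busiest user first
order:
  $blocked_attempts desc

// limit: return a fixed number of rows
limit:
  20
```

Removing the match section leaves only the outcome section, so the same calculations are then performed over the whole filtered result set as a single row.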
Check out these additional resources with more information and learning opportunities: