This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

How to Calculate String Length in YARA-L Query

Posted on 03-10-2025 05:46 AM
prashant_nakum
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi everyone,

I'm working on a Google SecOps Preview Dashboard and need to calculate the length of a string.

I have a use case where I need to calculate the length of  string field (f1) and then compute the average length across all events.

For example:

IDf1len(f1)
1"val-1"5
2"v-2"3
3"value-3"7

I need to display AVG(len(f1)).

Is there a built-in function for this, or is there any workaround to achieve it?

Any guidance would be greatly appreciated!

Thanks,
Prashant Nakum

Solved Solved
0 1 75
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Yes, couple of functions actually.

Here's a video on strings.length: https://www.googlecloudcommunity.com/gc/Google-Security-Operations/Getting-to-Know-Google-SecOps-Str...

And a blog on it as well https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Turning-Strings-into-Int...

Here's one on statistical functions including average https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-New-Statistical-Function...

And below is one way to go about doing what you are asking. In this case I am grouping/aggregating by hostname so that might change for what you are doing but hopefully this is a good template to get you started.

 

metadata.event_type = "PROCESS_LAUNCH"
target.process.command_line != ""
$command_length = strings.length(target.process.command_line)
match:
 principal.hostname
outcome:
$event_count = count(metadata.event_type)
$avg_length = window.avg($command_length)

View solution in original post

Jump to Solution
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

Yes, couple of functions actually.

Here's a video on strings.length: https://www.googlecloudcommunity.com/gc/Google-Security-Operations/Getting-to-Know-Google-SecOps-Str...

And a blog on it as well https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Turning-Strings-into-Int...

Here's one on statistical functions including average https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-New-Statistical-Function...

And below is one way to go about doing what you are asking. In this case I am grouping/aggregating by hostname so that might change for what you are doing but hopefully this is a good template to get you started.

 

metadata.event_type = "PROCESS_LAUNCH"
target.process.command_line != ""
$command_length = strings.length(target.process.command_line)
match:
 principal.hostname
outcome:
$event_count = count(metadata.event_type)
$avg_length = window.avg($command_length)
Jump to Solution
0 Likes
Top Solution Authors
View all