This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community will be in read-only mode July 16 - July 22 as we migrate platforms. 

Read more and check out our FAQ
Log in to ask a question

How to build a YARA-L metrics for average daily outbound bytes vs actual?

Posted on 08-23-2024 12:50 AM
TheChris
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I'm trying to build a rule that will check our VPN logs which contains the username and bytes out of all the users connections. I want to know the average of bytes out / day / username to be able to compare it against "$yesterday". The idea is that I will detect if johndoe had a "bytes out" of 50GB in a day while his average is only 20GB.

I understand that I need to use metrics.network_bytes_outbound, but I always get an error. Suggestions?

Run frequency: 24 hours

 

$avg_bytes_out = max(metrics.network_bytes_outbound(period:1d, window:30d, metric:value_sum, agg:avg, principal.user.userid:$e.principal.user.userid))
 

{"code":400,"statusText":"Bad Request","message":"cannot identify time window in the rule","details":[],...

0 2 260
Topic Labels
0 Likes
Reply
2 REPLIES 2
Top Solution Authors
View all