I'm trying to write a nested if then else condition in the outcomes section and I am getting this error:
At first I assumed I was missing but I even tested the statement that's been provided by @jstoner for another question see here: https://www.googlecloudcommunity.com/gc/SecOps-SIEM/Else-if-condition-SecOps/m-p/855792/highlight/tr...
Even this one throws the same error in our instance. Is there any chance nesting needs to be enabled further on the backend or is there something I am missing?
The issue is that there is a gap in the current functionality between search/dashboards and the rules engine. We have made this nested conditional statement that I highlighted in the search/dashboard available but we have not added it to the rules engine (yet). We have work going on to merge items like this so that we have consistency across search and rules.
The above example is valid for rules that are not using a match section but if you are using aggregation in the rule (using a match section) the outcome section will require aggregation functions for the outcome variables. Because of that, below are a few examples of methods you could use with the aggregation functions.
outcome:
$if_nested_1 = max(if($process.principal.hostname = /win-adfs/, 5, 0))
$if_nested_2 = max(if($process.principal.hostname = /server/, 3, 0))
$if_nested_3 = max(if($process.principal.hostname = /win-atomic/, 1, 0))
$sum_it = $if_nested_1 + $if_nested_2 + $if_nested_3
outcome:
$if_nested = max(if($process.principal.hostname = /win-adfs/, 5, 0)) +
max(if($process.principal.hostname = /server/, 3, 0)) +
max(if($process.principal.hostname = /win-atomic/, 1, 0))
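As an added illustration (not from the original thread or from Google's own code), here is a complete rule that puts the aggregated outcome above into context: the rule name, the PROCESS_LAUNCH filter, the 1h match window and the threshold of 3 in the condition are all assumptions for the example.

```yaral
rule hostname_risk_score_example {
  meta:
    author = "example (added illustration, not from the thread)"
    description = "Scores process launches by hostname pattern using aggregated if() outcomes"
    severity = "LOW"

  events:
    // Assumed event filter: any process launch, grouped later by hostname.
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.principal.hostname = $hostname

  match:
    // A match section means every outcome variable must be aggregated.
    $hostname over 1h

  outcome:
    // Each if() is wrapped in max() so it is valid under the match section;
    // the scores are additive, so a host matching two patterns sums both.
    $if_nested_1 = max(if($process.principal.hostname = /win-adfs/, 5, 0))
    $if_nested_2 = max(if($process.principal.hostname = /server/, 3, 0))
    $if_nested_3 = max(if($process.principal.hostname = /win-atomic/, 1, 0))
    $risk_score = $if_nested_1 + $if_nested_2 + $if_nested_3

  condition:
    // Outcome variables can be used in the condition; assumed threshold of 3
    // so only hosts scoring above the lowest tier produce a detection.
    $process and $risk_score > 3
}
```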
Hey @spwalz ,
Unless I'm missing something obvious, both the error that you provided and the official YARA-L documentation (https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#condition_section_syntax) allude to only being able to use placeholders, event fields, and constants in conditional statements. In other words, you cannot include a nested if-statement (or any other function calls or expressions that aren't one of those allowed types) in the else clause.
I tested it out in my instance using the example you posted and get the same error message. That being said, the answer you linked was from the Google team (@jstoner) so I'd be interested to see if there are cases where you can actually chain additional conditionals together.
As an alternative, you should be able to create individual if statements and work with the output of the statements:
$score1 = if($e.principal.user.userid = /value1/, 5, 0)
$score2 = if($e.principal.user.userid = /value2/, 3, 0)
$final_score = $score1 + $score2 // Or whatever you want to do with the output