Chronicle SIEM: Outcomes in Multi Event Rules: Arrays

Today, we are going to cover two aggregation functions that are often used with strings in the outcome section of a YARA-L rule in Chronicle SIEM: array and array_distinct.


It's important to understand that when a rule works with multiple events (that is, it has a match section), every outcome variable that references a UDM field must be wrapped in an aggregation function. Both array and array_distinct return at most 25 elements. The difference is where the cap is applied: array keeps one element per matched event, duplicates included, and is cut off at 25, while array_distinct deduplicates the values first and then applies the cap, so you get up to 25 unique values rather than 25 raw ones.

Follow along in the video below to see how aggregation functions like array_distinct are used within a multi event rule.

Remember that array and array_distinct are just two of the aggregate functions that can be used in the outcome section, and every outcome variable that references an event field must be aggregated in rules that match across multiple events. I’ve found that array_distinct is my go-to aggregation because it deduplicates before the truncation is applied, so I see only unique values in my outcome variables.
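As an added example that is not from the original post or the video, here is a complete multi event rule that applies both functions to the same field, so the difference between them is visible side by side in the resulting detection. The rule name, the one-hour match window, the PROCESS_LAUNCH filter and the condition threshold are assumptions made for this example; the UDM field names are standard Chronicle UDM fields.

```yaral
rule added_example_array_outcomes {
  meta:
    author = "added example, not from the original post"
    description = "Per host, collect command lines launched in a 1h window, raw and deduplicated"
    severity = "LOW"

  events:
    // Event filter; the exact filter is an assumption for this example.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
    // Binding a match variable is what makes this a multi event rule.
    $e.principal.hostname = $host

  match:
    // All $e events from the same host within one hour are grouped together.
    $host over 1h

  outcome:
    // In a multi event rule every outcome variable that references a UDM field
    // must be wrapped in an aggregation function; a bare $e.<field> here will
    // not compile.
    $event_count = count($e.metadata.id)

    // array() keeps one element per matched event, duplicates included, and is
    // cut off at 25 elements, so repeated command lines can crowd out unique ones.
    $command_lines = array($e.target.process.command_line)

    // array_distinct() deduplicates before the 25 element cap is applied, so the
    // outcome holds up to 25 unique command lines no matter how often each repeats.
    $distinct_command_lines = array_distinct($e.target.process.command_line)

    // The same pattern applies to any string field in the grouped events.
    $distinct_users = array_distinct($e.principal.user.userid)

  condition:
    // Fire only when at least two matching events were grouped for the host.
    #e >= 2
}
```

When this rule fires for a host that ran the same command many times in the window, compare $command_lines with $distinct_command_lines in the detection: the first fills up with repeats and can hit the 25 element cap, while the second lists each command line once and still has room for the unique values that array() would have truncated away.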


Check out these additional resources with more information and learning opportunities:

Last update: 02-01-2024 11:02 AM