From d3a314171f815330f5be00b7da9d7a4fae83fdad Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 9 Jan 2026 15:31:18 +0000
Subject: [PATCH] Replace Splunk SPL with YARA-L in Google SecOps search examples

Co-authored-by: seanthegeek <44679+seanthegeek@users.noreply.github.com>
---
 docs/source/google_secops.md | 88 +++++++++++++++++++++++++++---------
 1 file changed, 66 insertions(+), 22 deletions(-)

diff --git a/docs/source/google_secops.md b/docs/source/google_secops.md
index 52fea8b..e5fda62 100644
--- a/docs/source/google_secops.md
+++ b/docs/source/google_secops.md
@@ -133,42 +133,86 @@ Each event includes: ## Google SecOps Searches -Here are some example searches you can use in Google SecOps to hunt for DMARC issues: +Here are some example YARA-L rules you can use in Google SecOps to hunt for DMARC issues: ### Find all DMARC failures -``` -metadata.event_type = "GENERIC_EVENT" -metadata.product_name = "parsedmarc" -principal.ip != "" -additional.fields.key = "dmarc_pass" -additional.fields.value = "false" +```yara-l +rule dmarc_failures { + meta: + author = "parsedmarc" + description = "Detect DMARC authentication failures" + + events: + $e.metadata.event_type = "GENERIC_EVENT" + $e.metadata.product_name = "parsedmarc" + $e.principal.ip != "" + $e.additional.fields.key = "dmarc_pass" + $e.additional.fields.value = "false" + + condition: + $e +} ``` ### Find high severity DMARC events (rejected mail) -``` -metadata.event_type = "GENERIC_EVENT" -metadata.product_name = "parsedmarc" -security_result.severity = "HIGH" +```yara-l +rule high_severity_dmarc_events { + meta: + author = "parsedmarc" + description = "Detect high severity DMARC events (rejected mail)" + + events: + $e.metadata.event_type = "GENERIC_EVENT" + $e.metadata.product_name = "parsedmarc" + $e.security_result.severity = "HIGH" + + condition: + $e +} ``` -### Aggregate by source IP and target domain +### Find repeated DMARC failures from same source -``` -metadata.event_type = "GENERIC_EVENT" -metadata.product_name = "parsedmarc" -| stats count() as event_count by principal.ip, target.domain.name -| sort event_count desc +```yara-l +rule repeated_dmarc_failures { + meta: + author = "parsedmarc" + description = "Detect repeated DMARC failures from the same source IP" + + events: + $e.metadata.event_type = "GENERIC_EVENT" + $e.metadata.product_name = "parsedmarc" + $e.additional.fields.key = "dmarc_pass" + $e.additional.fields.value = "false" + $e.principal.ip = $source_ip + + match: + $source_ip over 1h + + condition: + #e > 5 +} ``` ### Find forensic reports 
with specific authentication failures -``` -metadata.event_type = "GENERIC_EVENT" -metadata.product_name = "parsedmarc" -additional.fields.key = "auth_failure" -additional.fields.value = "dmarc" +```yara-l +rule forensic_auth_failures { + meta: + author = "parsedmarc" + description = "Detect forensic reports with DMARC authentication failures" + + events: + $e.metadata.event_type = "GENERIC_EVENT" + $e.metadata.product_name = "parsedmarc" + $e.additional.fields.key = "auth_failure" + $e.additional.fields.value = "dmarc" + + condition: + $e +} ``` ## Privacy Considerations