Meta section syntax

Supported in:

Google secops SIEM

The meta section of a YARA-L query is required for a rule and must appear at the start of the query.

This section can include multiple lines, where each line defines a key-value pair. The key is a string value without quotes, and the value is a string with quotes, such as: <key> = "<value>"

In this example query rule, we want to find failed logins from a new location. The meta section specifies the author, description, and severity:

rule failed_logins_from_new_location { meta: author = "Security Team" description = "Detects multiple failed logins for a user from a new, never-before-seen IP address within 10 minutes." severity = "HIGH" ... rest of the rule ... }

What's next

Additional information

Need more help? Get answers from Community members and Google SecOps professionals.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-24 UTC.