Data Tables

  • April 17, 2025
  • 2 replies
  • 29 views

mccrilb

This showed up in our SIEM today. I have been trying to figure this out. I can get it to work in a UDM search, but not in a rule.

UDM:

principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.Hostname nocase
target.process.file.full_path in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.target_process_file_full_path nocase

Rule:

or ($e1.principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1 nocase
                        and $e1.target.process.file.full_path in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.target_process_file_full_path nocase
                        )

What am I doing wrong?

2 replies

David-French
Staff

Hey @mccrilb. I'm taking a look at this now. What error are you seeing in the rules editor with the syntax you're using? Cheers


David-French
Staff

It looks like you haven't specified the column name for the data table "CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1" in your YARA-L rule logic. If that is indeed a data table, then the syntax should be %data_table_name.column_name.
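For reference, here is an added example (not from either poster) of a complete YARA-L rule that applies the data-table exclusion with the column names the UDM search above already uses; the rule name, the PROCESS_LAUNCH event type, the outcome variable and the HACK_TOOL_COMMANDLINE_PATTERNS reference list are assumptions for illustration, not anything from the thread.

```yara-l
rule windows_hack_tools_commandline_with_data_table_exclusion {
  meta:
    author = "added example"
    description = "Process launch matching a hack-tool command-line pattern, minus hosts/paths listed in an exclusion data table"
    severity = "MEDIUM"

  events:
    $e1.metadata.event_type = "PROCESS_LAUNCH"
    $e1.principal.hostname = $host

    // Assumed reference list holding the detection patterns (hypothetical name).
    $e1.target.process.command_line in regex %HACK_TOOL_COMMANDLINE_PATTERNS nocase

    // Exclusion: both the host AND the launched binary path must be listed in the
    // data table. Each reference names the table AND the column (%table.column),
    // which is the piece missing from the rule in the question.
    not (
      $e1.principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.Hostname nocase
      and $e1.target.process.file.full_path in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.target_process_file_full_path nocase
    )

  match:
    $host over 1h

  outcome:
    $risk_score = 50

  condition:
    $e1
}
```

Because the exclusion table's columns are matched with `in regex`, a row whose pattern is too broad (for example `.*`) silently suppresses every host or path, so review table contents when a rule stops firing.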