This showed up in our SIEM today. I have been trying to figure this out. I can get it to work in a UDM search, but not in a rule.

UDM search:

principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.Hostname nocase
target.process.file.full_path in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.target_process_file_full_path nocase

Rule:

or ($e1.principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1 nocase
    and $e1.target.process.file.full_path in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.target_process_file_full_path nocase
    )

What am I doing wrong?

Hey @mccrilb. I'm taking a look at this now. What error are you seeing in the rules editor with the syntax you're using? Cheers


It looks like you haven't specified the column name for the data table "CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1" in your YARA-L rule logic. If that is indeed a data table then the syntax should be %data_table_name.column_name
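For illustration, here is the exclusion clause written with a column name on every data table reference, inside a minimal YARA-L rule skeleton. This is an added example, not code from the thread: the column for the non-Exclude table is not given above and is left as a placeholder, the PROCESS_LAUNCH event filter and the rule name are assumptions, and the .Hostname / .target_process_file_full_path columns are taken from the UDM search in the question.

```yaral
rule hack_tools_commandline_group1_example {
  meta:
    author = "added example, not from the thread"
    description = "Shows %data_table_name.column_name on every data table lookup"

  events:
    // Assumed event filter; adjust to the events the real rule targets
    $e1.metadata.event_type = "PROCESS_LAUNCH"

    // Match list: the thread does not name this table's column, so it is a placeholder
    $e1.principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1.COLUMN_NAME_PLACEHOLDER nocase

    // Exclusion: both lookups name their column, exactly as the working UDM search does
    not (
      $e1.principal.hostname in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.Hostname nocase
      and $e1.target.process.file.full_path in regex %CCF_SM_WINDOWS_Hack_Tools_CommandLine_Group1_Exclude.target_process_file_full_path nocase
    )

  condition:
    $e1
}
```

The point of the skeleton is the `%table.column` form on each lookup; a bare `%table` with no column is what the rules editor rejects.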
