
Hello everyone!

I am having a doubt regarding the deprecated label, i.e., $ioc.graph.entity.labels.key, which has to be populated as $ioc.graph.entity.user.attribute.labels.key nowadays.

I am using this new label in the rule, however, all logs contain deprecated labels entity.labels.key and entity.labels.value, thus the rule doesn't detect logs with $ioc.graph.entity.user.attribute.labels.key.

I would like to know if there is some way to define in the rule that $ioc.graph.entity.user.attribute.labels.key = $ioc.graph.entity.labels.key, or whether such an option doesn't exist and I have to ignore the compilation warning and keep using the deprecated label?

Thank you in advance!🙂

Hello!


My recommendation is to modify parsing for the entity feed to place the data in $ioc.graph.entity.user.attribute.labels.key. This can be accomplished using Parser Extensions. You can leave the data in the deprecated UDM field ($ioc.graph.entity.labels.key) as well. This approach prevents inadvertently breaking other use cases, while allowing you to use the supported field in your YARA-L rule and avoid compilation warnings.


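As an added illustration of the approach described in the reply above (this is example code, not part of the original thread or Chronicle's own content), the following YARA-L 2.0 rule joins a login event to the entity graph and filters on the supported $ioc.graph.entity.user.attribute.labels.key / .value fields only, so it compiles without the deprecation warning once the parser extension populates them. The event type, the label key "risk" and the label value "high" are assumed sample values.

```yaral
rule login_by_user_with_high_risk_label {
  meta:
    author = "example"
    description = "Login by a user whose entity record carries an assumed risk=high label (added example)"
    severity = "LOW"

  events:
    // Assumed event type for the illustration; any UDM event with a principal user would do.
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.user.userid = $user

    // Entity-graph context: the supported label fields, populated by the parser extension.
    $ioc.graph.metadata.entity_type = "USER"
    $ioc.graph.entity.user.userid = $user
    $ioc.graph.entity.user.attribute.labels.key = "risk"
    $ioc.graph.entity.user.attribute.labels.value = "high"

  match:
    $user over 1h

  condition:
    $e and $ioc
}
```

Because the parser extension can keep writing the deprecated $ioc.graph.entity.labels.key as well, existing rules and dashboards that still reference it continue to work while new rules move to the supported path.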
Hello Herrald,

Thank you for your reply.

Is there any possibility to accomplish it using existing parsers or something else instead of extensions?

Otherwise, I will have to override an existing parser, so future updates from the Chronicle development team will not go live.

