Deprecated labels field YARA-L

Question

I’m trying to create a detection for illicit consent grants for O365 and need to extract important values such as permissions, consent type, etc from the field target.labels["ConsentAction.Permissions"]

events:
    $e.metadata.log_type = "OFFICE_365"
    $e.metadata.product_event_type = "Consent to application."

    $permissions_raw = $e.target.labels["ConsentAction.Permissions"]

    $consent_type = re.capture($e.target.labels["ConsentAction.Permissions"], `ConsentType:\s*([^,]+)`)
    $scope = re.capture($e.target.labels["ConsentAction.Permissions"], `Scope:\s*([^,]+)`)
    $client_id = re.capture($e.target.labels["ConsentAction.Permissions"], `ClientId:\s*([^,]+)`)
    $resource_id = re.capture($e.target.labels["ConsentAction.Permissions"], `ResourceId:\s*([^,]+)`)

However when I save this a YARA-L rule, i’m getting the message “labels field is deprecated and might not populate as expected.”

I checked the link UDM field list | Google Security Operations | Google Cloud Documentation but did not find a solid information about it. I ran a retro hunt for the relevant events I had and seems like it worked without any issue. Can someone let me know if it’s still okay to use the field I'm currently using?

Asura · Answer

Hello ​@EP0,Indeed as mentioned in the doc labels field is deprecated, while you can still use it perfectly well, I expect it to disappear some day.Looking at the query you shared, if you are looking at the permission or consent action linked to a specific user activity. I believe you can use target.user.attribute.labels, which will work in a similar manner as target.labels. It is just that the label is “attached” to an entity which makes it more precise.additional.fields could also be another solution.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded