Question

Deprecated labels field YARA-L

  • February 17, 2026

EP0

I’m trying to create a detection for illicit consent grants for O365 and need to extract important values such as permissions, consent type, etc., from the field target.labels["ConsentAction.Permissions"]

events:
$e.metadata.log_type = "OFFICE_365"
$e.metadata.product_event_type = "Consent to application."

$permissions_raw = $e.target.labels["ConsentAction.Permissions"]

$consent_type = re.capture($e.target.labels["ConsentAction.Permissions"], `ConsentType:\s*([^,]+)`)
$scope = re.capture($e.target.labels["ConsentAction.Permissions"], `Scope:\s*([^,]+)`)
$client_id = re.capture($e.target.labels["ConsentAction.Permissions"], `ClientId:\s*([^,]+)`)
$resource_id = re.capture($e.target.labels["ConsentAction.Permissions"], `ResourceId:\s*([^,]+)`)

However, when I save this as a YARA-L rule, I’m getting the message “labels field is deprecated and might not populate as expected.”
 


I checked the link UDM field list | Google Security Operations | Google Cloud Documentation but did not find any solid information about it. I ran a retro hunt for the relevant events I had and it seems like it worked without any issue. Can someone let me know if it’s still okay to use the field I'm currently using?


 

1 reply

Asura
  • February 17, 2026

Hello @EP0,

 

Indeed, as mentioned in the doc, the labels field is deprecated. While you can still use it perfectly well, I expect it to disappear some day.

Looking at the query you shared, if you are looking at the permission or consent action linked to a specific user activity, I believe you can use target.user.attribute.labels, which will work in a similar manner as target.labels. It is just that the label is “attached” to an entity, which makes it more precise.

 

additional.fields could also be another solution.
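
The rule from the question rewritten against the entity-scoped label suggested in the reply, as an added example that is not code from either poster. The rule name, meta values and outcome variable names are hypothetical, and it assumes the OFFICE_365 parser writes the "ConsentAction.Permissions" key under target.user.attribute.labels, which should be confirmed in UDM search before relying on it.

```yara-l
rule o365_consent_grant_entity_labels_example {
  meta:
    description = "Added example: O365 consent grant read from an entity-scoped label instead of the deprecated target.labels"
    severity = "Medium"

  events:
    $e.metadata.log_type = "OFFICE_365"
    $e.metadata.product_event_type = "Consent to application."

    // Assumption: the parser populates this key on the target user entity.
    // If your events carry it in additional.fields instead, replace every
    // occurrence of the field below with
    // $e.additional.fields["ConsentAction.Permissions"].
    // Requiring a non-empty value keeps the rule from matching events where
    // the key is missing and the captures would all come back empty.
    $e.target.user.attribute.labels["ConsentAction.Permissions"] != ""

  outcome:
    // Same capture patterns as in the question, surfaced on the detection.
    $permissions_raw = $e.target.user.attribute.labels["ConsentAction.Permissions"]
    $consent_type = re.capture($e.target.user.attribute.labels["ConsentAction.Permissions"], `ConsentType:\s*([^,]+)`)
    $scope = re.capture($e.target.user.attribute.labels["ConsentAction.Permissions"], `Scope:\s*([^,]+)`)
    $client_id = re.capture($e.target.user.attribute.labels["ConsentAction.Permissions"], `ClientId:\s*([^,]+)`)
    $resource_id = re.capture($e.target.user.attribute.labels["ConsentAction.Permissions"], `ResourceId:\s*([^,]+)`)

  condition:
    $e
}
```

Running it as a retrohunt over the same window as the original target.labels version and comparing the detection counts shows whether the new field is populated for every event the old one matched.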