
Is it possible to make a YARA-L rule that detects on a specific field in the additional section?

I have data in the UDM field:
additional.fields["entity"].entity_payload.attachments.name = "test.exe"
I do not know how to access data after the fields["entity"] section. The following shows what the rule currently looks like.

    rule AM_Example_additional_rule {

      meta:
        author = "amalone"
        description = "Sample rule to chat about additional section"
        severity = "Medium"

      events:
        $e.additional.fields["entity"] = /\\.exe$/

      condition:
        $e
    }

From my testing this does not pick up on the data from the logs. 

We currently support additional in our rules. You can find more information in the link below:


https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#maps


I am not sure what the UDM you are trying to match looks like, but something I noticed is that the value is missing quotes. Sample from our documentation:


$e.udm.additional.fields["pod_name"] = "kube-scheduler"

Best,


Rene



Hi Rene,

In our case there is data that seems to be stored in fields after the brackets. In the event viewer we see fields like the following:

additional.fields["entity"].entity_payload.attachments.name = "test.exe"

I would like to search this field in a rule with a regex that applies to a specific file type.



Hi,

Expanding on Rene's comments, here is what I came up with that might help you with searching for the specific file type.

      // "file_type_blackhole" stands in for the regex of the file type to match
      re.regex($e.udm.additional.fields["pod_name"], `file_type_blackhole`)

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#regexp_functions

I think more documentation on YARA-L and Chronicle is definitely needed. The repository on GitHub is nearly 2 years old.
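As an added example (not code from any poster in this thread, and not from the Chronicle documentation), here is a complete YARA-L 2.0 rule that puts Rene's map lookup and the re.regex() suggestion together into something that compiles as a whole. It assumes the map key is "pod_name", as in the documentation sample, and that the value under that key is compared as a string. Whether a nested path after the bracketed key (entity_payload.attachments.name) can be addressed at all is the question left open in the thread, so the rule does not attempt it; the "entity" key from the original post is only mentioned in a comment.

```yaral
rule AM_Example_additional_regex {

  meta:
    author = "example"
    description = "Match a value stored under one key of additional.fields against a file-extension regex"
    severity = "Medium"

  events:
    // Map lookup: the bracketed key selects one entry of the additional.fields map
    // and the comparison is made against that entry's value as a string.
    // "pod_name" is the documented sample key; for the data in this thread the
    // key present in the events is "entity".
    // The pattern is written in backticks so the backslash is taken literally:
    // `\.exe$` matches a value that ends in ".exe" (the dot is escaped).
    re.regex($e.udm.additional.fields["pod_name"], `\.exe$`)

    // Equivalent form using a regex literal on the right-hand side of "=",
    // which is the form the original post used:
    // $e.udm.additional.fields["pod_name"] = /\.exe$/

  condition:
    $e
}
```

To check the pattern before committing it to a rule, run the same re.regex() expression in UDM search against a window in which a known ".exe" value is present under the chosen key; if the search returns nothing while the event viewer shows the value, the key or the nesting, not the regex, is what needs attention.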



Hi,


The value of "additional.fields["entity"].entity_payload.attachments.name" looks interesting. Is this a regular UDM or UDM Entity event? Also, what is the log source for event?


You can open a support case, so we can further look at this.  



Hi Rene,

This should be a regular UDM event. I will go ahead and submit a case.

