Skip to main content

Detect off additional fields in Yara-L

  • February 16, 2023
  • 5 replies
  • 45 views
A
Forum|alt.badge.img+3

Is it possible to make a Yara-L rule that is detecting off of a specific field in the additional section?

I have data in the UDM field:
additional.fields["entity"].entity_payload.attachments.name = "test.exe"
 
I do not know how to access data after the fields["entity"] section. The following rule shows what the rule would currently look like.
 

 

rule AM_Example_additional_rule { meta: author = "amalone" description = "Sample rule to chat about additional section" severity = "Medium" events: $e.additional.fields["entity"] = /\\.exe$/ condition: $e }

 

From my testing this does not pick up on the data from the logs. 

5 replies

Rene_Figueroa
Staff
Forum|alt.badge.img+10

We currently support additional in our rules. You can find more information in the link below:

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#maps

I am not sure what the UDM you are trying to match looks like, but something I noticed is that the value is missing quotes. Sample from our documenation:

$e.udm.additional.fields["pod_name"] = "kube-scheduler"

Best,

Rene

A
Forum|alt.badge.img+3
  • amalone341Bronze 1
  • Author
  • Bronze 1
  • February 17, 2023

We currently support additional in our rules. You can find more information in the link below:

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#maps

I am not sure what the UDM you are trying to match looks like, but something I noticed is that the value is missing quotes. Sample from our documenation:

$e.udm.additional.fields["pod_name"] = "kube-scheduler"

Best,

Rene


Hi Rene,

In our case there is data that seems to be stored in fields after the brackets. In the event viewer we see fields like the following:

additional.fields["entity"].entity_payload.attachments.name = "test.exe"

I would like to search this field in a rule with a regex that applies to a specific file type.

L
Forum|alt.badge.img+5
  • LarryNicBronze 2
  • Bronze 2
  • February 20, 2023

Hi Rene,

In our case there is data that seems to be stored in fields after the brackets. In the event viewer we see fields like the following:

additional.fields["entity"].entity_payload.attachments.name = "test.exe"

I would like to search this field in a rule with a regex that applies to a specific file type.


Hi,

Expanding on Rene's comments. Here is what I came up with that might help you with searching the specific file type. 

      re.regax($e.udm.additional.fields["pod_name"]  = “file_type_blackhole”, regax)

https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#regexp_functions

I think more documentation on Yara L and chronicle is definitely needed. The repository on Github is nearly 2 years old. 

A
Rene_Figueroa
Staff
Forum|alt.badge.img+10

Hi Rene,

In our case there is data that seems to be stored in fields after the brackets. In the event viewer we see fields like the following:

additional.fields["entity"].entity_payload.attachments.name = "test.exe"

I would like to search this field in a rule with a regex that applies to a specific file type.


Hi,

The value of "additional.fields["entity"].entity_payload.attachments.name" looks interesting. Is this a regular UDM or UDM Entity event? Also, what is the log source for event?

You can open a support case, so we can further look at this.  

A
Forum|alt.badge.img+3
  • amalone341Bronze 1
  • Author
  • Bronze 1
  • February 23, 2023

Hi,

The value of "additional.fields["entity"].entity_payload.attachments.name" looks interesting. Is this a regular UDM or UDM Entity event? Also, what is the log source for event?

You can open a support case, so we can further look at this.  


Hi Rene,

This should be a regular UDM event. I will go ahead and submit a case.

L
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.