Skip to main content
Question

Detection Rule Test

  • August 18, 2025
  • 6 replies
  • 157 views
havox
Forum|alt.badge.img+3
  1. IP address of Windows host encoded in web request

            This detection will identify network requests in HTTP proxy data that contains Base64 encoded 

             IP addresses.

Reference URL : IP address of Windows host encoded in web request | Microsoft Sentinel Analytic Rules

  1. Windows host username encoded in base64 web request

           This detection will identify network requests in HTTP proxy data that contains Base64 encoded

           usernames from machines in the DeviceEvents table.

Reference URL : Windows host username encoded in base64 web request | Microsoft Sentinel Analytic Rules
 

could you please help with this above for YARAL Rule Logic.. 

6 replies

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • August 18, 2025

I’ll try to help you get started by sharing this blog that shows how we can use the re2 functions re.regex and re.capture, as well as base64 decoding with strings.base64_decode.

 

 

The join portion could be handled either by reference lists or data tables, using the word IN to perform a single column comparison.

havox
Forum|alt.badge.img+3
  • havox
  • Author
  • New Member
  • August 19, 2025

Is there any specific for URL Related encoded, and provide logic if any possible

 

 

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • August 19, 2025

sorry i don’t understand your question. you would want to capture the url and then decode it. The example in the blog is a command line but the concepts are similar.

havox
Forum|alt.badge.img+3
  • havox
  • Author
  • New Member
  • August 19, 2025

Thanks for clarifying :) What I was actually looking for is whether you could share any rule logic or a snippet that could help detect Base64-encoded content in URL Even a simple example would be really helpful as a starting point.

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • August 20, 2025

There is going to be some trial and error and testing involved, but here is an example. I might suggest having a reference list or data table of legit domains that you could filter out so if you are comfortable with certain domains, you could exclude those right off the top.

 

Otherwise we are using the same regex in these iterations and assuming that the base64 string will be at the end of the url. If we can’t make that assumption, the $ at the end can be removed but some more tuning will need to be done.

 

I put a few items in here that I tuned out after that capture, if you wanted you could use something like the strings length function has to be greater than some number as well.

 

Finally my output on some of the strings that were recognized as meeting the criteria of base64 did not decode. When I ran them through cyberchef, they didn’t decode cleanly either and magic seemed to indicate a combo of things, so this isn’t a perfect solution but might get you going in the right direction.

 

metadata.event_type = "NETWORK_HTTP"
target.url != ""
re.regex(target.url, `(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$`)
re.capture(target.url, `(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$`) = $url
strings.base64_decode(re.capture(target.url, `(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$`)) = $decode
$url != "4filter="
$url != "tatoken="
$url != "fpb="
//strings.length($url) > 4
match:
    target.url, $url, $decode

 

havox
havox
Forum|alt.badge.img+3
  • havox
  • Author
  • New Member
  • August 20, 2025

Thanks for the suggestion that would be really helpful

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.