The error `parsing: function arrays.filter_regex_contains not found` indicates that the function is either deprecated or not available in the specific version of the YARA-L language used by your Google SecOps environment.

While `arrays.filter_regex_contains` was documented as a valid function, modern YARA-L often encourages using loops and the `re.regex()` function for array filtering.
The Modern YARA-L Approach (Using `any` or `all` Keywords)
Instead of using a dedicated `filter_regex_contains` function, the standard and supported way to check if an array contains an element matching a regular expression is to use the `any` or `all` keywords with a lambda-style expression in your rule's `condition` section.

Here is how you would check if any element in an array matches a regular expression:
```yara
rule check_array_regex {
  meta:
    description = "Checks if any entry in an array matches a regex"

  events:
    // Assuming $e.target.labels is the array of strings you want to check
    $array_of_strings = $e.target.labels

  condition:
    // Check if ANY element in the array ($value) matches the regex
    any($array_of_strings, $value, re.regex(strings.to_lower($value), "suspicious_keyword.*"))
}
```