So I am facing a situation which is as follows:
I have this field,
metadata.description = "new user: name=swiagent, UID=995, GID=749, home=/opt/SolarWinds/Agent, shell=/sbin/nologin"
I want to extract this name swiagent and store it in a variable, say $user.
Can I do something to store the part after "=" and before ","?
How am I supposed to do that in YARA-L?
I need this to make a use case: user account created and deleted in a short interval.
Similarly,
I want to extract the 2 strings after the usermod -aG command, i.e. testgroup and testuser_hehe1, in 2 different variables.
metadata.description = "root : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/usr/sbin/usermod -aG testgroup testuser_hehe1"
Can someone tell me how to code for the same?
What I would suggest, where feasible, is to do this extraction within the parser. This can allow you (in this case) to store that 'user' within the relevant UDM field, and allow you to map this new user as an 'entity'.
If this is something that is not feasible, then there is a function which allows you to utilise Regular Expression 2 (RE2) to capture a string [1]. Bear in mind this uses RE2, and not RE1, therefore certain capabilities such as lookahead and lookbehind are not supported. However, the below rule logic should work in your case, on the basis that for every log that comes in, this data is mapped to 'metadata.description', and there is consistency with the sample log you've provided.
In the below, we've used 're.capture' with a 'match and group' regular expression to match the contents that appear after 'new user: name=' up until ', UID='. We've stored this captured regular expression output string in a variable 'User' and then created a new variable within the Outcome section, known as 'ExtractedUser', which will output our newly stored captured string.
rule Re_Capture_Rule {
  meta:
    author = "Ayman C"

  events:
    // Capture everything between "new user: name=" and ", UID=" (RE2 syntax;
    // backslashes are doubled inside YARA-L double-quoted strings)
    $User = re.capture($e.metadata.description, "new\\suser:\\sname=([^,]+),\\sUID=")

  outcome:
    $risk_score = 0
    $ExtractedUser = $User

  condition:
    $e
}
Some additional sources are below which can help!
[1] - https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-functions/re-capture
[2] - Re: Hunting for SQL injection - Google Cloud Community
[3] - https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Capturing-Strings-for-Additional-Analysis/ba-p/726409
Kind Regards,
Ayman Charkaui
Totally agree with @AymanC. You want to try and do the weirder modification of data in parsers to help you later on. Are you able to share a sample raw log? I think you want to try and modify the parser to get something you can use into the target.user.* object.
How does the target user look on the parsed events?
Question for the universe: While I had the parser open I spotted this, is it right to put the auid into target?
The re2 references that @AymanC list are good as well as guidance around capture. If you have two separate variables you want out of that string, you would need 2 placeholders and 2 captures.
Another option you could look at, depending on the circumstance, is to use something like strings.starts_with or strings.contains to determine if the field even meets the criteria before performing the regex, and possibly even using strings.substr if the values you are looking for are in a very fixed position and length. In this case, I'm not sure if it would, but I mention it as something to consider down the road.
Regex functions are generally more computationally expensive than other string functions, which is why I am suggesting leading with those first if possible, but if not no worries.
As it sounds like you are doing a good deal of rule building, I did want to direct your attention to a number of blogs and videos available on the community site that may help with some of the questions you are asking.
Videos (with examples): https://www.googlecloudcommunity.com/gc/Google-Security-Operations-Best/tkb-p/chronicle-best-practices
Regarding the question about auid, below is the UDM usage guideline for user_creation events. Target would be the location the user is being created. Not sure if auid fits in that case, but wanted to share the reference that should be followed.
https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#user_
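Putting the two pieces of advice above together for the second sample line in the question (the usermod -aG case, which needs two placeholders and two captures, and a cheap string check before the regex), here is an added example rule. It is not from any poster in this thread and not Google's own code; the rule name, the placeholder names and the outcome variable names are my own, and it assumes the whole sudo line lands in metadata.description exactly as in the sample.

```yara-l
rule Usermod_Group_And_User_Capture {
  meta:
    // Hypothetical rule added as an illustration; not from the thread or Google.
    author = "added example"
    description = "Extracts the group and the user from a sudo 'usermod -aG <group> <user>' line"

  events:
    // Cheap string test first: the regexes below only run on events whose
    // description actually contains the usermod -aG command.
    strings.contains($e.metadata.description, "COMMAND=/usr/sbin/usermod -aG ")

    // Two separate placeholders need two separate captures. RE2 has no
    // lookaround, so each pattern matches the same tail of the line and just
    // moves the single capturing group to the token it wants.
    // Backslashes are doubled inside YARA-L double-quoted strings.
    $Group = re.capture($e.metadata.description, "usermod\\s-aG\\s(\\S+)\\s\\S+\\s*$")
    $User  = re.capture($e.metadata.description, "usermod\\s-aG\\s\\S+\\s(\\S+)\\s*$")

  outcome:
    $risk_score = 0
    $ExtractedGroup = $Group
    $ExtractedUser = $User

  condition:
    $e
}
```

On the sample line "root : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/usr/sbin/usermod -aG testgroup testuser_hehe1" this yields $ExtractedGroup = testgroup and $ExtractedUser = testuser_hehe1. If a line passes the strings.contains check but the regex does not match (for example extra flags after -aG), re.capture returns an empty string rather than failing the rule, so it is worth checking the outcome values in the test-rule view before relying on them in a detection.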