Port Reference List in Chronicle

Question

Hey folks,

I wanted to dive into some network related use cases in Chronicle and stumpled upon a problem regarding managing ports in reference lists. When trying to query the ref-set inside YARAL, I receive a mismatch error, because ports are parsed as int:

$network.target.port in %uncommon_ports

validating intermediate representation: type mismatch between "%uncommon_ports" of type string and "network.udm.target.port" of type int

As there is no type casting/conversion function available, what other options exits besides inputting all entries/ports inside the rule seperated by ORs? Thanks!

David-French · Accepted Answer

Hi @maxjunker. Try this:events:  $e.metadata.event_type = "NETWORK_CONNECTION"  $target_port = strings.concat($e.target.port,"")  $target_port in %test_uncommon_ports_1  Check out this blog post by @jstoner for more info! https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Summer-2024-User-Mailbag-Part-2/ba-p/735049

maxjunker · Answer

thanks @David-French! Thats exactly what is was hoping for.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded