Question

Practical Limitations of YARA-L Regex in Chronicle and Their Impact on SQL Injection Detection

  • January 19, 2026
  • 0 replies
  • 13 views

havox

Hi community, I am working on YARA-L detection rules in Google Chronicle to identify suspicious self-equality assignments (tautologies) in SQL logs. These patterns, like "1=1" or "test=test", are often used in SQL injection attempts to bypass filters or force true evaluations.

Goal: Detect patterns where the left side of "=" exactly matches the right side, such as:

test=test
1=1
time=time
status = status
flag=flag
admin=admin
bypass=bypass
enabled=enabled
id=id
version=version

But not detect mismatches like:

1=2
a=B (and similar non-tautologies)

Challenges in Chronicle:

I tried the regex ([A-Za-z0-9'-]+)\s*=\s*\1, where I used \1 as a backreference, but unfortunately backreferences are not supported in YARA-L, so using re.regex to directly check for equal values on both sides of "=" is not possible.

Then I ran into a grouping issue: the Chronicle re.capture() function only returns the first match in the text, and it supports only 0 or 1 capture group. If the regex contains 0 capture groups, Chronicle returns the first full substring that matches the expression. If the regex contains 1 capture group, it returns only the first captured value from that match. Chronicle never scans beyond the first match and cannot return multiple matches. If the regex contains two or more capture groups, Chronicle throws a compiler error.

Because Chronicle stops at the first match, SQL statements containing multiple comparisons, such as 0=1 followed later by 1=1, will only match the earliest = expression in the string, preventing Chronicle from detecting the later valid tautology even if it exists. For example:

' OR (0=1 AND 'false'='true') -- false contradictions first
OR EXISTS(SELECT * FROM users WHERE id=1)
OR (1=1 OR 'a'='a') -- true tautologies later
AND (SELECT COUNT(*) FROM information_schema.tables > 0) -- multiple comparisons

Finally, what I am looking for:

Backreferences: It's impossible to match "previous group equals current text" without backreferences in pure regex, which Chronicle doesn't support for this.
I have tried various regex patterns, but due to these constraints, I can't reliably detect true tautologies across the log. Question: Is there any workaround or creative way to detect these tautologies using regex or re.capture in Chronicle YARA-L? Or are there alternative approaches within Chronicle for handling this? Any examples or rule snippets would be greatly appreciated!
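Added example, not from the post or from Chronicle: a Python sketch of the two detection strategies the question contrasts. The first scans every "lhs = rhs" comparison in a statement and compares the operands in code (what a backreference would do), so a tautology that follows a contradiction is still found; the second builds a backreference-free alternation from a list of expected tokens, using only literals, \b, \s* and |, as a fallback for engines that lack backreferences. The sample statements and the token list are constructed for this example, and whether the generated alternation is accepted by Chronicle's re.regex is an assumption for the reader to verify.

```python
import re

# Constructed sample statements: the post's mixed string plus a benign query
# and a query whose comparisons are all non-tautological.
SAMPLES = {
    "mixed": "' OR (0=1 AND 'false'='true') OR EXISTS(SELECT * FROM users WHERE id=1) "
             "OR (1=1 OR 'a'='a') --",
    "spaced": "SELECT * FROM t WHERE status = status",
    "mismatch": "SELECT * FROM t WHERE 1=2 AND a=B",
}

# Strategy 1 (engines with full regex support): capture every comparison as a
# (lhs, rhs) pair. Lookarounds keep us from matching inside longer tokens or
# inside operators such as "<=" / "!=".
COMPARISON = re.compile(
    r"(?<![\w'=<>!])('?[\w-]+'?)\s*=\s*('?[\w-]+'?)(?![\w'=<>])"
)

def find_tautologies(sql: str) -> list[str]:
    """Return every self-equality comparison in sql, exact and case-sensitive
    (so a=B is not reported), regardless of how many comparisons precede it."""
    return [f"{lhs}={rhs}" for lhs, rhs in COMPARISON.findall(sql) if lhs == rhs]

# Strategy 2 (engines without backreferences): enumerate the tokens of interest
# and emit one branch per token in quoted and bare form. No backreference,
# no lookaround, at most one group, so it also fits re.capture's constraints.
def build_alternation(tokens: list[str]) -> str:
    branches = []
    for tok in tokens:
        t = re.escape(tok)
        branches.append(rf"'{t}'\s*=\s*'{t}'")   # quoted form: 'a'='a'
        branches.append(rf"\b{t}\s*=\s*{t}\b")    # bare form: 1=1, status = status
    return "(?:" + "|".join(branches) + ")"

# Assumed token list; extend it with whatever your logs actually show.
KNOWN_TOKENS = ["1", "test", "time", "status", "flag", "admin",
                "bypass", "enabled", "id", "version", "a"]
TAUTOLOGY_RE = re.compile(build_alternation(KNOWN_TOKENS))

def has_known_tautology(sql: str) -> bool:
    """True if any enumerated tautology appears anywhere in sql."""
    return TAUTOLOGY_RE.search(sql) is not None

if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        print(name, find_tautologies(sql), has_known_tautology(sql))
```

The enumerated form only catches tokens on its list, so the first strategy is the reliable one wherever a scripting layer or a backreference-capable engine is available.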