In my events, the 'target.namespace' field carries the customer value (customer1, customer2 or customer3).
What I want to achieve in my rule is that, depending on the value the event has in the 'target.namespace' field, one list or another is consulted.
Something like the following: $e.target.ip in %($e.target.namespace)_public_IPs
but that doesn't work.
The idea is to parameterize the lookup against the list rather than having to add a line for each customer, because if there are many more customers in the future it would not be worth having to generate a line for each of them.
What would be the right way to do it?
Thanks in advance.
Best answer by JeremyLand
Unfortunately YARA-L doesn't have a method to parameterize that reference list name. The 2 basic options for working around this are:

1: Separate lists per customer - In addition to the issue of adding new lines per customer that you have already brought up, that technique can only be expanded to 7 customers due to the maximum number of reference lists in a rule (ref: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#reference_lists_syntax)

2: Use strings.concat to work with a single reference list as a multi-column CSV - This only works with the string list type but would allow you to maintain a single reference list formatted like this
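As an added illustration of option 2 (this is example code written for this page, not the answer author's rule): the rule below assumes a single string-type reference list named customer_public_ips whose rows are "<namespace>,<ip>", and it builds the same "<namespace>,<ip>" key from each event with strings.concat so that one list serves every customer. The list name, the row layout and the comma separator are assumptions chosen for the example; the rule adds no per-customer lines, and a new customer only needs new rows in the list.

```yara-l
rule customer_public_ip_match {
  meta:
    author = "example"
    description = "Matches target IPs against a per-customer public IP set held in one multi-column reference list"

  events:
    // Only consider events that actually carry a customer namespace and a target IP.
    $e.target.namespace != ""
    $e.target.ip != ""

    // Assumed reference list 'customer_public_ips' (string type), one row per (customer, ip), e.g.:
    //   customer1,203.0.113.10
    //   customer2,198.51.100.7
    //   customer3,192.0.2.44
    // The event key is built in the same "<namespace>,<ip>" shape, so a hit means
    // the IP is in that specific customer's set, not in any customer's set.
    strings.concat($e.target.namespace, ",", $e.target.ip) in %customer_public_ips

  condition:
    $e
}
```

Because the separator is part of the key, pick one that cannot appear in a namespace value; the comma works for the customer1/customer2/customer3 naming in the question, but a namespace that itself contained a comma would need a different separator or a sanitised key. Keeping the customer name as the first column also makes the list easy to review per customer when rows are added or retired.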