Skip to main content
Solved

Regex in YARA-L rule

  • October 27, 2023
  • 5 replies
  • 161 views
N
Forum|alt.badge.img+4

Hello everyone!

Im currently struggling with the regex usage in the rule.

I need to create a regex in order to detect the logs with an Admin privilege from  "PermissionGroup": "Admins" or "SocRole": "Administrator"

security_result.detection_fields.value =

"{
\\"PermissionGroup\\": \\"Admins\\",
\\"SocRole\\": \\"Administrator\\"
}"

 I created regex on the regex website to match SocRole : (?<=\\"SocRole\\":\\s\\")(.*?)(?=\\")

However, when Im trying to apply it in my rule, it keeps giving the error that literal is not terminated

re.regex($e.security_result.detection_fields.value, `(?<=\\"SocRole\\":\\s\\")(.*?)(?=\\")`
 
I also tried this way:
$e.security_result.detection_fields.value = /SocRole:.*/ . but it doesnt detect any logs 
 
Can you please help me to correct this issue?
Thanks in advance!🙂

Best answer by NastyaS

Unfortunately Lookahead or Lookbehinds aren't supported in re2 as far as I am aware. However the alternative is to match and group values. I don't have the data required to test the logic of the rule, however it should work. - https://regex101.com/r/riJNQ4/1

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "Windows"
    confidence_threshold = "50"

  events:

    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.base_labels.log_types = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
    $SocRole = re.capture($e.security_result.detection_fields.value, (`\\\\"SocRole\\\\":\\\\s\\\\"([^\\\\]+)`)) // Splits SocRole Value
    $PermissionGroup = re.capture($e.security_result.detection_fields.value, (`\\\\"PermissionGroup\\\\":\\\\s\\\\"([^\\\\]+)`)) // Splits PermissionGroup Value

    $SocRole = "Administrator" or $PermissionGroup = "Admins"

    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}




Thank you for help🙂

But I don't why it didn't detect anything...

So, I tried different ways and in my case this rule worked out and is detecting logs

 

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "SOAR"
    confidence_threshold = "50"

  events:
    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
   
    (
        $e.security_result.detection_fields.value = /"SocRole":\\s"Administrator"/ nocase
        or $e.security_result.detection_fields.value = /"PermissionGroup":\\s"Admins"/ nocase
    )

    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}

5 replies

AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • October 27, 2023

Hi Nastya,

 

Google Chronicle utilizes re2, which doesn't support Lookbehind, which will be partly the reason for the error "literal is not terminated".

Can you share the full rule, as well as the udm key field you want to match for the security_result.detection_fields field. As well as some values that you want to have matched, and values you don't want matched!

N
Forum|alt.badge.img+4
  • NastyaSBronze 2
  • Author
  • Bronze 2
  • October 27, 2023

Hi Nastya,

 

Google Chronicle utilizes re2, which doesn't support Lookbehind, which will be partly the reason for the error "literal is not terminated".

Can you share the full rule, as well as the udm key field you want to match for the security_result.detection_fields field. As well as some values that you want to have matched, and values you don't want matched!


Hi Ayman,

Thank you for reply.

And does re2 support Lookahead?

Sure, here is the full rule:

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "Windows"
    confidence_threshold = "50"

  events:
    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.base_labels.log_types = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
     $e.security_result.detection_fields.value = /SocRole:.*/
    //re.regex($e.security_result.detection_fields.value, `(?<=\\"SocRole\\":\\s\\")(.*?)(?=\\")`)
    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}
 
and here is a udm key:
 
security_result.detection_fields.value = "{
\\"Email\\": \\"testesiem@gmail.com\\",
\\"Environments\\": [
\\"*\\"
],
\\"LicenseType\\": \\"Regular\\",
\\"PermissionGroup\\": \\"Admins\\",
\\"SocRole\\": \\"Administrator\\",
\\"UserType\\": \\"External\\"
}"
AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • October 27, 2023

Hi Ayman,

Thank you for reply.

And does re2 support Lookahead?

Sure, here is the full rule:

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "Windows"
    confidence_threshold = "50"

  events:
    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.base_labels.log_types = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
     $e.security_result.detection_fields.value = /SocRole:.*/
    //re.regex($e.security_result.detection_fields.value, `(?<=\\"SocRole\\":\\s\\")(.*?)(?=\\")`)
    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}
 
and here is a udm key:
 
security_result.detection_fields.value = "{
\\"Email\\": \\"testesiem@gmail.com\\",
\\"Environments\\": [
\\"*\\"
],
\\"LicenseType\\": \\"Regular\\",
\\"PermissionGroup\\": \\"Admins\\",
\\"SocRole\\": \\"Administrator\\",
\\"UserType\\": \\"External\\"
}"

Unfortunately Lookahead or Lookbehinds aren't supported in re2 as far as I am aware. However the alternative is to match and group values. I don't have the data required to test the logic of the rule, however it should work. - https://regex101.com/r/riJNQ4/1

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "Windows"
    confidence_threshold = "50"

  events:

    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.base_labels.log_types = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
    $SocRole = re.capture($e.security_result.detection_fields.value, (`\\\\"SocRole\\\\":\\\\s\\\\"([^\\\\]+)`)) // Splits SocRole Value
    $PermissionGroup = re.capture($e.security_result.detection_fields.value, (`\\\\"PermissionGroup\\\\":\\\\s\\\\"([^\\\\]+)`)) // Splits PermissionGroup Value

    $SocRole = "Administrator" or $PermissionGroup = "Admins"

    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}



N
N
Forum|alt.badge.img+4
  • NastyaSBronze 2
  • Author
  • Bronze 2
  • Answer
  • October 27, 2023

Unfortunately Lookahead or Lookbehinds aren't supported in re2 as far as I am aware. However the alternative is to match and group values. I don't have the data required to test the logic of the rule, however it should work. - https://regex101.com/r/riJNQ4/1

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "Windows"
    confidence_threshold = "50"

  events:

    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.base_labels.log_types = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
    $SocRole = re.capture($e.security_result.detection_fields.value, (`\\\\"SocRole\\\\":\\\\s\\\\"([^\\\\]+)`)) // Splits SocRole Value
    $PermissionGroup = re.capture($e.security_result.detection_fields.value, (`\\\\"PermissionGroup\\\\":\\\\s\\\\"([^\\\\]+)`)) // Splits PermissionGroup Value

    $SocRole = "Administrator" or $PermissionGroup = "Admins"

    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}




Thank you for help🙂

But I don't why it didn't detect anything...

So, I tried different ways and in my case this rule worked out and is detecting logs

 

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "SOAR"
    confidence_threshold = "50"

  events:
    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
   
    (
        $e.security_result.detection_fields.value = /"SocRole":\\s"Administrator"/ nocase
        or $e.security_result.detection_fields.value = /"PermissionGroup":\\s"Admins"/ nocase
    )

    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}
AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • October 27, 2023

Thank you for help🙂

But I don't why it didn't detect anything...

So, I tried different ways and in my case this rule worked out and is detecting logs

 

rule soar_user_creation_admin {
 
  meta:
    author = "NastyaS"
    description = "The rule detects a suspicious admin account creation"
    short_description = "New admin creation activity"
    severity = "Medium"
    priority = "Medium"
    status = "TEST"
    created_date = "2023-10-25T00:00:00Z"
    rule_version = "1.1"
    yara_version = "YL2.0"
    data_source = "SOAR"
    confidence_threshold = "50"

  events:
    $e.metadata.log_type = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.product_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.vendor_name = "CHRONICLE_SOAR_AUDIT"
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "Add User"
   
    (
        $e.security_result.detection_fields.value = /"SocRole":\\s"Administrator"/ nocase
        or $e.security_result.detection_fields.value = /"PermissionGroup":\\s"Admins"/ nocase
    )

    $e.principal.ip = $ip

  match:
    $ip over 15m

  outcome:
    $risk_score = 50

  condition:
    $e
}

Very difficult to know for certain the proposed solution I gave would work, without having the trial data to see, however the same POC worked for an alternative rule idea.

Glad you got it working in the end!

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.