Rule condition not working for ingestion_labels without KV, but KV works

Hi ​@desertfalcon 

Thanks for your post. Full disclosure, I am using Gemini to provide you with a response. Please double check the answer before fully implementing. And let me know if this solves your problem. 

The reason the first condition works and the second doesn't is based on the underlying data structure of the UDM (Unified Data Model):

• ingestion_kv_labels: This is a map/key-value structure. When you reference it with a specific key, you are looking at a singular value that can be directly compared.

• ingestion_labels: This is a repeated field (a list/array). In YARA-L, you cannot use a direct inequality operator ($!=$) against a list to exclude a specific value because of how the rule engine iterates through the array.

If a log has labels ["sample 1", "production"], the condition $e.metadata.ingestion_labels.value != "sample 1" evaluates to true for the "production" element, causing the event to be included in your results even though "sample 1" is present.

The Solution: Using none or any

To correctly filter out events that contain a specific non-KV ingestion label, you must use a quantifier.

To Exclude a Label:

Use the none quantifier. This ensures that no element in the list matches the string.

Code snippet

none $e.metadata.ingestion_labels.value = "sample 1"

To Include a Label:

If you want to ensure at least one label matches, you should use:

Code snippet

any $e.metadata.ingestion_labels.value = "sample 1"

In Summary

• Syntax Correction: Change $e.metadata.ingestion_labels.value != "sample 1" to none $e.metadata.ingestion_labels.value = "sample 1".

• Behavior: Non-KV ingestion labels are treated as arrays. Direct comparison ($!=$) fails on arrays because if any other element in the list doesn't match "sample 1", the whole condition returns true.