Is there any way in Yara-L to check if a UDM field contains a substring of another UDM field? The following example shows a use case for this and the question I am trying to ask of the data:
rule variable_testing {
meta:
author ="amalone"
description ="Test to see if we can find a substring of one UDM field inside another udm field"
severity ="Low"
events:
$file.metadata.event_type ="FILE_MODIFICATION"
$file.principal.hostname =$hst
// Get the name of the file involved in the file modification
Is it possible to see if a UDM field contains a substring of another UDM field? For example, I have a file modification where I grab the name
of the file using the re.capture function. I want to match this event with a process launch event on the same host where the target.proccess.command_line
contains the name of the file from the file modifcation. The following two lines are syntactically incorrect but demonstrate the idea of what im trying to accomplish.
Looks like I was beaten to the punch, but since I already prepped this I'll throw it in here with the hope that this makes things even more clear.
The logic in the original post appears like it should work. I adapted it to some sample data we have in our demo instance. I kept this to a single event, but the logic remains identical.
The rule:
rule variable_testing {
meta:
author = "amalone and now eugene"
description = "Test using variable in various positions of the regex function"
severity = "Low"
events:
$event.metadata.event_type = "PROCESS_LAUNCH"
$event.metadata.product_name = "Microsoft-Windows-Sysmon"
$hostname = strings.to_lower($event.principal.hostname) // going to be "danieljones-pc"
$name_substring = strings.to_lower(re.capture($event.principal.hostname, "^([^-]*)")) // should pick up "danieljones
$fullpath = $event.src.file.full_path // should be "C:\\Users\\danieljones\\Desktop\\"
re.regex($fullpath, $name_substring) // checks to see if "danieljones" exists in the fullpath
outcome:
$Unaltered_Hostname = $hostname
$Extracted_Username = $name_substring
$Full_Path = $fullpath
condition:
$event
}
And here are some of the resulting detections along with the pertinent fields displayed (seems I can't upload images so here is a table):
As I read this, it sounds like you are trying to extract a value from one field in one event, extract a value from another field in another event (maybe same field, maybe different) and make them part of your join to determine if the rule will fire. Below is an adaptation of what I think you are attempting but using some data I had handy that I was working with.
In my example, we have Azure and O365 events and I want to correlate them together since they are very similar but in my case the action i am isolating on is in the metadata.description field in one event and in the other it is in the product_event_type (I will be looking into that later!). Notice I also pulled in line 7 and in line 15 the actual values (which are admittedly similar, but wanted to show you what those look like.)
Lines 9 and 17 have the captures. I am just looking for "service principal" with a leading space in both to illustrate the point. I suspect the regex to do the capture might be where things are getting dicey.
In the match, I am using that substring and the vendor name (mainly because I don't have a great userid or ip in both events in this example, so vendor worked in a pinch for a join, but hopefully you get the idea.
Jumping down to the condition section, I added the not array.contains because I was getting some null values in my match for some reason, so that was mainly to strike any extra noise.
rule variable_testing {
meta:
events:
$event1.metadata.event_type = "STATUS_UPDATE"
$event1.metadata.product_name = "Azure AD Directory Audit"
//$event1.metadata.description = "Update service principal"
$event1.metadata.description != ""
re.capture($event1.metadata.description, `\\s(service.principal)`) = $substring
$event1.metadata.vendor_name = $vendor
$event2.metadata.event_type = "USER_UNCATEGORIZED"
$event2.metadata.product_name = "Office 365"
//$event2.metadata.product_event_type = "Update service principal."
$event2.metadata.product_event_type != ""
re.capture($event2.metadata.product_event_type, `\\s(service.principal)`) = $substring
$event2.metadata.vendor_name = $vendor
match:
$substring, $vendor over 1m
outcome:
$sub = array_distinct($substring)
condition:
$event1 and $event2 and not arrays.contains($sub, "")
}
One final thing. I use this example in our rules workshop and I have found this to be useful for capturing the process, ie powershell.exe or calc.exe. Note that the forward slashes at the front and end could be swapped with ` instead.
Looks like I was beaten to the punch, but since I already prepped this I'll throw it in here with the hope that this makes things even more clear.
The logic in the original post appears like it should work. I adapted it to some sample data we have in our demo instance. I kept this to a single event, but the logic remains identical.
The rule:
rule variable_testing {
meta:
author = "amalone and now eugene"
description = "Test using variable in various positions of the regex function"
severity = "Low"
events:
$event.metadata.event_type = "PROCESS_LAUNCH"
$event.metadata.product_name = "Microsoft-Windows-Sysmon"
$hostname = strings.to_lower($event.principal.hostname) // going to be "danieljones-pc"
$name_substring = strings.to_lower(re.capture($event.principal.hostname, "^([^-]*)")) // should pick up "danieljones
$fullpath = $event.src.file.full_path // should be "C:\\Users\\danieljones\\Desktop\\"
re.regex($fullpath, $name_substring) // checks to see if "danieljones" exists in the fullpath
outcome:
$Unaltered_Hostname = $hostname
$Extracted_Username = $name_substring
$Full_Path = $fullpath
condition:
$event
}
And here are some of the resulting detections along with the pertinent fields displayed (seems I can't upload images so here is a table):
As I read this, it sounds like you are trying to extract a value from one field in one event, extract a value from another field in another event (maybe same field, maybe different) and make them part of your join to determine if the rule will fire. Below is an adaptation of what I think you are attempting but using some data I had handy that I was working with.
In my example, we have Azure and O365 events and I want to correlate them together since they are very similar but in my case the action i am isolating on is in the metadata.description field in one event and in the other it is in the product_event_type (I will be looking into that later!). Notice I also pulled in line 7 and in line 15 the actual values (which are admittedly similar, but wanted to show you what those look like.)
Lines 9 and 17 have the captures. I am just looking for "service principal" with a leading space in both to illustrate the point. I suspect the regex to do the capture might be where things are getting dicey.
In the match, I am using that substring and the vendor name (mainly because I don't have a great userid or ip in both events in this example, so vendor worked in a pinch for a join, but hopefully you get the idea.
Jumping down to the condition section, I added the not array.contains because I was getting some null values in my match for some reason, so that was mainly to strike any extra noise.
rule variable_testing {
meta:
events:
$event1.metadata.event_type = "STATUS_UPDATE"
$event1.metadata.product_name = "Azure AD Directory Audit"
//$event1.metadata.description = "Update service principal"
$event1.metadata.description != ""
re.capture($event1.metadata.description, `\\s(service.principal)`) = $substring
$event1.metadata.vendor_name = $vendor
$event2.metadata.event_type = "USER_UNCATEGORIZED"
$event2.metadata.product_name = "Office 365"
//$event2.metadata.product_event_type = "Update service principal."
$event2.metadata.product_event_type != ""
re.capture($event2.metadata.product_event_type, `\\s(service.principal)`) = $substring
$event2.metadata.vendor_name = $vendor
match:
$substring, $vendor over 1m
outcome:
$sub = array_distinct($substring)
condition:
$event1 and $event2 and not arrays.contains($sub, "")
}
One final thing. I use this example in our rules workshop and I have found this to be useful for capturing the process, ie powershell.exe or calc.exe. Note that the forward slashes at the front and end could be swapped with ` instead.
This is a great example for when the value we are looking for inside the UDM fields is known and we will definitely use it in the future!
In my case the values matched by the regex may not be the same every time. What I am looking for is somewhat of a contains function in regards to a udm field. So in pseudo code I could do something like this:
$file.metadata.event_type ="FILE_MODIFICATION"
$file.principal.hostname =$hst
// Get the name of the file involved in the file modification
Looks like I was beaten to the punch, but since I already prepped this I'll throw it in here with the hope that this makes things even more clear.
The logic in the original post appears like it should work. I adapted it to some sample data we have in our demo instance. I kept this to a single event, but the logic remains identical.
The rule:
rule variable_testing {
meta:
author = "amalone and now eugene"
description = "Test using variable in various positions of the regex function"
severity = "Low"
events:
$event.metadata.event_type = "PROCESS_LAUNCH"
$event.metadata.product_name = "Microsoft-Windows-Sysmon"
$hostname = strings.to_lower($event.principal.hostname) // going to be "danieljones-pc"
$name_substring = strings.to_lower(re.capture($event.principal.hostname, "^([^-]*)")) // should pick up "danieljones
$fullpath = $event.src.file.full_path // should be "C:\\Users\\danieljones\\Desktop\\"
re.regex($fullpath, $name_substring) // checks to see if "danieljones" exists in the fullpath
outcome:
$Unaltered_Hostname = $hostname
$Extracted_Username = $name_substring
$Full_Path = $fullpath
condition:
$event
}
And here are some of the resulting detections along with the pertinent fields displayed (seems I can't upload images so here is a table):
This solves the problem and it seems like this works in our environment as well. In my environment it seems it will accept 1 and not 2 due to not using a placeholder event variable:
