Yara-L: Output the exact value for repeated field that was found in data table

Question

Hey, I want to output (with outcome section) the exact value for the repeated field (e.g. target.ip) that was found in the data table with IN operator.Is it even possible? Maybe you have some suggestions?Example rule:rule rule_name {  meta:        severity = "MEDIUM"    events:        $e.metadata.event_type = "NETWORK_CONNECTION"        $e.target.ip = $target_ip        $target_ip IN %dt.ioc    outcome:        $matched_value = ? // one of the IPs from target_ip that was actually found in data table    condition:        $e}

nazarii-plebanskyi · Accepted Answer

That’s correct, my test environment contains several events with multiple IPs in target.ip field.

But actually it seems like in the outcome we get only the “correct” IP, so no problem anymore 😀
Example of my rule if anyone is curious:

rule rule_123 {
    meta:
        ...

    events:
        $e.metadata.event_type = "NETWORK_CONNECTION"
        $ioc = $e.target.ip
        %dt_123.type = "ip"
        %dt_123.ioc = $ioc

    match:
        $ioc over 1m

    outcome:
        $ioc_value = array($ioc)

    condition:
        $e
}

AbdElHafez · Answer

Hi ​@nazarii-plebanskyi,So your events have multiple target.ip fields not just the only zero index one target.ip[0] ?and you want to outcome only the ip that is present in your data table instead of All the existing target.ip[*] ?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded