Hi everyone, 

I'm currently working on a detection which has "additional_fields" for permissions that were added to a user, e.g.:

  • $udm.additional.fields["permissions_added_permissionA"]
  • $udm.additional.fields["permissions_added_permissionB"]
  • $udm.additional.fields["permissions_added_permissionC"]

Each permission will then contain a specific permission type, e.g. Read, Write, Admin, etc. as shown below:

I can create a detection by explicitly extracting each and every field and creating a regex to look for the permission types individually, but that can lead to missed fields either now or in the future if additional ones are added. 

Is there a way to loop through every additional field which starts with "permissions_added" and look for "write" or "admin" permissions?

TIA!

This is a good way to walk through an array of values.


rule check_array_values {
  meta:
    author = "Your Name/Organization"
    description = "Checks if all values in a specific array field match expected values."
    severity = "LOW" // Adjust severity as needed
    priority = "MEDIUM" // Adjust priority as needed

  events:
    $e.metadata.event_type = "YOUR_EVENT_TYPE" // Replace with your event type

    // The repeated field must be present and non-empty (arrays.length is assumed
    // to be usable on this field in the events section).
    arrays.length($e.YOUR_ARRAY_FIELD) > 0

    // ALL elements must be one of the expected values; "all" is the YARA-L 2.0
    // repeated-field modifier. Replace "expected_value1", etc. with your values.
    all $e.YOUR_ARRAY_FIELD = /^(expected_value1|expected_value2|expected_value3)$/

  outcome:
    $message = "All array values matched the expected set"

  condition:
    $e
}


rule check_array_for_specific_value {
  meta:
    author = "Your Name/Organization"
    description = "Checks if a specific value exists within an array field."
    severity = "MEDIUM"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "YOUR_EVENT_TYPE"

    // ANY element equal to the value is enough; "any" is the YARA-L 2.0
    // repeated-field modifier (a bare comparison on a repeated field behaves the same).
    any $e.YOUR_ARRAY_FIELD = "specific_value"

  outcome:
    $matched_value = "specific_value"

  condition:
    $e
}


 


How would I create the array based on a regex initially? I.e. how would I be able to add all of the additional fields starting with "permissions_added" to the array without doing it explicitly?

 


Hi @_K_O,

Does the below solve your use case?

(additional.fields.key = /permissions_added/ and additional.fields.value.string_value = /^write$|^admin$/)

Kind Regards,

Ayman



Hi @AymanC

Thanks for the reply! When I try using that method, I get a compilation error stating that the key cannot be used in that fashion:


Hi @_K_O,

That's a shame, seems like it compiles in the normal search. May be worth mapping (if it makes sense) to security_result.detection_fields (it works when using the combination in rules), and then utilising the mentioned method, seems like additional.fields isn't compatible with this currently.

Kind Regards,

Ayman
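The loop the question asks for, written outside the rule engine as an added example (not code from anyone in this thread) so the logic can be tested against exported UDM events: every additional.fields key containing permissions_added is inspected, and any value that is write or admin is reported, matched case-insensitively here because the events carry "Read"/"Write"/"Admin" (the search query above uses a case-sensitive literal regex). The event shape, user ids and values are constructed, and field_string_value is a helper that accepts both the flat map form from the question and the string_value form from the search syntax.

```python
import re
from typing import Any, Dict, List, Optional

# Key regex is unanchored like the search query in the thread; the value regex is
# anchored and case-insensitive because events carry "Read"/"Write"/"Admin".
KEY_RE = re.compile(r"permissions_added")
RISKY_VALUE_RE = re.compile(r"^(write|admin)$", re.IGNORECASE)

def field_string_value(raw: Any) -> Optional[str]:
    """Accept both map forms: "key": "Write" and "key": {"string_value": "Write"}."""
    if isinstance(raw, str):
        return raw
    if isinstance(raw, dict) and isinstance(raw.get("string_value"), str):
        return raw["string_value"]
    return None  # int/bool/nested values are not permission types

def risky_permissions(event: Dict[str, Any]) -> Dict[str, str]:
    """Return key -> value for every permissions_added_* field that grants write or admin."""
    fields = (event.get("additional") or {}).get("fields") or {}
    hits: Dict[str, str] = {}
    for key, raw in fields.items():  # no key is named up front, so new keys are covered
        value = field_string_value(raw)
        if KEY_RE.search(key) and value is not None and RISKY_VALUE_RE.match(value):
            hits[key] = value
    return hits

def detect(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One alert per event with at least one risky grant, keyed by the target user."""
    alerts = []
    for ev in events:
        hits = risky_permissions(ev)
        if hits:
            user = ((ev.get("target") or {}).get("user") or {}).get("userid")
            alerts.append({"user": user, "fields": hits})
    return alerts

# Constructed sample events (not real telemetry), shaped like the UDM map lookup in the question.
SAMPLE_EVENTS = [
    {"target": {"user": {"userid": "alice"}}, "additional": {"fields": {
        "permissions_added_permissionA": "Read", "permissions_added_permissionB": {"string_value": "Write"}}}},
    {"target": {"user": {"userid": "bob"}}, "additional": {"fields": {
        "permissions_added_permissionA": "Read", "permissions_removed_permissionB": "Admin"}}},
    {"target": {"user": {"userid": "carol"}}, "additional": {"fields": {
        "permissions_added_permissionZ": "ADMIN", "permissions_added_count": {"int_value": 3}}}},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```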

