Getting to Know Google SecOps: Functions: Network

Let's look at how we can use the CIDR network function or as it is called in YARA-L, net.ip_in_range_cidr, for use in rule building in Google SecOps.

[Image: Network Function - CIDR.png]

The net.ip_in_range_cidr function supports both IPv4 and IPv6 addresses. To use the function, we provide the UDM field that holds the IP address, followed by the subnetwork range in CIDR notation enclosed in quotes. The output of this function is a boolean.

By using this network function within the events section of our rule, we can easily focus a rule on specific netblocks. No matter which direction traffic is flowing, this network function can simplify your rule writing. Rather than crafting large regex strings to focus rules on specific netblock ranges, this network function is more performant while being simpler to write and troubleshoot.

Follow along in the video below to see how net.ip_in_range_cidr can be used to focus rules to specific netblocks in a YARA-L rule.

Remember that the strings.coalesce function is for use with string fields and constants and returns the first non-null value, so the order of the values passed to the function is important. The video focused on using coalesce in the events and match sections, but it can also be used within the outcome section of a rule.

Remember that this function can be used with both IPv4 and IPv6. The syntax is straightforward: it takes a field and the CIDR range of interest. Because the output is a boolean, we don't need to compare the function's result to anything else.
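The rule below is an added example written for this post, not a rule shipped by Google SecOps or shown in the video. It pulls together both points above: net.ip_in_range_cidr used as a stand-alone boolean condition in the events section (for both IPv4 and IPv6 ranges, and negated to express "not inside this netblock"), and strings.coalesce used to build a match variable with an ordered fallback. The rule name, the choice of port 3389, the RFC 1918 and fc00::/7 ranges, and the hostname fallback order are all assumptions chosen for illustration.

```yaral
// Added example, not from the original post. Detects RDP (3389) connections
// whose source sits in a private IPv4 range or the IPv6 unique-local range
// while the destination does not, i.e. private-to-public RDP.
rule private_to_external_rdp_added_example {
  meta:
    author = "added example for illustration"
    description = "RDP from a private source address to a non-private destination"
    severity = "LOW"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.port = 3389

    // net.ip_in_range_cidr returns a boolean, so each call stands alone as a
    // condition; no "= true" comparison is needed. Ranges are assumptions.
    (
      net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8") or
      net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12") or
      net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16") or
      net.ip_in_range_cidr($e.principal.ip, "fc00::/7")
    )

    // Negating the same function excludes destinations inside those netblocks.
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "fc00::/7")

    // strings.coalesce returns the first non-null value, so order matters:
    // prefer the event hostname, then the asset hostname, then a constant.
    $host = strings.coalesce($e.principal.hostname, $e.principal.asset.hostname, "unknown-host")

  match:
    $host over 1h

  outcome:
    // Aggregations over the matched window for triage context.
    $distinct_targets = count_distinct($e.target.ip)
    $target_ips = array_distinct($e.target.ip)

  condition:
    $e
}
```

Each range check is a separate function call rather than one large regex, which is the performance and readability point the post makes; adding or removing a netblock is a one-line change, and the negated calls make the "outbound from private space" direction explicit without any string matching.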

[Image: Network Function - CIDR (1).png]

Check out these additional resources with more information and learning opportunities:

Last update: 04-01-2024 11:59 AM