Today we are going to review the third type of reference list that we can use in our YARA-L rules in Google SecOps. This one is focused on regular expressions.
Regex reference lists provide additional flexibility because they are not limited to direct string matches. This is helpful when working with file paths, command lines and other values where we need only a portion of the value to match rather than the entire value. Regex reference lists use re2 syntax, the same syntax used throughout search and rules in Google SecOps. The only difference in the syntax for regex reference lists is that the word regex is inserted before the reference list, so the expression becomes the UDM field name followed by in regex %list_name.
Follow along in the video below to see how regex reference lists can be used in a YARA-L rule.
Regex reference lists are useful when working with files, commands and folders that can vary, as well as domains and other terms where we need to match only a portion of the field. The same syntax also works in search, which makes these reference lists nice and portable. Just don’t forget that if the field values can be all upper case, all lower case or mixed case, you need a way to handle that variability in your patterns.
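To make the two points above concrete (portion-of-field matching, and the case-variability caveat), here is an added example that is not part of the original post and not Google's code. It emulates, with Python's re module, how a YARA-L condition such as $e.principal.process.command_line in regex %suspicious_cmdline_patterns evaluates a regex reference list against sample values. The list contents, the command lines and the list name are all constructed for the example; the patterns use only constructs on which re2 and Python's re agree (an assumption stated here). Each list entry is tried with a search, so a pattern only has to match part of the field, and one entry shows the inline (?i) flag that makes a single pattern case-insensitive while the others stay case-sensitive.

```python
import re

# Constructed regex reference list: one re2 pattern per line, the way a
# SecOps regex reference list stores entries. The first two entries are
# case-sensitive; the third starts with (?i) so it matches any casing.
SUSPICIOUS_CMDLINE_PATTERNS = r"""
powershell\.exe\s+.*-enc
\\Users\\[^\\]+\\AppData\\Local\\Temp\\.*\.exe
(?i)certutil(\.exe)?\s+.*-urlcache
""".strip().splitlines()

# Constructed sample UDM values for principal.process.command_line.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"POWERSHELL.EXE -nop -w hidden -enc SQBFAFgA",
    r"C:\Users\alice\AppData\Local\Temp\update.exe /silent",
    r"CertUtil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
    r"notepad.exe C:\Users\alice\notes.txt",
]


def compile_list(patterns, nocase=False):
    """Compile every non-empty entry of a regex reference list.

    nocase=True emulates handling case variability list-wide, which has the
    same effect as writing (?i) at the start of every entry.
    """
    flags = re.IGNORECASE if nocase else 0
    return [re.compile(p, flags) for p in patterns if p.strip()]


def first_match(value, compiled):
    """Return the pattern text of the first entry that matches anywhere in
    value (re.search, so a portion of the field is enough), or None.

    This is the behaviour of '<field> in regex %list' for one event value.
    """
    for rx in compiled:
        if rx.search(value):
            return rx.pattern
    return None


def evaluate(values, patterns, nocase=False):
    """Map each sample value to the matching list entry (or None)."""
    compiled = compile_list(patterns, nocase)
    return {v: first_match(v, compiled) for v in values}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- nocase={mode} ---")
        results = evaluate(SAMPLE_COMMAND_LINES, SUSPICIOUS_CMDLINE_PATTERNS, mode)
        for value, hit in results.items():
            print(f"{'HIT ' if hit else 'miss'}  {value!r:72}  <- {hit}")
```

Run as-is, the first pass shows that the upper-cased POWERSHELL.EXE line is missed by the case-sensitive entry while the CertUtil line is caught by its (?i) entry; the second pass (nocase=True) catches both. Whichever way you handle it, decide on a convention for the whole list, since a mix of case-sensitive and case-insensitive entries is easy to misread later.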
Check out these additional resources with more information and learning opportunities: