Getting to Know Google SecOps: Regular Expression Function: re.regex

We have covered regular expressions in rules before; today we introduce the re.regex function, which can be used in both rules and search. It is helpful when only a portion of a field's value should decide whether a rule triggers, rather than the whole string.

[Image: Function - re.regex]

The function re.regex uses the RE2 regular expression engine and is equivalent to comparing a field against a regular expression enclosed in forward slashes. The syntax is re.regex followed, in parentheses, by the field we are looking within and then the RE2 expression we expect to find, with the expression enclosed in backticks. A few points a rule author should keep in mind: the match is a substring match, so the pattern is found anywhere in the field unless it is anchored with ^ and $; matching is case-sensitive unless the pattern starts with (?i); and RE2 deliberately omits backreferences and lookaround, so patterns that rely on them will not be accepted. re.regex is a great way to identify values of interest, particularly in fields that contain user-entered values or folder structures, where part of the value is predictable and the rest is variable.

Follow along in the video below to see how re.regex can be used in a YARA-L rule.

re.regex returns a boolean, so it can also be nested inside the if() function (if(condition, then_value, else_value)) in the outcome section to set a score or label based on a partial match. It is most often used where fields vary because of user input or folder structures, but it can be used anywhere a regular-expression test on a string field is needed.
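The hypothetical YARA-L 2.0 rule below is an added example, not code from the original post or from Google's documentation. It uses re.regex in both places described above: in the events section, to test only the directory portion of a process path while ignoring the variable user-name segment, and nested inside if() in the outcome section, to raise the risk score when the file extension looks like a script. The event type, UDM field paths, match window, extensions and score values are assumptions chosen for illustration.

```yaral
rule added_example_process_launch_from_user_temp {

  meta:
    author = "added example"
    description = "Process launched from a user's Temp folder; script extensions scored higher (assumed values)"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $host = $e.principal.hostname

    // Only the directory portion of the path decides whether the event qualifies.
    // The user name between \Users\ and \AppData\ is variable, so [^\\]+ absorbs it.
    // (?i) makes the match case-insensitive; re.regex is case-sensitive by default.
    // The pattern is unanchored, so it matches anywhere in the full path.
    re.regex($e.target.process.file.full_path, `(?i)\\users\\[^\\]+\\appdata\\local\\temp\\`)

  match:
    $host over 10m

  outcome:
    // re.regex nested in if(): a script-like extension (assumed list) raises the score.
    // $ anchors the test to the end of the path so only the extension is considered.
    $risk_score = max(if(re.regex($e.target.process.file.full_path, `(?i)\.(ps1|vbs|js|bat)$`), 70, 30))
    $paths = array_distinct($e.target.process.file.full_path)

  condition:
    $e
}
```

Because the expression sits in backticks, the regex backslashes are written once, as RE2 expects; the doubled backslash in the pattern is the RE2 escape for a literal backslash in the Windows path, not YARA-L string escaping. The events-section test could equally be written as $e.target.process.file.full_path = /.../, which is the forward-slash form the function is equivalent to.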

[Image: Function - re.regex (1)]

Check out these additional resources with more information and learning opportunities:

Last update:
‎06-24-2024 10:20 AM