Getting to Know Google SecOps: Regular Expression Function: re.replace

This post introduces the function re.replace, which replaces the portion of a value that matches a regular expression with another value, letting you reshape data inside Google SecOps rules and searches. As an added bonus, we build on the previous video, where we decoded base64 strings, and use re.replace to strip the null bytes that decoding leaves behind so the result is easier to analyze further in a rule.


re.replace works in concert with other functions and placeholders, and the adjusted value of a field can then be compared against other events or against reference lists. The function takes three arguments, in this order: the input string (often a UDM field), the regular expression to match, and the replacement value. Every non-overlapping match of the expression is replaced; if nothing matches, the input string is returned unchanged.

Follow along in the video below to see how re.replace can be used in a YARA-L rule.

re.replace lets us swap a portion of a field's value for another value and then use the result elsewhere in our search or YARA-L rule. An empty replacement string removes the matched portion entirely, for example stripping the domain from an email address so that only the user name is returned. The output can be written to a placeholder or an outcome variable, and the call can be nested with other functions, which gives a great deal of flexibility when working with data.
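The rule below is an added example illustrating both uses described above (it is not code from the original post or the video). It assumes that the encoded PowerShell argument appears in $e.target.process.command_line after a flag such as -enc or -EncodedCommand, that $e.principal.user.userid holds a UPN-style value like alice@example.com, and that in double-quoted YARA-L strings a literal backslash must be written as "\\", so the null byte pattern is "\\x00". The rule name and meta values are placeholders.

```yaral
rule re_replace_decoded_command_by_user {
  meta:
    // Placeholder metadata for this added example.
    author = "added example"
    description = "Decodes a base64 -enc argument, strips the UTF-16LE null bytes, and groups by user name"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    // Assumption: the base64 payload follows an -enc / -EncodedCommand style flag
    // in target.process.command_line. re.capture returns the first capture group,
    // strings.base64_decode decodes it, and re.replace removes the null bytes
    // that UTF-16LE leaves between ASCII characters. Functions nest, so the whole
    // chain lands in one placeholder.
    re.replace(
      strings.base64_decode(
        re.capture($e.target.process.command_line, "(?i)-enc[a-z]* ([A-Za-z0-9+/=]+)")
      ),
      "\\x00",
      ""
    ) = $decoded

    // Keep only decoded commands that look like a download cradle (case-insensitive).
    re.regex($decoded, "(?i)(invoke-webrequest|downloadstring|iex)")

    // Assumption: userid carries a UPN such as alice@example.com. Replacing
    // "@.*$" with "" leaves just the user name, which becomes the match key.
    re.replace($e.principal.user.userid, "@.*$", "") = $user

  match:
    $user over 1h

  outcome:
    $decoded_commands = array_distinct($decoded)
    $launch_count = count($e.metadata.id)

  condition:
    $e
}
```

Because $user is produced by re.replace rather than read directly from the field, the same person showing up as alice@corp.example and alice@example.com is grouped under one key; the stripped-domain value can also be compared against a reference list of known admin accounts in the events section.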


Check out these additional resources with more information and learning opportunities:

Last update: 08-16-2024 10:14 AM