Searching for and extracting a portion of a string can be handled with a regular expression, but there are other, and in some cases more straightforward, methods to do this. Today we are going to take a look at a function that will help us extract a substring from a string based on an initial position and a length. This function can be used as you build searches and rules in Google SecOps!
The strings.substr function helps us identify a specific portion of a string without using a regular expression and then extract that value by specifying an integer position where the substring starts, followed by a length. The length argument is optional; if it is not specified, the substring continues to the end of the value in the field or variable. To capture from the first character, the start argument is the integer 1. If you specify 0, capture will still start at position 1.
A few ways this function could be used include outputting the substring to a placeholder variable that can then be used for aggregation or display in the outcome section. Another option would be to output the substring and then compare it to another string value.
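Here is an added YARA-L rule (not from the original post or the video) that shows both usages: a substring compared directly to a string in the events section, and substrings assigned to placeholders that are surfaced in the outcome section. It assumes the UDM fields principal.hostname and principal.user.userid are populated, and the "WKS" hostname prefix convention is a constructed example value.

```yaral
rule substr_hostname_prefix_example {
  meta:
    author = "added example"
    description = "Demonstrates strings.substr for filtering and for outcome aggregation"
    severity = "INFO"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.hostname != ""

    // Usage 1: compare the extracted substring to a string value.
    // strings.substr is 1-based, so (1, 3) is the first three characters.
    // A start of 0 would also begin at position 1.
    strings.substr($e.principal.hostname, 1, 3) = "WKS"

    // Usage 2: store substrings in placeholders for the outcome section.
    // Three-argument form: start at character 4, take 3 characters (constructed "site code").
    $site_code = strings.substr($e.principal.hostname, 4, 3)
    // Two-argument form: no length, so the substring runs to the end of the hostname.
    $host_suffix = strings.substr($e.principal.hostname, 7)

    $user = $e.principal.user.userid

  match:
    $user over 1h

  outcome:
    // Aggregate the extracted values per user for display and triage.
    $site_codes = array_distinct($site_code)
    $host_suffixes = array_distinct($host_suffix)
    $login_count = count($e.metadata.id)

  condition:
    $e
}
```

For a hostname such as WKSNYC01234 (constructed), $site_code would hold "NYC" and $host_suffix would hold "01234".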
Follow along in this video to see how we can apply strings.substr to our searches and rules.
strings.substr extracts a substring from a field or variable based on a start position and length. The output of this function can be used to filter a specific value or extract a substring that can be used for aggregation or used in the outcome section of a rule or search. There are other methods to extract portions of strings including using a regular expression. The point is there isn’t a single right way to solve a problem, but this provides another tool to assist you during hunts and investigations!
Check out these additional resources with more information and learning opportunities: