This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Check out the new Professional Security Operations Engineer certification beta!
Log in to ask a question

How to sort an array in YARA-L outcome section?

Posted on 12-19-2024 06:13 AM
rrazdan
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hey Folks, Happy Holidays !!!

I am trying to look for a way to sort an array of integers in increasing order in the outcome section of my rule. The reason to do that is to specifically look for an indexed value which can only be found when the array is sorted in the increasing order.

My outcome section looks something like this and I am looking to sort the $Session_Diff array

$Session_Diff = array($NextLoginTime - $PreviousLogoffTime)
$Deltas = arrays.size($Session_Diff)
$count_previous_events = count_distinct($previous.metadata.event_timestamp.seconds)
$count_events = $count_previous_events + 1
$pointer = $count_events - 2
$final_result = arrays.index_to_int($Session_Diff, $pointer)
 
Thanks in advance.
0 2 439
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @rrazdan,

Unfortunately, I don't believe there's a function out of the box to achieve this.

I would suggest opening a Feature Request for a function that does what you're requesting.

Kind Regards,

Ayman

0 Likes

Posted on --/--/---- --:-- AM
rajukg
Staff
In response to AymanC
Reply posted on --/--/---- --:-- AM

Even if we implement array.sort we can't use it in the outcome section.

To implement the array.sort we have to call UNNEST (remember that the rule definitions convert to SQL statements) but an UNNEST can't act on an aggregation, so any array derived from aggregation functions can't be used with this implementation of array.sort()

 We automatically sort outcome arrays after we get the SQL result back when we convert the SQL result to detections, so any sorting we do in the SQL will just get overridden by this.

But something like array.index_to_string(array.sort(strings.split("c,b,a"), ",")), 0) in the events section will work (yields "a").  So if we implement this array.sort it will work in the events section only but not in the outcome section.  This is assuming I am writing the code to translate the array.sort using the UNNEST.  I am not sure if there is another way to do this in SQL.

0 Likes
Top Solution Authors
View all