Hi everyone,
I'm currently working on a detection which has "additional_fields" for permissions that were added to a user, e.g.:
Each permission will then contain a specific permission type, e.g. Read, Write, Admin, etc. as shown below:
I can create a detection by explicitly extracting each and every field and creating a regex to look for the permission types individually, but that can lead to missed fields either now or in the future if additional ones are added.
Is there a way to loop through every additional field which starts with "permissions_added" and look for "write" or "admin" permissions?
TIA!
This is a good way to walk through an array of values.
rule check_array_values {
  meta:
    author = "Your Name/Organization"
    description = "Checks if all values in a specific array field match expected values."
    severity = "LOW" // Adjust severity as needed
    priority = "MEDIUM" // Adjust priority as needed
  events:
    $e.metadata.event_type = "YOUR_EVENT_TYPE" // Replace with your event type
    $array_field = $e.YOUR_ARRAY_FIELD // Replace with your array field
  match:
    // Check if the array exists and is not empty.
    $array_field != null and array_length($array_field) > 0
    // Check if ALL array elements match expected values.
    // Replace "expected_value1", "expected_value2", etc. with your desired values.
    not any($array_field, $value, $value != "expected_value1" and $value != "expected_value2" and $value != "expected_value3")
  outcome:
    $matched_values = $array_field
    $message = "Array values checked: " + to_string($matched_values)
    return $message
}

rule check_array_for_specific_value {
  meta:
    author = "Your Name/Organization"
    description = "Checks if a specific value exists within an array field."
    severity = "MEDIUM"
    priority = "HIGH"
  events:
    $e.metadata.event_type = "YOUR_EVENT_TYPE"
    $array_field = $e.YOUR_ARRAY_FIELD
  match:
    $array_field != null and array_contains($array_field, "specific_value")
  outcome:
    $matched_value = "specific_value"
    $message = "Specific value found in array: " + to_string($matched_value)
    return $message
}
How would I create the array based on a regex initially? I.e. how would I be able to add all of the additional fields starting with "permissions_added" to the array without doing it explicitly?
Hi @_K_O,
Does the below solve your use case?
(additional.fields.key = /permissions_added/ and additional.fields.value.string_value = /^write$|^admin$/)
Kind Regards,
Ayman
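As an added illustration (not code from the thread, and not a YARA-L rule), the key-regex plus value-regex pairing above can be prototyped in Python over constructed UDM-shaped events to check the logic before writing the rule; the event type and the field values are assumptions, and the anchored value regex is what keeps a value like "read-write" from matching.

```python
import re

# Constructed sample events shaped like UDM additional.fields entries
# (not captured from a real tenant; event type is an assumption).
SAMPLE_EVENTS = [
    {"metadata": {"event_type": "USER_RESOURCE_UPDATE_PERMISSIONS"},
     "additional": {"fields": [
         {"key": "permissions_added_1", "value": {"string_value": "Read"}},
         {"key": "permissions_added_2", "value": {"string_value": "Write"}},
         # removed permission must NOT be flagged even though its value is Admin
         {"key": "permissions_removed_1", "value": {"string_value": "Admin"}},
     ]}},
    {"metadata": {"event_type": "USER_RESOURCE_UPDATE_PERMISSIONS"},
     "additional": {"fields": [
         {"key": "permissions_added_1", "value": {"string_value": "Read"}},
         # substring "write" only; anchored regex should not match it
         {"key": "permissions_added_2", "value": {"string_value": "read-write"}},
     ]}},
    {"metadata": {"event_type": "USER_RESOURCE_UPDATE_PERMISSIONS"},
     "additional": {"fields": [
         {"key": "permissions_added_1", "value": {"string_value": "ADMIN"}},
     ]}},
]

# Same two patterns as the proposed UDM search: key prefix, exact value.
KEY_RE = re.compile(r"^permissions_added")
VALUE_RE = re.compile(r"^(write|admin)$", re.IGNORECASE)


def risky_permissions(event):
    """Return [(key, value)] for every additional.fields entry whose key starts
    with permissions_added and whose value is exactly write or admin."""
    hits = []
    for field in event.get("additional", {}).get("fields", []):
        key = field.get("key", "")
        value = field.get("value", {}).get("string_value", "")
        if KEY_RE.search(key) and VALUE_RE.search(value):
            hits.append((key, value))
    return hits


def detect(events):
    """Index of each event that would fire, with the fields that triggered it."""
    results = []
    for idx, event in enumerate(events):
        hits = risky_permissions(event)
        if hits:
            results.append((idx, hits))
    return results
```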
Hi @AymanC,
Thanks for the reply! When I try using that method, I get a compilation error stating that the key cannot be used in that fashion:
Hi @_K_O,
That's a shame, seems like it compiles in the normal search. May be worth mapping (if it makes sense) to security_result.detection_fields (it works when using the combination in rules), and then utilising the mentioned method; seems like additional.fields isn't compatible with this currently.
Kind Regards,
Ayman