YARA-L rule to loop through specific additional_fields keys

Hi everyone, 

I'm currently working on a detection which has "additional_fields" for permissions that were added to a user, e.g.:

  • $udm.additional.fields["permissions_added_permissionA"]
  • $udm.additional.fields["permissions_added_permissionB"]
  • $udm.additional.fields["permissions_added_permissionC"]

Each permission will then contain a specific permission type, e.g. Read, Write, Admin, etc. as shown below:

[attached screenshot of the permission values, not reproduced here]

I can create a detection by explicitly extracting each and every field and creating a regex to look for the permission types individually, but that can lead to missed fields either now or in the future if additional ones are added. 

Is there a way to loop through every additional field which starts with "permissions_added" and look for "write" or "admin" permissions?

TIA!
