semantic analysis: match variable encoded_value is not assigned to an event field - help required

Hi all,


I am having an issue with the error message in the title field and some help would be really appreciated.


I have written a YARA-L rule in Chronicle which captures various matching PowerShell commands and decodes the successful match using the strings.base64.decode function. I followed the guidance on (https://chronicle.security/blog/posts/new-to-chronicle-capturing-strings-for-additional-analysis/) and also created a shortened version of my base rule to test the syntax and it worked absolutely fine. Yet when I try to save the main master rule (below), I receive an error which after troubleshooting has not progressed much. Any help on why the encoded_value variable needs assigning to a placeholder would be helpful, despite the fact I have used the exact same line in a much shorter detection rule without an error.


To summarise, the rule is looking for the presence of base64 strings used in the command line, then capturing those true positive strings and assigning them to a variable called encoded_value.


Many thanks

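The pattern the post describes, written out as an added example rather than the poster's own rule (which is not included on the page): the base64 argument is captured into a placeholder with re.capture in the events section, the match section keys on an event field (hostname), and the decode happens only in the outcome section. The rule name, meta values, 5-minute window and risk score are my assumptions; the UDM field names are standard Chronicle fields.

```yaral
rule powershell_encoded_command_decode {

  meta:
    author = "added example, not the original poster's rule"
    description = "Capture the base64 argument of an encoded PowerShell command line and decode it in the outcome section"
    severity = "MEDIUM"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"

    // Only keep command lines that look like PowerShell with an encoded-command flag
    // (-e, -ec, -enc, -EncodedCommand) followed by a base64 blob of at least 20 chars.
    re.regex($process.principal.process.command_line, `(?i)(powershell|pwsh).*\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{20,}={0,2}`)

    // re.capture returns the first capture group: the base64 blob only, not the whole command line.
    $encoded_value = re.capture($process.principal.process.command_line, `(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{20,}={0,2})`)

    // The variable used in the match section is assigned directly to an event field.
    $hostname = $process.principal.hostname

  match:
    $hostname over 5m

  outcome:
    // Decode in the outcome section, aggregated because a match window is in use.
    // PowerShell -EncodedCommand is base64 of UTF-16LE text, so the decoded string
    // carries interleaved NUL bytes between characters; ASCII keywords are still visible in it.
    $decoded_command = array_distinct(strings.base64_decode($encoded_value))
    $encoded_command = array_distinct($encoded_value)
    $risk_score = max(65)

  condition:
    $process
}
```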