Yara-L split regex match

Hello Community,

We are stuck on a simple but confusing part of regex/strings within Chronicle; the documentation doesn't specifically mention this part.

We are trying to match a field_A value with part of field_B's value.
Ex:

$originalfile.field_A = "test.py"
$secondaryfilefullpath = "etc/somedirectory/test.py"

What is the best way to match this? Split off the end part of the string, store it and then compare? How can this be achieved? It would be great if I could get a lead here.

Thank you!

1 ACCEPTED SOLUTION

There isn't a single way to do this (for better or worse), so here is how I do it. You can put the comparison of the two strings on the same line; however, having them broken out on separate lines as you are building it allows you to throw that placeholder variable ($common_file) into the outcome section to view the output and tune the regex if needed.

What I like to do is get the first part of the rule triggering, then the second part, and then put the join together last when I know those two values are being regex'd correctly, but that's just me.

While nocase should work, using what I outlined above, I prefer to use strings.to_lower (or upper) on the captured value so I know I have the case I want when I compare them. You can use case insensitivity using re2 or nocase, but I like strings.to_lower better in this example.

Hope this helps.

rule rule_comparison_using_re_capture_between_files {

  meta:
    author = "Google Cloud Security"

  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.metadata.log_type = "WINDOWS_SYSMON"
    $process.principal.hostname = $hostname
    strings.to_lower(re.capture($process.principal.process.file.full_path, `(?:.*[\\/])?([^\\/]+\.exe)`)) = $common_file

    $other_process.metadata.event_type = "PROCESS_LAUNCH"
    $other_process.metadata.log_type != "WINDOWS_SYSMON"
    $other_process.principal.hostname = $hostname
    strings.to_lower(re.capture($other_process.target.process.file.full_path, `(?:.*[\\/])?([^\\/]+\.exe)`)) = $common_file

  match:
    $hostname, $common_file over 5m

  condition:
    $process and $other_process
}


I have a couple of questions that will hopefully let me provide a better answer:

-Is this a search or rule?

-I am assuming these two values exist in the same event, or are they from two different events?

I can mock it up depending on anything else you can share with me...

This is in a detection rule, and they exist in different log sources (different events); I am looking to compare them.
I don't know what file name we would normally get in the field_A value, but I want to match it with the end part of the filefullpath value.
Ex:
$originalfile.field_A = "test.py"
$secondary.filefullpath = "etc/somedirectory/test.py"

$originalfile.field_A = "doc.zip"
$secondary.filefullpath = "etc/somedirectory2/doc.zip"

Edit: Also, can you confirm the syntax to use case sensitivity like NOCASE for these matches?
Is this the right way?

re.capture($filewrite.target.file.full_path, `(.\..*$)`) = $originaldownload.target.resource.name nocase


Here is an example search that works and will limit search results to the matches. I did use the case sensitivity toggle and set it to off; otherwise I would also need to leverage additional functions to convert case. The re2 syntax will vary for the example you have, but the layout for the search should be the same.

metadata.event_type = "PROCESS_LAUNCH"
metadata.log_type = "WINDOWS_SYSMON"
re.capture(target.process.file.full_path, `(?:.*[\\/])?([^\\/]+\.exe)`) = src.process.file.full_path
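The capture-and-compare approach from the accepted rule above and from this search, carried through as an added Python example (not code from the thread): the same regex pulls the lower-cased basename out of Windows and POSIX paths, and a small join emulates the `$hostname, $common_file over 5m` match window over constructed events from two log sources. The `EDR_VENDOR_X` log type, the timestamps and the paths are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same expression as the rule and search above: an optional directory prefix ending in
# "\" or "/", then a capture of the file name that ends in ".exe". Like RE2 in YARA-L,
# Python's re is case-sensitive by default, so the literal ".exe" must be lower case in
# the path; strings.to_lower only normalizes the captured value, not the capture itself.
BASENAME_RE = re.compile(r"(?:.*[\\/])?([^\\/]+\.exe)")

def common_file(full_path):
    """Mirror strings.to_lower(re.capture(full_path, ...)): lower-cased basename, or None
    when the regex does not match (the rule's equality to $common_file then never holds)."""
    m = BASENAME_RE.search(full_path)
    return m.group(1).lower() if m else None

def _ts(event):
    return datetime.fromisoformat(event["ts"])

# Constructed sample events, not real telemetry: two log sources reporting the same host.
EVENTS = [
    {"ts": "2025-05-30T10:00:05", "log_type": "WINDOWS_SYSMON", "hostname": "ws01",
     "path": r"C:\Users\Bob\Downloads\Setup.exe"},
    {"ts": "2025-05-30T10:02:30", "log_type": "EDR_VENDOR_X", "hostname": "ws01",
     "path": "/tmp/staging/SETUP.exe"},                 # same file, different case and path
    {"ts": "2025-05-30T10:01:00", "log_type": "WINDOWS_SYSMON", "hostname": "ws02",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2025-05-30T10:40:00", "log_type": "EDR_VENDOR_X", "hostname": "ws02",
     "path": "C:/Windows/System32/svchost.exe"},        # 39 minutes later: outside 5m
    {"ts": "2025-05-30T10:03:00", "log_type": "WINDOWS_SYSMON", "hostname": "ws01",
     "path": r"C:\Tools\Updater.EXE"},                  # ".EXE": the literal does not match
]

def find_matches(events, window=timedelta(minutes=5)):
    """Emulate the match and condition sections: group on ($hostname, $common_file) and keep
    groups holding a WINDOWS_SYSMON event and a non-SYSMON event at most `window` apart."""
    groups = defaultdict(list)
    for e in events:
        name = common_file(e["path"])
        if name is not None:          # events the regex does not capture never join
            groups[(e["hostname"], name)].append(e)
    hits = []
    for key, evs in groups.items():
        sysmon = [e for e in evs if e["log_type"] == "WINDOWS_SYSMON"]
        other = [e for e in evs if e["log_type"] != "WINDOWS_SYSMON"]
        if any(abs(_ts(s) - _ts(o)) <= window for s in sysmon for o in other):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    print(find_matches(EVENTS))  # [('ws01', 'setup.exe')]
```

Putting `common_file` on its own line, as the accepted answer suggests for `$common_file`, is what lets you print the captured value per event before trusting the join.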


Thank you! I was able to get results using an approach similar to the one you added here.