Getting to Know Google SecOps: CIDR Reference Lists

Let's look at another type of reference list that we can use in our YARA-L rules in Google SecOps. This one is focused on CIDR.

[Image: Reference List CIDR]

CIDR reference lists follow the same concepts as string reference lists but have a very specific purpose: to identify blocks of IP addresses based on CIDR notation rather than individual IP addresses. The syntax is very similar. In the events section we specify the UDM field name followed by in cidr %list_name.

The reference list is set to a syntax type of CIDR in the list manager. CIDR notation is supported for both IPv4 and IPv6 within reference lists.

Follow along in the video below to see how CIDR reference lists can be used in a YARA-L rule.

CIDR reference lists can be used to find IP addresses within a broader network block without having to specify every IP address in a range or using a large OR statement. This syntax can also be used in search and these reference lists can be reused in multiple rules making them nice and portable.
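Here is an added example rule, not from the original post, that puts the syntax above into a complete YARA-L rule. The reference list name watched_cidr_ranges (a list created in the list manager with the CIDR syntax type), the meta values and the hostname match variable are assumptions made for the example:

```yara-l
rule connection_to_watched_cidr_range {
  meta:
    // Example rule for illustration; list name and meta values are placeholders.
    author = "example"
    description = "Flags network connections whose target IP falls inside any block in the watched_cidr_ranges CIDR reference list"
    severity = "Low"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    // One list lookup covers every IPv4 and IPv6 block in the list,
    // replacing a long OR of individual IP addresses.
    $e.target.ip in cidr %watched_cidr_ranges
    $e.principal.hostname = $host

  match:
    // Group matching events per source host over a one hour window.
    $host over 1h

  outcome:
    $event_count = count_distinct($e.metadata.id)

  condition:
    $e
}
```

Because the CIDR blocks live in the reference list rather than in the rule text, the same list can be referenced from other rules or from search, and updating the list changes every rule that uses it without editing the rules themselves.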

[Image: Reference List CIDR (1)]

Check out these additional resources with more information and learning opportunities:

Last update: 04-30-2024 09:18 AM