Getting to know Chronicle SIEM: YARA-L rule variables

In our previous post, we provided an introduction to Chronicle SIEM with a focus on YARA-L basics and how detection rules are constructed. 

In this post, we’ll focus on using variables in YARA-L to build detection rules. Follow along in the video below.

Types of variables

There are four kinds of variables we use in rules: event, placeholder, match, and outcome. In this post, we’ll focus on the first three and save outcome variables for a future post. 

In YARA-L 2.0, all variables are represented as $<variable name>.

Example variables in a rule

Follow along in the video starting at 0:30 to see an example in action.

Our example is looking for repeated failed logins followed by a success. 

So, how are these variables being used? 

Event variable

An event variable is prefixed to every UDM field it qualifies (for example, $fail.metadata.event_type), so each line of criteria in the events section that references a UDM event or entity field starts with one. If we are looking for a single event, or a single set of events that all share the same criteria, one event variable is enough.

However, in this case, we have two event variables, $fail and $success, because the criteria associated with the failed events is different from what is associated with the successful events. 

While the name of an event variable can be arbitrary, a descriptive name helps analysts reviewing the events, because these names appear alongside the events in the resulting detections.

After running Test Rule on the rule, you can see that the returned events are labeled with the event variable names: the fail events are listed first, followed by the success event. Labeling them this way makes it very easy for an analyst to see at a glance which events are which.

[Image: fail-success-events.png]

Placeholder variable

Another kind of variable is the placeholder variable. Placeholder variables are flexible: once you define one in the events section by assigning a UDM field to it, it can also be used in the match, outcome, or condition sections.

In our example, we have two placeholder variables: $hostname and $user. We have placeholder variables defined in both the success and the failed events. Those placeholders can then be used in the match section, where they become our match variables. 

Using a placeholder variable does not require it to appear in the match section as well. In this case, both of ours happen to.

Match variable 

Match variables specify the value (or values) that must be shared across the disparate events we want to join together.

The list of match variables is always followed by a time window. In this case, our match section states that we are grouping events with common user and hostname values that occur within a 15 minute window. For those familiar with SQL, this is analogous to a GROUP BY clause, with the time window bounding each group.

[Image: match-variable.png]

That summarizes the three variables, event, placeholder, and match, in action.

But wait, there’s one more thing. 

If you go down to the bottom to your condition section, you can see that your event variable of success has a dollar sign in front of it ($success), but the event variable of fail has a hash symbol in front of it (#fail). What does that mean?

[Image: condition-section.png]

The hash is a special character that can be used in place of the dollar sign in the condition section. When setting our conditions, we always reference event or placeholder variables. $success means that at least one event matching the $success criteria must exist. If we only wanted one failed event followed by one success event, we could write $fail and $success, but that would be a pretty noisy rule.

Instead, we can use #fail, which generates a distinct count of events that satisfy our event criteria within our time window. 

It’s worth mentioning that you could do the same with a placeholder variable to get a distinct count of values in a specific field. 

Because we have set our condition to #fail > 4 and $success, a detection fires when, within the 15 minute window defined in the match section and for a given user and hostname pair, there are more than four distinct failed events and at least one successful event that satisfy the criteria in the events section. One caveat: the match window by itself only requires that both kinds of events fall inside the same window; it does not enforce that the failures come before the success. If that ordering matters to you, compare the events' timestamps in the events section.
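For reference, here is a complete rule in the shape this post describes, written out as an added example rather than the rule shown in the video. The meta values, the UDM field choices (USER_LOGIN as the event type, security_result.action for the outcome, principal.hostname and target.user.userid for the placeholders) and the timestamp comparison that enforces the fail-before-success ordering are assumptions, not taken from the post.

```yaral
// Added example rule, not the one from the post's video. The meta values,
// UDM field choices and the timestamp comparison are assumptions.
rule repeated_failed_logins_then_success {

  meta:
    author = "example"
    description = "More than four failed logins followed by a success for the same user on the same host within 15 minutes"
    severity = "MEDIUM"

  events:
    // Event variable $fail: every UDM field below is qualified with $fail.
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    // Placeholder variables $hostname and $user capture field values for reuse.
    $fail.principal.hostname = $hostname
    $fail.target.user.userid = $user

    // Event variable $success: different criteria, same placeholders, which
    // is what ties a success event to the fail events for one user and host.
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.hostname = $hostname
    $success.target.user.userid = $user

    // Assumed addition: require the failures to precede the success. Without
    // this line the match window only requires both to occur in the same 15m.
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    // Match variables: group events that share user and hostname in a 15m window.
    $hostname, $user over 15m

  condition:
    // #fail is the distinct count of $fail events in the group;
    // $success requires at least one matching success event.
    #fail > 4 and $success
}
```

When adapting this, replace the action values with whatever your log source actually populates in security_result.action, and run Test Rule over a window that contains known failed and successful logins to confirm the events are labeled fail and success as described above.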

And that’s how variables can be used in YARA-L. 

Just remember that event variables are used to organize like criteria together, placeholder variables can be used throughout the rule to describe different fields, and match variables link disparate events together within the match section.


Last update: 09-18-2023 03:29 PM