Function to placeholder assignment

In YARA-L, using a function to process event data and storing the result in a variable is called function-to-placeholder assignment. Placeholder variables (names prefixed with $) represent specific values extracted from UDM events and other data sources. A function can operate on one or more fields of an event, and its result is assigned to a placeholder that can then be used in other parts of the rule, such as the match, condition, and outcome sections.

  • Functions: YARA-L provides functions, such as the strings.concat and strings.to_lower functions used in the examples below, that perform calculations or data transformations on event fields.

  • Placeholder variables: Variables, denoted by a leading dollar sign (such as $user or $ip), that hold values derived from event fields or function outputs. They are defined in the events section and can be used throughout the rule.

  • Assignment: The function's output is assigned to a placeholder variable.

Limitations

There are two limitations on function-to-placeholder assignment:

  1. Every placeholder used in a function-to-placeholder assignment must, somewhere in the events section, be assigned to an expression that directly references an event field (either the field itself or a function call that takes the field as an argument). Depending on another placeholder does not count: a placeholder whose only assignment is a function of some other placeholder is invalid, even if that other placeholder is itself derived from an event field.

    Valid examples

    $ph1 = $e.principal.hostname
    $ph2 = $e.src.hostname
    
    // Both $ph1 and $ph2 have been assigned to an expression containing an event field.
    $ph1 = strings.concat($ph2, ".com")
    
    $ph1 = $e.network.email.from
    $ph2 = strings.concat($e.principal.hostname, "@gmail.com")
    
    // Both $ph1 and $ph2 have been assigned to an expression containing an event field.
    $ph1 = strings.to_lower($ph2)
    

    Invalid example

    $ph1 = strings.concat($e.principal.hostname, "foo")
    $ph2 = strings.concat($ph1, "bar") // $ph2 has NOT been assigned to an expression containing an event field: its only assignment is a function of another placeholder.
    
  2. The function call must depend on exactly one event variable: every event field among its arguments must come from the same event. A call whose arguments contain no event field at all, or fields from two different events, is invalid. More than one field from the same event can be used in the arguments.

    Valid example

    $ph = strings.concat($event.principal.hostname, "string2")

    $ph = strings.concat($event.principal.hostname, $event.src.hostname)

    Invalid example

    $ph = strings.concat("string1", "string2") // No event field in the arguments.

    $ph = strings.concat($event.principal.hostname, $anotherEvent.src.hostname) // Fields from two different events.
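The following complete rule shows both limitations respected inside a single events section and the resulting placeholders consumed by the match and outcome sections. It is an added illustration, not a rule from the original page or from Google's rule library; the rule name, the USER_LOGIN event type, the UDM fields selected and the one-hour match window are assumptions chosen for the example.

```yaral
rule function_to_placeholder_example {
  meta:
    author = "example"
    description = "Added example: function-to-placeholder assignment feeding match and outcome"
    severity = "LOW"

  events:
    // Assumed event selection for this example.
    $e.metadata.event_type = "USER_LOGIN"
    $e.principal.hostname != ""
    $e.principal.user.userid != ""

    // Placeholder bound directly to an event field. This satisfies
    // limitation 1 on its own and can be reused elsewhere in the rule.
    $user = $e.principal.user.userid

    // Function-to-placeholder assignments. Each call references fields of
    // exactly one event ($e), as limitation 2 requires, and each placeholder
    // is assigned to an expression that directly contains an event field,
    // as limitation 1 requires.
    $host_lower = strings.to_lower($e.principal.hostname)
    $account = strings.concat($e.principal.user.userid, $host_lower)

    // Assignments that the compiler would reject, shown only as comments:
    //   $tag = strings.concat($host_lower, "-x")
    //     violates limitation 1: $tag is never assigned directly to an event field,
    //     only to a function of another placeholder
    //   $pair = strings.concat($e.principal.hostname, $f.src.hostname)
    //     violates limitation 2: the arguments reference two events ($e and $f)

  match:
    // A function-derived placeholder used as the match variable.
    $host_lower over 1h

  outcome:
    // Placeholders, direct and function-derived, aggregated per match window.
    $distinct_users = count_distinct($user)
    $accounts = array_distinct($account)

  condition:
    $e
}
```

The design point is traceability: every placeholder that reaches the match or outcome sections ($host_lower, $user, $account) can be followed back to an assignment in the events section that names a field of the single event $e, which is exactly what the two limitations guarantee.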
