Is it possible to use Arrays.contains with two variables in Yara-L?

Is it possible to use Arrays.contains with two variables in Yara-L?

In the documentation it seems that the arrays.contains function can be used like the following, 

arrays.contains($asset_id_list, "id_1234")

Is it possible to use the function with two variables so I can compare the list with a value in a UDM field?

The following code snippet shows a possible use case for this scenario:

rule Example_rule_for_arrays {

    author = "amalone"
    description = "Look for a spike in failed logins for a User account followed by a successful login from an IP address associated with a fail"
    severity = "Low"

    $fail.metadata.event_type = "USER_LOGIN" 
    $fail.security_result.summary = /Failed/ nocase
    $ = $user
    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.summary = /Success/ nocase
    $ = $user

    $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds
     $user over 2d

    $Total_Fails = count($ // count of total failed logins

    $Failed_login_IPs_Count = count_distinct($fail.principal.ip) // Number of IPs with a failed login to the User
    $Failed_login_IPs_List = array_distinct($fail.principal.ip) // Unique list of IPs with a failed login for the user

    $Success_login_IPs_Count = count_distinct($success.principal.ip) // Number of IPs with a Successful login to the User
    $Success_login_IPs_List = array_distinct($success.principal.ip) // Unique list of IPs with a Successful login for the user
      // Look for at least 30 fails over 2 days from more than 3 IP addresses.
      // QUESTION: Is there a way to say "The value of $success.principal.ip exists inside of $Failed_login_IPs_List"
      //    note: I don't want to match off of the IP as well as that will cut down on the number of failed login logs
      // Want to do something like arrays.contains($Failed_login_IPs_List, $success.principal.ip) in the condition
    $fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30 



  • what if you just tied them with the placeholders in the events? I used the hostname instead of IP because with DHCP the IP address would change in a two-day period in our environment. But you could use the IP instead. Then in my case, I went with hostnames and tried this with your rule logic.

    I also changed mine to one hour just because I am playing with your rule in my environment.

    And what are you using for log sources? We have crowdstrike so that is the source I am thinking with on this.

  • Thanks for the follow-up! By tying the hostnames together with $successfulhostname = $failedhostname it makes it so the rule is looking for a successful login and a failed login on the same host. Moving down to the condition statement $Failed_login_Host_count greater than 3 makes the rule logic mean the following if I am correct:

    "Look for a single user where they have had a successful login and failed login on three separate devices over the course of an hour. In that same hour there should be 30 total fails across all hostnames"

    This is a useful rule but logically is a bit different from what I'm looking for above. By joining the hosts together it makes it so the User has to have a success and a fail on all 3 different hosts. What I am looking for is the capability to check if a value exists within an array. The English version from my rule logic is:

    "Look for a single user with more than 30 failed logons from 3 separate IPs where there is also a successful logon from at least one of the 3 IPs"

    This leans on one of the IPs with a successful logon existing in the array of IPs with a fail. I don't think this is doable at the moment but something like arrays.contains($Failed_Login_Ips_List, $Success.Principal.IP) would meet the requirements.

  • I am only tying the successful host login event to be from a previous failed host login event.

    The failed event has no tie to a successful event.

    This is a multievent rule. Event 1 is the login failure from a host, Event 2 is a successful login from a previously Failed host.

    We have mobile carts and devices that move around and can pull different IP's from DHCP. so for me, I need to work by hostname.

    With running the rule I am seeing hits on the expected accounts in our environment. Our scanners and so forth.

    Change my hostname to your IP and I think the logic would still hold.

  • The rule above is mainly an example in my case to try and show the functionality of looking for a UDM event inside of an array in the outcomes section. With how the rule is currently it requires a success and fail on each host. I'm wondering if it is possible to look through one of the arrays in the outcome section for a value that is inside of a UDM field. This would require calling the function with two variables as parameters which I'm not sure is allowed.

  • gotcha. Yea, I am not sure you can do it that way. maybe submit a feature request?

    I guess mine would be a workaround,

Sign In or Register to comment.