Getting to Know Chronicle: Functions - strings.coalesce

Let's look at how we can use the string function coalesce, called strings.coalesce in YARA-L, when building rules in Google SecOps.


We previously discussed that string matching and regular expressions provide a good deal of flexibility, but functions like strings.coalesce add further capabilities for YARA-L rule writing. strings.coalesce takes any number of values and returns the first one that is not an empty string. It can be used with both UDM string fields and constants.

Follow along in the video below to see how strings.coalesce can be used as an aggregation that we can use for our match variable in a YARA-L rule.

Remember that strings.coalesce is intended for string fields and constants and returns the first non-null value, so the order of the values passed to the function matters. The video focused on using coalesce in the events and match sections, but it can also be used within the outcome section of a rule.
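As an added illustration that is not part of the original post, the following YARA-L 2.0 rule uses strings.coalesce as a placeholder in the events section, reuses that placeholder as the match variable, and calls the function again inside the outcome section. The event type, UDM field choices, fallback constants and the 10-minute window are assumptions made for this example.

```yaral
rule coalesce_hostname_example {
  meta:
    author = "added example, not from the original post"
    description = "Group connections by the first non-empty hostname field, falling back to a constant"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"

    // Placeholder assignment: the first non-empty value wins, so argument order matters.
    // principal.hostname is tried first, then principal.asset.hostname, and the constant
    // "unknown_host" is only returned when both fields are empty (assumed field choices).
    $host = strings.coalesce($e.principal.hostname, $e.principal.asset.hostname, "unknown_host")

  match:
    // The placeholder derived from strings.coalesce becomes the match (aggregation) variable.
    $host over 10m

  outcome:
    $event_count = count($e.metadata.id)
    // strings.coalesce can also be used directly in the outcome section.
    $targets = array_distinct(strings.coalesce($e.target.hostname, $e.target.url, "unknown_target"))

  condition:
    $e
}
```

Because the constant is listed last, it never masks a populated field; placing it first would make every event match "unknown_host".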

Last update: 03-19-2024 07:18 AM