Let's look at how we can use the string function concatenation or as it is called in YARA-L strings.concat, for use in rule building in Chronicle SIEM.

String matching and regular expressions provide a good deal of flexibility, but functions like strings.concat provide additional capabilities for YARA-L rule writing. strings.concat takes N number of arguments and returns a string with these values in a single field or variable. Strings.concat can take strings, integers and floats from UDM as well as constants to create a value that can be used in a rule. Strings.concat can also be used in the outcome section to gather values into a single field.

Follow along in the video below to see how strings.concat can be used within the outcome and match sections of a YARA-L rule.

Using the concatenation function in YARA-L, we can pull together string, integer and float fields along with constants to generate descriptive string values. Remember that the constants in a concatenation need to be enclosed in quotes and that we can use placeholder variables and UDM field names.

While we used strings.concat in the outcome section to describe values within our detection, it can also be used in the events section to create a placeholder variable and as a match variable. There are lots of ways to use this function, just be mindful of repeated values in fields as you develop your rules!

Check out these additional resources with more information and learning opportunities:

• New to Chronicle blog series
• Chronicle Learning Path on Google Cloud Skills Boost
• Chronicle documentation
• Google Cloud Security Community Events