Stay organized with collections
Save and categorize content based on your preferences.
re.regex
You can define regular expression matching in YARA-L 2.0 using either of the following syntax:
Using YARA-L syntax — Related to events.
The following is a generic representation of this syntax:
$e.field = /regex/
Using YARA-L syntax — As a function taking in the following parameters:
- Field the regular expression is applied to.
- Regular expression specified as a string.
The following is a generic representation of this syntax:
re.regex($e.field, `regex`)
Description
This function returns true if the string contains a substring that matches the regular expression provided. It is unnecessary to add .* to the beginning or at the end of the regular expression.
Notes
- To match the exact string or only a prefix or suffix, include the
^
(starting) and $ (ending) anchor characters in the regular expression.
For example, /^full$/ matches "full" exactly, while /full/ could match
"fullest", "lawfull", and "joyfully".
- If the UDM field includes newline characters, the
regexp only matches the
first line of the UDM field. To enforce full UDM field matching, add a (?s) to
the regular expression. For example, replace /.*allUDM.*/ with
/(?s).*allUDM.*/.
- You can use the
nocase modifier after strings to indicate that the search
should ignore capitalization.
Param data types
STRING, STRING
Param expression types
ANY, ANY
Return type
BOOL
Code samples
Example 1
// Equivalent to $e.principal.hostname = /google/
re.regex($e.principal.hostname, "google")
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-14 UTC."],[[["\u003cp\u003eThe \u003ccode\u003ere.regex\u003c/code\u003e function in YARA-L 2.0 is used to check if a string contains a substring that matches a given regular expression, and is supported in Rules and Search.\u003c/p\u003e\n"],["\u003cp\u003eThere are two ways to define regular expression matching in YARA-L 2.0: using the \u003ccode\u003e$e.field = /regex/\u003c/code\u003e syntax or by using the \u003ccode\u003ere.regex($e.field, \u003c/code\u003eregex\u003ccode\u003e)\u003c/code\u003e function.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003ere.regex\u003c/code\u003e function automatically checks for substrings, so adding \u003ccode\u003e.*\u003c/code\u003e at the beginning or end of the regular expression is unnecessary.\u003c/p\u003e\n"],["\u003cp\u003eTo ensure exact string matching or to match prefixes or suffixes, use the \u003ccode\u003e^\u003c/code\u003e and \u003ccode\u003e$\u003c/code\u003e anchor characters within the regular expression, and add a \u003ccode\u003e(?s)\u003c/code\u003e modifier for full multi-line field matching.\u003c/p\u003e\n"],["\u003cp\u003eThe function supports case-insensitive searches using the \u003ccode\u003enocase\u003c/code\u003e modifier after the strings.\u003c/p\u003e\n"]]],[],null,["### re.regex\n\nSupported in: \n[Rules](/chronicle/docs/detection/default-rules) [Search](/chronicle/docs/investigation/udm-search)\n\nYou can define regular expression matching in YARA-L 2.0 using either of the following syntax:\n\n- Using YARA-L syntax --- Related to events.\n The following is a generic representation of this syntax:\n\n $e.field = /regex/\n\n- Using YARA-L syntax --- As a function taking in the following parameters:\n\n - Field the regular expression is applied to.\n - Regular expression specified as a string.\n\n The following is a generic representation of this syntax: \n\n re.regex($e.field, `regex`)\n\n#### Description\n\nThis function returns `true` if the string contains a substring that matches the regular expression provided. It is unnecessary to add `.*` to the beginning or at the end of the regular expression.\n\n##### Notes\n\n- To match the exact string or only a prefix or suffix, include the `^` (starting) and `$` (ending) anchor characters in the regular expression. For example, `/^full$/` matches `\"full\"` exactly, while `/full/` could match `\"fullest\"`, `\"lawfull\"`, and `\"joyfully\"`.\n- If the UDM field includes newline characters, the `regexp` only matches the first line of the UDM field. To enforce full UDM field matching, add a `(?s)` to the regular expression. For example, replace `/.*allUDM.*/` with `/(?s).*allUDM.*/`.\n- You can use the `nocase` modifier after strings to indicate that the search should ignore capitalization.\n\n#### Param data types\n\n`STRING`, `STRING`\n\n#### Param expression types\n\n`ANY`, `ANY`\n\n#### Return type\n\n`BOOL`\n\n#### Code samples\n\n##### Example 1\n\n // Equivalent to $e.principal.hostname = /google/\n re.regex($e.principal.hostname, \"google\")"]]
