IBM QRadar

 View Only

Threat hunting with QRadar and YARA !

By Gladys Koskas posted Mon October 25, 2021 11:41 AM

  

What is YARA ?

Yet Another Ridiculous Acronym ! :o)

But it is also a "tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples [...] Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic" (source: https://yara.readthedocs.io/en/stable/)

YARA works on Windows, Linux and Mac OS X environments. It is used by many vendors, such as VirusTotal, CrowdStrike, Reversing Labs, FireEye, Blue Coat, Trend Micro, Symantec, PhishMe, Kaspersky, osquery, Forcepoint, Threat Connect, etc... oh ! and QRadar !

YARA has actually been part of QRadar since the version 7.3.0 with QIF and QNI, and it is now also accessible outside of these appliances!

The new YARA Rule Manager app allows to manage YARA Rules and scan logs, flows and even files !


Let me show you !

Manage YARA Rules

The app allows to create namespaces and to add/edit rules in them via import of a file or simple text edition.

Namespaces



Rules


If you need some inspiration to find rules, check out this repo that references a lot of places to download a lot of them https://github.com/InQuest/awesome-yara#rules

I love the way they classified content !



Scan Data

Many options are available to you here.

Choose the data

First set of options is on the data you want to scan, you can choose between 4 possibilities


Payload: This option allows to bring raw payloads coming from an offense investigation or from a third party too as an example
Advanced Search (AQL) and Saved Search: These are the searches coming from the Log Activity and the Network Activity. It is a quick way to retrieve all the data from a particular device or a user on a specific period of time as an example.
Upload File: This option lets you upload an actual suspicious file and scan it with the YARA rules you've defined.

 

Choose the rules

The second half of the screen is letting you choose which rules will be used to scan your data



The app will trigger a scan on the sample of data you selected in the first part, and will return a match / not match result, depending on the options you selected here. You can decide that you need any rule in your namespace to match a payload, all the rules, or only a selection of them.

Example of a scan based on data retrieved with an AQL search:

Example of a scan based on a file uploaded:


How to get the app ?

You can get the IBM Security QRadar Manager for YARA Rules on the App Exchange by clicking here

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
0 comments
108 views

Permalink