What is YARA ?
Yet Another Ridiculous Acronym ! :o)
But it is also a "tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples [...] Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic" (source: https://yara.readthedocs.io/en/stable/)
YARA works on Windows, Linux and Mac OS X environments. It is used by many vendors, such as VirusTotal, CrowdStrike, Reversing Labs, FireEye, Blue Coat, Trend Micro, Symantec, PhishMe, Kaspersky, osquery, Forcepoint, Threat Connect, etc... oh ! and QRadar !
YARA has actually been part of QRadar since the version 7.3.0 with QIF and QNI, and it is now also accessible outside of these appliances!
The new YARA Rule Manager app allows to manage YARA Rules and scan logs, flows and even files !
Let me show you !
Manage YARA Rules
The app allows to create namespaces and to add/edit rules in them via import of a file or simple text edition.