IBM Security QRadar

Threat hunting with QRadar and YARA!

By Gladys Koskas posted Mon October 25, 2021 11:41 AM


What is YARA?

Yet Another Ridiculous Acronym! :o)

But it is also a "tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples [...] Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic" (source: https://yara.readthedocs.io/en/stable/). In other words, a rule declares the byte patterns, text strings or regular expressions it is looking for, and a condition that says how many of them (and where, or in what size of input) must be present for the rule to match.

YARA runs on Windows, Linux and Mac OS X. It is used by many vendors, such as VirusTotal, CrowdStrike, Reversing Labs, FireEye, Blue Coat, Trend Micro, Symantec, PhishMe, Kaspersky, osquery, Forcepoint, ThreatConnect and others. Oh, and QRadar!

YARA has actually been part of QRadar since version 7.3.0 through QIF (QRadar Incident Forensics) and QNI (QRadar Network Insights), and it is now also accessible outside of these appliances!

The new YARA Rule Manager app lets you manage YARA rules and scan logs, flows and even files!


Let me show you!

Manage YARA Rules

The app lets you create namespaces and add or edit rules in them, either by importing a rule file or by editing the rule text directly.

Namespaces


Rules


If you need some inspiration, the awesome-yara repository lists many places where published rule sets can be downloaded: https://github.com/InQuest/awesome-yara#rules. As with any third-party detection content, run imported rules against known-clean data before you rely on them, and expect to tune strings and thresholds for your environment.

I love the way they classified the content!
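As an added example (not taken from the post, from the app, or from any published rule repository), here is a small rule file of the kind you would import into a namespace. It shows the three parts of a rule that the YARA definition above describes (meta, strings, condition), the text, hex-offset and regex string types, and one rule referencing another. The rule names, strings and thresholds are illustrative choices made for this page, not vetted detection content.

```yara
// Example rule file for the YARA Rule Manager app: import it as one namespace.
// These rules were written for this page as illustrations; they are not from
// IBM, the app, or any published rule set, and the strings and thresholds are
// assumptions, not vetted detection content.

rule Suspicious_PE_Downloader
{
    meta:
        description = "Small PE file that embeds a download URL for an executable plus a command launcher string"
        author      = "example"
        reference   = "illustrative rule, not from a published repository"

    strings:
        // regex string: an http(s) URL whose path ends in an executable extension
        $url  = /https?:\/\/[a-z0-9.\-]{4,60}\/[a-z0-9\/._\-]{1,40}\.(exe|dll|ps1)/ nocase
        // text strings; 'wide' also matches the UTF-16LE form common in Windows binaries
        $cmd1 = "cmd.exe /c" ascii wide nocase
        $cmd2 = "WScript.Shell" ascii wide nocase

    condition:
        // 0x5A4D is "MZ", the DOS header magic at offset 0 of a PE file
        uint16(0) == 0x5A4D and filesize < 2MB and $url and 1 of ($cmd*)
}

rule Encoded_PowerShell_In_Payload
{
    meta:
        description = "Event payload (e.g. a process-creation log) whose command line runs PowerShell with an encoded command"

    strings:
        $ps   = "powershell" nocase
        $enc1 = "-encodedcommand" nocase
        $enc2 = "-enc " nocase
        // a base64 blob of at least 40 characters: the encoded script itself
        $b64  = /[A-Za-z0-9+\/]{40,}={0,2}/

    condition:
        $ps and 1 of ($enc*) and $b64
}

rule Encoded_PowerShell_Hidden_Window
{
    meta:
        description = "Higher-confidence variant: the encoded command also requests a hidden window"

    strings:
        $hide1 = "-w hidden" nocase
        $hide2 = "-windowstyle hidden" nocase

    condition:
        // a rule may reference another rule defined earlier in the same namespace
        Encoded_PowerShell_In_Payload and 1 of ($hide*)
}
```

A few points worth knowing before you import something like this: YARA rejects a rule that declares a string it never uses in its condition, so every `$name` must appear in the condition (directly or through a wildcard such as `1 of ($enc*)`); the first rule is written for uploaded files (it checks the `MZ` header and size), whereas the other two are written for log payloads retrieved by an AQL or saved search, where the "file" is the event text; and the third rule shows that "all of these rules must match" can be expressed inside YARA itself by referencing an earlier rule, in addition to the any/all/selection options the app offers at scan time.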



Scan Data

Many options are available to you here.

Choose the data

The first set of options concerns the data you want to scan; there are four possibilities:


Payload: paste raw payloads directly, for example text taken from an offense investigation or supplied by a third party.
Advanced Search (AQL) and Saved Search: these pull data from Log Activity and Network Activity searches. This is a quick way to retrieve, for example, all the events from a particular device or user over a specific period of time.
Upload File: this option lets you upload an actual suspicious file and scan it with the YARA rules you have defined.


Choose the rules

The second half of the screen lets you choose which rules will be used to scan your data.



The app runs the selected rules over the data sample you chose in the first part and returns a match / no match result according to the options you select here: you can require any rule in the namespace to match, all of the rules, or only a selection of them.

Example of a scan based on data retrieved with an AQL search:

Example of a scan based on a file uploaded:


How to get the app?

You can sign up for the Early Access program!

By doing so, you get privileged access to a great app and to a great team of developers who will take you through the entire process, listen to your feedback and your use cases, and of course take feature requests!

If you are interested, please send an email to:
