IBM Security QRadar


QRadar YARA Rule Manager App awesome updates

By Gladys Koskas posted Wed June 22, 2022 02:14 PM


Hey guys

Have you noticed the new version of the IBM Security QRadar Manager for YARA Rules on the App Exchange?
I will show you all the cool updates we've made!

A quick note before we start: if you want to discover how the app works, this blog entry explains it. If you want to see a concrete use case, read the blog entry on tuning rules to detect the CVE-2022-22965 exploit.

What's new in the YARA App?

Data scanning

The data scanning part got a lot more powerful. As a quick reminder, you can scan a wide variety of data:

  • Raw payloads imported from a third party tool
  • Events from a Log Activity Search
  • Flows from a Network Activity Search
  • Suspicious Files

The big change is in the rule selection.
You can now select a Namespace and the Rules you want from it, decide whether the data must match Any or All of them, add that filter to the selection, and then pick another Namespace to add.
In short, you can scan your data with all the rules you want, even from different namespaces.

Check this out!

The app now also shows which rules matched and which data they matched on!

Rules import 

The rules import function has been improved to make namespace updates easier.

When you edit a namespace from the Rule Manager, you can now import a file; a message will ask whether you want to override or append to the existing content.

From the GitHub integration window, you can now add all the rules at once to an existing namespace, or simply create a new one on the fly.
You will be prompted if you are about to override a rule in an existing namespace.

That will definitely make things cleaner and make namespace maintenance much easier!
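To make the two features above concrete, here is an added example (not the app's code, and not from the original post) that models them in plain Python: per-namespace rule selections with an Any/All requirement, a report of which rules and strings matched, and an append-or-override import that refuses to silently replace a rule. The YARA sources, rule names, payload and the collision check are all constructed for this example; the parser only understands plain text strings with an "any of them" / "all of them" condition, not real YARA.

```python
import re
from dataclasses import dataclass

# Constructed YARA sources standing in for two namespaces (not the app's
# content; names and strings are illustrative only).
NS_MALWARE = r'''
rule webshell_php {
    strings:
        $a = "<?php"
        $b = "eval("
    condition: all of them
}
rule encoded_powershell {
    strings:
        $a = "powershell"
        $b = "-enc"
        $c = "FromBase64String"
    condition: any of them
}
'''
NS_SPRING = r'''
rule spring_classloader_param {
    strings:
        $a = "class.module.classLoader"
    condition: any of them
}
'''
# Constructed "update" file whose first rule collides with an existing name.
NS_MALWARE_UPDATE = r'''
rule webshell_php {
    strings:
        $a = "<?php"
        $b = "system("
    condition: all of them
}
rule jsp_webshell {
    strings:
        $a = "Runtime.getRuntime().exec("
    condition: any of them
}
'''

RULE_RE = re.compile(r'rule\s+(\w+)[^{]*\{(.*?)\}', re.S)
STRING_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')
COND_RE = re.compile(r'condition:\s*(any|all)\s+of\s+them')


@dataclass
class Rule:
    name: str
    strings: dict   # string identifier -> bytes pattern
    mode: str       # 'any' or 'all' (of them)


def parse_rules(source: str) -> dict:
    """Parse the small YARA subset used here (plain text strings plus an
    'any of them' / 'all of them' condition). Returns {rule name: Rule}."""
    rules = {}
    for name, body in RULE_RE.findall(source):
        strings = {sid: pat.encode() for sid, pat in STRING_RE.findall(body)}
        cond = COND_RE.search(body)
        if not strings or cond is None:
            raise ValueError(f"rule {name}: syntax not supported by this demo")
        rules[name] = Rule(name, strings, cond.group(1))
    return rules


def match_rule(rule: Rule, data: bytes) -> list:
    """Identifiers of the strings found in data if the rule's condition holds,
    otherwise an empty list (so the caller can show what matched)."""
    hits = [sid for sid, pat in rule.strings.items() if pat in data]
    needed = len(rule.strings) if rule.mode == 'all' else 1
    return hits if len(hits) >= needed else []


def scan(namespaces: dict, selections: list, data: bytes) -> list:
    """Scan data against selections of the form (namespace, [rule names],
    'any' | 'all'), one per namespace like the app's rule picker. Each result
    lists the matched rules with their matched strings and whether the
    selection's Any/All requirement was satisfied."""
    report = []
    for ns, names, mode in selections:
        matched = {}
        for name in names:
            hits = match_rule(namespaces[ns][name], data)
            if hits:
                matched[name] = hits
        needed = len(names) if mode == 'all' else 1
        report.append({'namespace': ns, 'mode': mode, 'matched': matched,
                       'satisfied': len(matched) >= needed})
    return report


def import_into_namespace(existing: dict, imported: dict, mode: str) -> dict:
    """'override' replaces the namespace with the imported rules; 'append'
    adds them but refuses name collisions, because YARA will not compile two
    rules with the same name in one namespace. Refusing (rather than
    prompting) is this example's choice, not the app's behaviour."""
    if mode == 'override':
        return dict(imported)
    if mode != 'append':
        raise ValueError(f"unknown import mode: {mode}")
    clashes = sorted(set(existing) & set(imported))
    if clashes:
        raise ValueError("append would override existing rule(s): " + ", ".join(clashes))
    return {**existing, **imported}


if __name__ == '__main__':
    namespaces = {'malware': parse_rules(NS_MALWARE), 'spring': parse_rules(NS_SPRING)}
    # Constructed event payload, already URL-decoded as the scanner would see it.
    payload = b'GET /index.php?cmd=powershell -enc SQBFAFgA HTTP/1.1\r\nHost: demo\r\n'
    for result in scan(namespaces, [('malware', ['webshell_php', 'encoded_powershell'], 'any'),
                                    ('spring', ['spring_classloader_param'], 'any')], payload):
        print(result)
    try:
        import_into_namespace(namespaces['malware'], parse_rules(NS_MALWARE_UPDATE), 'append')
    except ValueError as err:
        print(err)
```

The point of keeping the per-selection Any/All separate from the per-rule "any/all of them" is that they are different knobs: the first decides whether one matching rule in the selection is enough, the second is the rule author's own condition. Running the same rules with a real YARA engine (yara-python compiles several namespaces at once via its sources mapping) would replace parse_rules and match_rule while leaving the selection and import logic unchanged.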

I hope this update will help you save precious time during your investigations.
Don't hesitate to tell us how we can make it even better for you; you can open an RFE via the portal here.

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.