Hey guys,
Have you noticed the new version of the IBM Security QRadar Manager for YARA Rules on the App Exchange?
I will show you all the cool updates we've made!
A quick note first: if you want to discover how the app works, this blog entry will explain it to you. If you want to see a concrete use case, you should read the blog entry explaining how to tune rules to detect the CVE-2022-22965 exploit.
What's new in the YARA App?
Data scanning
The data scanning part got much more powerful. As a quick reminder, the variety of data you can scan is huge:
- Raw payloads imported from a third-party tool
- Events from a Log Activity Search
- Flows from a Network Activity Search
- Suspicious Files
The big change is in rule selection.
You can now select a Namespace and the Rules from it you want to use, decide whether you want to match Any or All of them, add your filter to the selection, and then pick another Namespace to add.
In a few words, you can scan your data with all the rules you want, even when they come from different namespaces.
Check this out!
Rules import
The rules import function has been improved to give you more control over namespace updates.
When you edit a namespace from the Rule Manager, you can now import a file; a message will ask whether you want to override or append the content.
From the GitHub integration window, you can now add all the rules at once to an existing namespace, or simply create a new one on the fly.
You will be prompted if you are about to override a rule in an existing namespace.
That will definitely make things cleaner and make namespace maintenance much easier!
I hope this update will help you save precious time during your investigations.
Don't hesitate to tell us how we can make it even better for you: you can open an RFE via the portal here.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.