IBM Security Community
Is there any API for the adding of Yara rules in QRadar?
Tan Boon Chang
Hello Boon Chang,
There is a QRadar application called "IBM Security QRadar Manager for YARA and SIGMA Rules" available on X-Force App Exchange. This app allows users to upload YARA rules or import them from GitHub, and to test them against logs, flows, and files.
Please check it. I hope this application can solve your tasks.
Perhaps I did not frame my question clearly.
I am already using 'IBM Security QRadar Manager for YARA' and am adding YARA rules with it into my QRadar system.
What I am asking about is whether there is an API available to be used with this YARA Manager, for such scenarios as there being no internet connection available to connect to GitHub to import the YARA rules. In this scenario, a separate API which is able to import the YARA rules, be it without going through the YARA Manager or working hand-in-hand with the YARA Manager, would be useful.
Wonder if there is such an API.
Hi Boon Chang,
YARA Rule Manager provides you the ability to import rules from GitHub and, in addition to that, you can import from a local file or paste/enter rules directly into a web form. This video provides a short overview: https://www.youtube.com/watch?v=_naH1CJfAyU
Let me know if this is helpful. Otherwise, maybe provide a bit more detail on the workflow you're facing (what is available/what's not, where do you have your rules available, do you envision some sort of automation or is it ok to provision/convert rules manually via the GUI?)
Yes, I am quite familiar with the QRadar YARA Manager as I have been using it for quite a while already.
And yes, I am envisioning some sort of automation.
Such that a user does not need to be physically present and manually click through the various steps to import the YARA rule (from whichever source, be it local or GitHub). I think I can do this with general automation tools in the market. I am wondering if there is any API provided by QRadar already available to achieve this. For example, a backend folder where the imported YARA rules are stored and I can do some automation to import rules there automatically, or even an API similar to the qradar/api_doc which is able to achieve this.
Nice to hear that you have been using the app for a while!
Unfortunately, there is no mechanism that allows you to do that currently. Feel free to open an RFE on the Ideas portal and the feasibility will be evaluated.
Have a good day!
Thank you for the reply.
I would like to know if there are any learning tutorial videos regarding the use of QRadar YARA Manager.
From the top of my head:
1. Here are a couple of videos with a short overview:
2. You can also check other videos from Jose Bravo; his videos contain references to a Box folder with extra content.
3. Additionally, the YARA / SIGMA Manager application on App Exchange contains links to blog posts and similar materials that can be helpful.
The second video (YARA to AQL Converter: https://youtu.be/_naH1CJfAyU) is particularly helpful, for now.
If I have a folder in the QRadar backend system which contains YARA rules files, how do I go about pointing the QRadar to import these files, without manually importing them one by one through the QRadar YARA Rule Manager tab?
Hi Boon Chang Tan,
Unfortunately, per my understanding, such a capability does not exist at the moment. You can share this idea here: IBM Ideas Portal, and the team will take it into consideration.