Yara rules
Sentinel should add support for YARA rules to enable industry collaboration and improvement.

Keep in mind that Yara rules usually focus on detection using the file content or another payload. SIEM telemetry typically does not include content or payloads, and therefore Yara rules have limited value in a SIEM.
5 comments
-
Anonymous commented
A use case scenario is when e.g. ACSC/JCSC/Fed Gov provide IOCs in YARA format. It would be very helpful to be able to ingest/import YARA rules into Sentinel (or convert to KQL) to run. If it would be better to add this capability in Defender instead, I would take that too
-
Max Frommherz commented
Hello @anonym,
This request might seem a bit off topic. I'm working on a project for my university here in Germany and I'm looking for some customers using Azure Sentinel to talk about their impressions. I would greatly appreciate it if you could answer some questions about Azure Sentinel. If you're interested, please contact me at Max.Frommherz@Wieland.com.
Best regards
Max Frommherz
-
Ofer Shezaf commented
Keep in mind that Yara rules usually focus on detection using the file content or another payload. SIEM telemetry typically does not include content or payloads, and therefore Yara rules have limited value in a SIEM.
-
Anonymous commented
Agreed. Many organisations use this format to create file-based detection rules which would allow security teams to quickly put in detection rules for new and emerging threats.
-
What is the use case / scenario you are looking to solve with this request?
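The two points raised in this thread (importing hash IOCs delivered as YARA, and the fact that content-string conditions cannot be evaluated on SIEM telemetry) can be shown with a small converter. This is an added example, not code from the thread or from Sentinel; the YARA rule, the hash value and the `DeviceFileEvents` table/column names are constructed placeholders.

```python
import re

# Constructed placeholder hash (not a real indicator).
PLACEHOLDER_HASH = "0011223344556677" * 4

# Constructed YARA rule: one hash IOC plus two content strings.
SAMPLE_RULE = (
    'import "hash"\n'
    'rule Example_Dropper {\n'
    '    meta:\n'
    '        description = "constructed example"\n'
    '    strings:\n'
    '        $s1 = "evil.dll" ascii\n'
    '        $s2 = { 4D 5A 90 00 }\n'
    '    condition:\n'
    '        hash.sha256(0, filesize) == "' + PLACEHOLDER_HASH + '"\n'
    '        or any of ($s*)\n'
    '}\n'
)

# hash.<algo>(...) == "<hex>" equality checks in the condition block.
HASH_RE = re.compile(r'hash\.(md5|sha1|sha256)\s*\([^)]*\)\s*==\s*"([0-9a-fA-F]+)"')
# Any $name = ... definition in the strings block (text or hex pattern).
STRING_RE = re.compile(r'^\s*\$\w+\s*=', re.M)

# Assumed column names for the file-hash fields of the target table.
KQL_COLUMN = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}


def extract_hash_iocs(rule_text):
    """Return {algorithm: [hashes]} for the hash equality checks in a rule."""
    iocs = {}
    for algo, value in HASH_RE.findall(rule_text):
        iocs.setdefault(algo, []).append(value.lower())
    return iocs


def count_content_strings(rule_text):
    """Number of content strings; these need file bytes and cannot be run in a SIEM."""
    return len(STRING_RE.findall(rule_text))


def yara_to_kql(rule_text, table="DeviceFileEvents"):
    """Return (kql_query_or_None, untranslatable_string_count).

    Only the hash IOCs become a KQL filter. With an OR condition, as above, the
    query covers the hash branch only and misses matches the strings would give.
    """
    iocs = extract_hash_iocs(rule_text)
    clauses = [f'{KQL_COLUMN[a]} in ({", ".join(chr(34) + h + chr(34) for h in hs)})'
               for a, hs in iocs.items()]
    query = f"{table}\n| where {' or '.join(clauses)}" if clauses else None
    return query, count_content_strings(rule_text)
```

Run `yara_to_kql(SAMPLE_RULE)` to get the hash-only query together with the count of string conditions that were left behind.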