
amalone341/YARA-L-Work


Set of some YARA-L rules

Table of Contents

  1. Intro
  2. Data in meta fields
  3. Building Blocks
  4. Checker
  5. Example Rules
  6. Entity Data

Intro

Quick disclaimer: depending on your organization, the UDM fields these rules key on may not map directly to your data, so the rules may need some tuning. These rules are a collection created by myself or by detection engineers I have worked with. Please use at your own risk. If you find any issues with the rules, or have requests for Yara-L ones, please feel free to reach out.

Resources

The following are links to a few Chronicle resources that I commonly use.

  • Yara-L Syntax: Google's Yara-L syntax documentation.
  • New To Chronicle Series: An in-depth writeup on how to begin writing Yara-L rules. Cannot recommend this series enough for anyone trying to learn the language. It also has great example rules for seeing some of the newer capabilities of Yara-L.
  • List of UDM fields: List of all UDM fields in the platform. Worth saving, as it has all field names and the allowed values for fields that are enumerations.
  • Graph data: Good example rules for using some of the context graphs on the platform.
  • Rule Examples: NEW UPDATES!!! Chronicle added more examples that show the flexibility of what can be done in Yara-L. Would recommend reviewing these to understand how multi-event and outcome rules work.
  • More Graph Rules: Thorough examples of how the graph data can be used for prevalence-based detections.

Data in meta fields

For now, here is what I put in the meta fields, since the platform does not specify their meaning:

  • severity:
    • CRITICAL: A detection from this rule is severe and warrants immediate response.
    • HIGH: Detections from this rule need to be looked into relatively soon.
    • MEDIUM: Rule that fingerprints interesting activity associated with TTPs. When it fires alongside other MEDIUM rules on the same host/user, the activity should be escalated.
    • LOW: Informational rule, or a rule to surface activity of interest.
  • status:
    • Experimental: Rule still needs testing/tuning to be reliable.
    • Testing: Rule is fairly consistent but still needs some tuning and review of matches to be reliable.
    • Stable: Tuned rule; a detection should be investigated if its severity is HIGH or CRITICAL.

Building Blocks

These are a set of rules that look for possibly suspicious activity. By themselves they are very noisy, but used in conjunction with each other they can provide good signal. For example, if one hostname triggers 3+ unique building-block rules, it is worth investigating.
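As an added illustration of the building-block idea (example code written for this README, not one of the repository's rules), the following rule folds several noisy process-launch indicators into one detection and only fires when a single host trips at least three distinct ones within an hour. The indicator patterns, the `PROCESS_LAUNCH` event type, and the `principal.hostname` / `target.process.command_line` field paths are assumptions that may need tuning to your UDM mapping, as the intro notes; the `author` value is a placeholder.

```yaral
rule building_blocks_multiple_hits_per_host {

  meta:
    author = "example"  // placeholder
    description = "Fires when one host trips 3 or more distinct noisy building-block indicators within an hour"
    severity = "MEDIUM"
    status = "Experimental"

  events:
    // Each indicator on its own is noisy; the detection is the overlap on one host.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""
    $e.principal.hostname = $host

    // Assumed building-block indicators (not the repository's rules); (?i) makes them case-insensitive.
    (
      re.regex($e.target.process.command_line, `(?i)certutil.*urlcache`) or
      re.regex($e.target.process.command_line, `(?i)bitsadmin.*transfer`) or
      re.regex($e.target.process.command_line, `(?i)mshta.*http`) or
      re.regex($e.target.process.command_line, `(?i)powershell.*-enc`) or
      re.regex($e.target.process.command_line, `(?i)rundll32.*javascript:`)
    )

  match:
    $host over 1h

  outcome:
    // Each block contributes at most 1 no matter how many times it fired,
    // so the sum is the number of distinct blocks seen on the host in the window.
    $distinct_blocks =
      max(if(re.regex($e.target.process.command_line, `(?i)certutil.*urlcache`), 1, 0)) +
      max(if(re.regex($e.target.process.command_line, `(?i)bitsadmin.*transfer`), 1, 0)) +
      max(if(re.regex($e.target.process.command_line, `(?i)mshta.*http`), 1, 0)) +
      max(if(re.regex($e.target.process.command_line, `(?i)powershell.*-enc`), 1, 0)) +
      max(if(re.regex($e.target.process.command_line, `(?i)rundll32.*javascript:`), 1, 0))
    // Context for the analyst: what actually ran, and how much of it.
    $command_lines = array_distinct($e.target.process.command_line)
    $event_count = count($e.metadata.id)

  condition:
    $e and $distinct_blocks >= 3
}
```

Keeping each indicator as a separate `max(if(...))` term is what turns "lots of hits" into "distinct blocks": a host that runs `certutil` twenty times still scores 1 for that block, so the threshold is driven by breadth of technique rather than volume.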

Checker

Rules that look for specific IOCs (emails, IPs, hashes, etc.).

Example Rules

Yara-L provides features that let users create multi-event rules, as well as the newer outcome section. The following rules are a bit more complex and are good examples to study when learning:

Entity Data

One of the most powerful features of Chronicle is the enrichment in entity data. With it we can look at data points like first seen/last seen, prevalence, enriched data, and other intel sources ingested into the platform. The following rules utilize these features:

Much of this entity data can be added to existing rules to raise the level of suspicion. For example, if you have a rule looking for connections out to suspicious TLDs, you can overlay prevalence and first-seen time to determine how rare the domain is in your environment.
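As an added example of that overlay (example code written for this README, not one of the repository's rules), the following rule joins outbound HTTP requests to suspicious-looking TLDs with the derived-context prevalence entity for the same domain, so it only fires when the domain is also rare in the environment, and it reports prevalence and first-seen time in the outcome section. It is also a multi-event rule in the Yara-L sense, since it binds two variables (`$e` and `$prevalence`) over the same placeholder. The TLD list, the `NETWORK_HTTP` event type and the prevalence graph field paths follow the pattern of Chronicle's published prevalence examples but are assumptions to check against your UDM fields; the `author` value is a placeholder.

```yaral
rule suspicious_tld_with_low_prevalence {

  meta:
    author = "example"  // placeholder
    description = "HTTP request to a rarely seen domain on a suspicious TLD, using prevalence entity data"
    severity = "MEDIUM"
    status = "Experimental"

  events:
    // The original, noisy signal: an HTTP request to a domain on an assumed list of suspicious TLDs.
    $e.metadata.event_type = "NETWORK_HTTP"
    $e.principal.hostname != ""
    $e.target.hostname = $domain
    re.regex($e.target.hostname, `(?i)\.(xyz|top|zip|click|cam)$`)

    // The overlay: the derived-context prevalence entity for the same domain.
    $prevalence.graph.metadata.entity_type = "DOMAIN_NAME"
    $prevalence.graph.metadata.source_type = "DERIVED_CONTEXT"
    $prevalence.graph.entity.hostname = $domain
    // Rare in this environment: at most 3 assets per day have touched it over a 10-day window.
    $prevalence.graph.entity.domain.prevalence.day_count = 10
    $prevalence.graph.entity.domain.prevalence.rolling_max <= 3

  match:
    $domain over 1h

  outcome:
    // Surface the entity data the analyst would otherwise have to look up by hand.
    $rolling_max = max($prevalence.graph.entity.domain.prevalence.rolling_max)
    $first_seen_epoch = max($prevalence.graph.entity.domain.first_seen_time.seconds)
    $last_seen_epoch = max($prevalence.graph.entity.domain.last_seen_time.seconds)
    $hosts = array_distinct($e.principal.hostname)
    $host_count = count_distinct($e.principal.hostname)

  condition:
    $e and $prevalence
}
```

Without the `$prevalence` join this is just a TLD-match rule that fires on every marketing site on `.xyz`; the prevalence constraint is what drops it to domains that few assets in your environment have ever contacted, and `$first_seen_epoch` lets the analyst see at a glance whether the domain is also new.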

About

Collection of detection rules written in YARA-L.
