Hey everyone, I've been writing Yara-L rules for a while now and I wanted
to share some of mine here for people to use. I also added in some
useful links that I use when writing rules and a bit of context about
some of the features. If anyone is inter...
Does anyone have any advice on how you could create a dashboard to see
the average amount of time between the initial log time and a detection
firing based off of that log? If possible I would like to see the
distributions of time based on log source...
In the documentation it seems that the arrays.contains function can be
used like the following: arrays.contains($asset_id_list, "id_1234"). Is it
possible to use the function with two variables so I can compare the
list with a value in a UDM field? The ...
Hi Melania, I think you are correct in that you cannot use the confidence
score within the Yara-L rules unfortunately, as it is not stored in the
graph. From what I can see the fields you have to work off of
are: metadata.vendor_name = "ET_PRO_IOC" metad...
Here's a list of rules I've written up in Yara-L along with some more
complex examples: https://github.com/amalone341/YARA-L-Work . For
learning how to write rules I can't recommend the new to Chronicle series
enough. I'd start at the first post and rea...
The rule above is mainly an example in my case to try and show the
functionality of looking for a UDM event inside of an array in the
outcomes section. With how the rule is currently it requires a success
and fail on each host. I'm wondering if it is...