[MDE] Add the important feature, Yara rules if possible

Hi,

Refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside pdf). (2nd link)
All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for the incident responders to detect.

The method of adding and detecting Yara rules has been in practice across companies for many years.
Would you mind advising on any reason why the important feature, Yara rules, is not being added?
It would be good if you included the important feature, Yara rules.
If not, would you mind advising on converting from Yara rules to MDE query for querying via advanced threat hunting? Thanks, much appreciated. :)

https://www.csa.gov.sg/singcert/Advisories/ad-2021-007

This link is the Yara rule.
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/yara-rule-support/m-p/2276820
1 Reply

Hi @tay76,

We're considering Yara support in the future. We have an extensive Advanced hunting toolkit, which is discussed here: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-overview?view=o365-worldwide.

Please let me know if this helps answer your question.
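The conversion the question asks about, shown as an added illustration that is not from this thread or from Microsoft: a YARA rule's content strings have no counterpart in advanced hunting (which sees events and hashes, not file bytes), but SHA256 values in a rule's `meta` block can be turned into a KQL lookup over `DeviceFileEvents`. The rule text, the hash values and the helper names below are constructed for this example.

```python
import re

# Constructed sample rule in the style of the signature-base file linked in the
# thread. The hash values are placeholders, not real indicators.
SAMPLE_RULE = r'''
rule Example_Beacon_Loader {
    meta:
        description = "constructed example rule"
        hash1 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
        hash2 = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
    strings:
        $s1 = "%s as %s\\%s: %d" ascii
        $s2 = { 4D 5A 90 00 }
    condition:
        uint16(0) == 0x5a4d and all of them
}
'''

# A rule body ends at a closing brace at line start, so hex-string braces are skipped.
RULE_RE = re.compile(r'rule\s+(\w+)\s*(?::[^{]*)?\{(.*?)\n\}', re.S)
HASH_RE = re.compile(r'^\s*hash\d*\s*=\s*"([0-9A-Fa-f]{64})"', re.M)
STRING_RE = re.compile(r'^\s*\$\w+\s*=', re.M)

def parse_rules(text):
    """Return [(rule_name, [sha256, ...], content_string_count)] per rule."""
    out = []
    for name, body in RULE_RE.findall(text):
        hashes = [h.lower() for h in HASH_RE.findall(body)]
        out.append((name, hashes, len(STRING_RE.findall(body))))
    return out

def to_kql(text, lookback="30d"):
    """Emit one advanced-hunting query matching files whose SHA256 appears in
    any rule's meta hashes; None when the rules carry no hashes to hunt on."""
    rules = parse_rules(text)
    hashes = sorted({h for _, hs, _ in rules for h in hs})
    if not hashes:
        return None
    untranslated = sum(n for _, _, n in rules)  # strings need file bytes, which AH lacks
    lines = [
        "// Generated from YARA meta hashes of: " + ", ".join(r[0] for r in rules),
        f"// {untranslated} content string(s) NOT translated: advanced hunting has no file bytes.",
        "let YaraHashes = dynamic([" + ", ".join(f'"{h}"' for h in hashes) + "]);",
        "DeviceFileEvents",
        f"| where Timestamp > ago({lookback})",
        "| where SHA256 in (YaraHashes)",
        "| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName",
    ]
    return "\n".join(lines)
```

The generated query covers only files already observed by the sensor; a rule whose detection logic lives entirely in its strings and condition still has no advanced-hunting equivalent.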