cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Is there a way to use or convert YARA rule to Sentinel KQL query for detections

deepak198486
Copper Contributor

‎Apr 04 2023 01:22 AM

‎Apr 04 2023 01:22 AM

Is there a way to use or convert YARA rule to Sentinel KQL query for detections

I have noticed that most malware detections are released in YARA language and Sentinel does not have baked in support for YARA rule.

Keen to understand how others are dealing with this situation.

Labels:
4,690 Views
1 Like
2 Replies
Reply
2 Replies
SunderSingh

‎Apr 18 2024 04:50 AM

‎Apr 18 2024 04:50 AM

Re: Is there a way to use or convert YARA rule to Sentinel KQL query for detections

Did you find a way to do this yet?
0 Likes
Reply
Clive_Watson

‎Apr 19 2024 06:06 AM

‎Apr 19 2024 06:06 AM

Re: Is there a way to use or convert YARA rule to Sentinel KQL query for detections

@SunderSingh 

If you have access to Microsoft Copilot for Security you can prompt to get a conversion (other AI may also work)

The basic  prompt I've used (and you can probably refine this):

create kql from this YARA rule < then paste in the YARA rule >


Note: The KQL isnt always perfect and may need to be checked and tweaked.

I've tried examples from: https://github.com/Yara-Rules/rules 


0 Likes
Reply