Import YARA Rules

This section has instructions for importing YARA rules from GitHub into Cloud SIEM.

YARA rules are an open source framework for identifying malware. Cloud SIEM runs YARA rules against files uploaded by the network sensor. When a file matches a YARA rule, Cloud SIEM creates a special record which results in a “file analysis” signal being created. Once you’ve imported rules, Cloud SIEM will sync with the repository no less than every hour.

To import YARA rules:

  1. Classic UI. In the top menu select Content > File Analysis.
    New UI. In the main Sumo Logic menu, select Cloud SIEM > File Analysis. You can also click the Go To... menu at the top of the screen and select File Analysis.
  2. Click Add Source.
  3. On the Add New Source popup, click Create in the GitHub tile.
  4. The Add New Source popup updates.
  5. Name. Enter a display name for the rule set to be imported.
  6. Description. Describe the rule set.
  7. Enabled. If you want Cloud SIEM to apply the rules upon import, leave the toggle set to Enabled. Otherwise, change it to Disabled.
  8. URL. Enter the URL of the GitHub repository that contains the rules.
  9. GitHub Machine Username. Enter a username if the repository is private.
  10. GitHub Machine Token. Enter a token if the repository is private.
  11. YARA file Regex. The regex in this field is matched against the names of the rule files in the repository. The default regex will match rule files whose file extension is .yar, .yara, or .rule.
  12. Default Severity. Enter the severity to be assigned when the signal is created.
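Before pointing Cloud SIEM at a repository, it is useful to know which files the YARA file Regex will actually select, and whether each of them declares at least one rule. The script below is an added example, not code from Sumo Logic or the Cloud SIEM product: it walks a local checkout, applies a file-name regex, and reports the rule names found in every selected file. The page does not show the product's actual default pattern, so `DEFAULT_FILE_REGEX` is an assumed stand-in that matches the same extensions the page names (.yar, .yara, .rule); the sample repository it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Assumed stand-in for the "YARA file Regex" field. Cloud SIEM's real default
# pattern is not shown on the page; this one selects the extensions the page
# names (.yar, .yara, .rule), matched against the path relative to the repo root.
DEFAULT_FILE_REGEX = r".*\.(yar|yara|rule)$"

# Loose match for a YARA rule header: optional modifiers, the keyword "rule",
# then the rule name. Good enough for an inventory, not a full YARA parser.
RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M
)


def select_rule_files(repo_root, file_regex=DEFAULT_FILE_REGEX):
    """Return the repo-relative paths (POSIX style, sorted) that the regex selects."""
    pattern = re.compile(file_regex)
    selected = []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git metadata
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), repo_root)
            rel = rel.replace(os.sep, "/")
            if pattern.match(rel):
                selected.append(rel)
    return sorted(selected)


def audit_rule_files(repo_root, file_regex=DEFAULT_FILE_REGEX):
    """Map each selected file to the rule names it declares.

    An empty list flags a file the regex would import even though it contains
    no rule, which is worth fixing before the import rather than after.
    """
    report = {}
    for rel in select_rule_files(repo_root, file_regex):
        path = os.path.join(repo_root, rel)
        with open(path, encoding="utf-8", errors="replace") as fh:
            report[rel] = RULE_HEADER.findall(fh.read())
    return report


def build_sample_repo():
    """Create a constructed sample repository layout (not a real rule set)."""
    root = tempfile.mkdtemp(prefix="yara_repo_")
    files = {
        "malware/dropper.yar": (
            'rule Example_Dropper {\n  strings:\n    $a = "sample"\n'
            "  condition:\n    $a\n}\n"
        ),
        "malware/packers.yara": (
            "private rule Pk_A { condition: true }\n"
            "global rule Pk_B { condition: true }\n"
        ),
        "legacy/old.rule": "// placeholder file with no rule body yet\n",
        "README.md": "# rules\n",
        "tools/build.py": "print('not a rule')\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for rel, names in audit_rule_files(repo).items():
        status = ", ".join(names) if names else "NO RULES FOUND"
        print(f"{rel}: {status}")
```

Run it against a clone of the repository you intend to import (replace `build_sample_repo()` with the checkout path) and pass the exact regex you plan to enter in the YARA file Regex field; any file listed with "NO RULES FOUND" will be pulled in by the import without contributing a rule, and any rule file missing from the list will be silently ignored.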

Copyright © 2024 by Sumo Logic, Inc.