Creating rules

Create a rule or set of rules in a rule namespace. Rules are used to help detect malware.

About this task

For an example of how to create a rule, see the Tutorial Guide tab.

Creating rules for YARA rule manager

Procedure

  1. On the YARA Rule Manager tab, click Create Namespace.
  2. Enter a name and description for the namespace.
  3. Add one or more rules to the namespace.
    • Write one or more rules directly in the Edit YARA rules box.
    • Upload a .txt or .yar file that contains one or more rules.
      1. Click Upload.
      2. Select the .txt or .yar file with your rules.
      3. If the Overwrite Rules prompt appears, choose either to append the uploaded rules to the namespace or to overwrite all rules in the namespace.
    • Import a rule from GitHub by entering a link to a .yar file in the GitHub URL box.
      Tip: To import multiple rules from a GitHub repo, see Importing rules from GitHub.
  4. If prompted, map each include statement in the rules that you are creating or importing to the namespace that contains the included rule.

    If the included rule is already in the namespace that you are creating or importing into, or it is in a file that you are importing, select None (File included in this Namespace).

    Tip: You cannot select the same namespace for more than one include statement at a time. You also cannot select a namespace that itself contains an include statement mapped to another namespace that you already selected for mapping.
  5. Click Save.
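The include mapping in step 4 is easiest to see with a concrete rule set. The following is an added example and not part of the original documentation; the file names common_strings.yar and detect_sample.yar, and the rule contents, are constructed for illustration.

```yara
// File 1 (hypothetical name): common_strings.yar
// Shared rules that other rule files pull in with `include`.
rule Suspicious_PE_Header
{
    meta:
        description = "Constructed example: MZ header at offset 0"
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}

rule Known_Packer_Marker
{
    meta:
        description = "Constructed example: common packer section marker"
    strings:
        $upx = "UPX!" ascii
    condition:
        $upx
}

// File 2 (hypothetical name): detect_sample.yar
// This `include` is the statement the Rule Manager asks you to map in step 4:
// point it at the namespace that already holds common_strings.yar, or choose
// "None (File included in this Namespace)" when common_strings.yar is uploaded
// into the same namespace as this file.
include "common_strings.yar"

rule Packed_Suspicious_Binary
{
    meta:
        description = "Constructed example: PE file with packer marker and config"
    strings:
        $cfg = "config.dat" ascii nocase
    condition:
        // Rule references resolve only if the included file is mapped correctly.
        Suspicious_PE_Header and Known_Packer_Marker and $cfg
}
```

If the include is mapped to the wrong namespace, the references to Suspicious_PE_Header and Known_Packer_Marker in the condition cannot be resolved and the rule fails to compile, which is the error the mapping step exists to prevent.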

Creating rules or AQL searches for Sigma rule manager

Procedure

  1. On the SIGMA Rule Manager tab, click SIGMA Rule Translator.
  2. Add one or more rules to the translator.
    • Write one or more rules directly in the Edit SIGMA rules box.
    • Upload a file that contains one or more rules.
      1. Click Upload.
      2. Select the file with your rules.
  3. To convert the rules to a QRadar rule, click Convert to a QRadar Rule.
    1. The custom rule name and rule filters are filled in automatically.
    2. Click Save as Rule to save the rule.
    3. Click Edit to edit the rule.
  4. To convert the rules to an AQL search, click Convert to AQL Search.
    1. Click Run Scan to run the search.
    2. Click Edit to edit the search.