Yara Rules and Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Yara Rules and Cortex XDR

L3 Networker

I have seen alerts screenshot on internet where an alert triggered after matching a Yara rules.

 

https://attackevals.mitre-engenuity.org/enterprise/participants/paloaltonetworks?adversary=carbanak-...

KanwarSingh01_1-1648928772751.png

(Fourth Screenshot)

 

Does Cortex XDR uses Yara Rules? I mean the screenshot answers it but how? Do we need to upgrade on a specific version of XDR agent? Can we build our own custom yara rules?

 

https://www.paloaltonetworks.com/cortex/cortex-xdr

KanwarSingh01_0-1648928403368.png

 

Would love to understand how it works.

Kind Regards
KS
1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @KanwarSingh01 Cortex XDR uses several protection modules both on the agent as well as on the tenant-side, including integrations with Wildfire as well as other integrations (e.g. VirusTotal) that you may have added to your tenant. They range from behavioral techniques (BTPs/BIOCs), ML models, malware and exploit protection modules, YARA signatures, sandboxes, local analysis etc. These protection modules are both pre-execution and post-execution in nature, as well as both detective/preventative in nature.
Customers are not able to tune YARA rules in XDR as that is entirely evolving in the backend and is managed by dedicated Threat Hunters, malware researchers and exploit researchers. 
Lastly, your tenant modules are seamlessly upgraded to respond to evolving threats and attacks as observed by the relevant domain experts. On the agent side, please ensure that the CU's are rolled out ASAP while being inline with your organizational security policies. The agents themselves should also be regularly updated to address the vulnerabilities/capability improvements that are packaged with each new minor/maintenance release.

 

Please go through this article that talks about XDR's capabilities with recent malware in-the-wild that touches upon the various levels of protection within XDR.

View solution in original post

5 REPLIES 5

L5 Sessionator

Hi @KanwarSingh01 Cortex XDR uses several protection modules both on the agent as well as on the tenant-side, including integrations with Wildfire as well as other integrations (e.g. VirusTotal) that you may have added to your tenant. They range from behavioral techniques (BTPs/BIOCs), ML models, malware and exploit protection modules, YARA signatures, sandboxes, local analysis etc. These protection modules are both pre-execution and post-execution in nature, as well as both detective/preventative in nature.
Customers are not able to tune YARA rules in XDR as that is entirely evolving in the backend and is managed by dedicated Threat Hunters, malware researchers and exploit researchers. 
Lastly, your tenant modules are seamlessly upgraded to respond to evolving threats and attacks as observed by the relevant domain experts. On the agent side, please ensure that the CU's are rolled out ASAP while being inline with your organizational security policies. The agents themselves should also be regularly updated to address the vulnerabilities/capability improvements that are packaged with each new minor/maintenance release.

 

Please go through this article that talks about XDR's capabilities with recent malware in-the-wild that touches upon the various levels of protection within XDR.

Thanks @bbarmanroy  are there any plans of integrating Custom Yara Rules in the future?

Kind Regards
KS

L5 Sessionator

We are discussing this internally to see what can be done. On a tactical basis, if you're having any issues with any detections, please raise a support ticket.

Not having issues just questions.

Thank you.

Kind Regards
KS

We have a need for custome Yara rules as well.

Other vendors like Trend Micro do have this already implemented. 

Any news from internal discussions @bbarmanroy?

  • 1 accepted solution
  • 8683 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!