Yara Rules for SIEM Detections in Wazuh


Grayden Odum

Aug 26, 2023, 9:42:09 PM
to Wazuh | Mailing List
I am hoping to use Yara rules for detections in the SIEM. I understand there is documentation for deploying Yara rules to endpoints.

However, I am hoping to have the ability to use Yara rules in Wazuh the same way the XML rules are used.

Is this possible? And if so, how can this be deployed/enabled on the Wazuh Manager?

Thanks in advance.

Olusegun Adenrele Oyebo

Aug 27, 2023, 9:41:26 AM
to Wazuh | Mailing List

Hello Grayden,

Thank you for using Wazuh.

At the moment, Wazuh's primary focus is on endpoint security; hence, it's not directly designed to integrate Yara rules on the Wazuh server the same way you would integrate them on an endpoint. At the same time, this is actually a good use case we can look into internally, and when we have an update on how this can be achieved, you will be duly informed on our various channels. For now, I'll leave you with some links below on integrations with Yara:

I hope this was able to provide clarity. Do not hesitate to get back to us in case you have any other query.

Best Regards.
