Hi there! Thanks for using Wazuh!
In our blog, we have a detailed explanation of how to integrate Yara with Wazuh. Here is the link:
Although this post explains how to do it for Linux agents, at the end of the day it is the same process. Let me explain this a bit more. In order to integrate Wazuh with Yara, we leverage the Active Response capability. This capability allows the user to run a script when a specific alert, alert level, or rule group has been triggered. Having said that, you can call the Yara binary from the script.
So, translating the example in the blog post to Windows, you should create a yara.bat script (instead of the yara.sh script used in the blog post) that calls the Yara binaries (already installed on the Windows machine), and place the script in the path c:\Program Files (x86)\ossec-agent\active-response\bin.
I hope this is useful for you! Please let me know if you have more questions!
Thanks!