Forum Discussion
deepak198486
Apr 04, 2023, Copper Contributor
Is there a way to use or convert YARA rule to Sentinel KQL query for detections
I have noticed that most malware detections are released in YARA language and Sentinel does not have baked in support for YARA rule.
Keen to understand how others are dealing with this situation.
- Saran_Sarah_Hansakul, Copper Contributor
Have you tried this query rule translation website: uncoder.io?
- SocInABox, Iron Contributor
related questions:
Do you guys know who keeps the best/current yara rules?
Which rules would you say have the most value? Identity? EDR?
I'd imagine it would be painful to use YARA against low-level logs like Windows events unless they're specific events like PowerShell.
- SSingh, Copper Contributor
Did you find a way to do this yet?
- Clive_Watson, Bronze Contributor
If you have access to Microsoft Copilot for Security you can prompt to get a conversion (other AI may also work)
The basic prompt I've used (and you can probably refine this):
create kql from this YARA rule < then paste in the YARA rule >
Note: The KQL isn't always perfect and may need to be checked and tweaked.
I've tried examples from: https://github.com/Yara-Rules/rules
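For readers who want to see what the translation actually involves (and what an AI or uncoder.io conversion has to get right), here is a small YARA-to-KQL translator as an added example. It is not code from this thread, from uncoder.io, or from Copilot for Security. It handles the subset of YARA that maps cleanly onto one string column of a Sentinel/Defender table: text strings with the nocase and fullword modifiers, regex strings, and the conditions "any of them", "all of them", "N of them", or a boolean combination of string identifiers. Hex strings are byte patterns with no sensible equivalent over a text column, so they are reported as skipped rather than silently dropped, and a condition that references one raises an error. The target table and column (DeviceProcessEvents / ProcessCommandLine) and the sample rule are assumptions chosen for the example; point it at whatever table and field your detection should run over.

```python
"""Minimal YARA -> KQL translator (added example, not from the forum thread,
uncoder.io or Copilot).  Only the text/regex string subset of YARA is handled;
hex strings are reported as skipped because a text column has no bytes to match."""
import re
from dataclasses import dataclass, field


@dataclass
class YaraRule:
    name: str
    strings: dict = field(default_factory=dict)   # "$id" -> (kind, value, modifiers)
    condition: str = ""
    skipped: list = field(default_factory=list)   # hex-string ids we refuse to translate


_TEXT = re.compile(r'^(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*(.*)$')
_REGEX = re.compile(r'^(\$\w*)\s*=\s*/((?:[^/\\]|\\.)*)/\s*(.*)$')
_HEX = re.compile(r'^(\$\w*)\s*=\s*\{.*\}\s*(.*)$')


def _unescape_yara(s):
    """Resolve YARA text-string escapes: \\\\ \\" \\n \\t \\xNN."""
    def sub(m):
        e = m.group(1)
        if e.startswith('x'):
            return chr(int(e[1:], 16))
        return {'n': '\n', 't': '\t', '"': '"', '\\': '\\'}.get(e, e)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', sub, s)


def _kql_literal(s):
    """Emit a normal (non-verbatim) KQL string literal; backslash and quote must be escaped."""
    body = s.replace('\\', '\\\\').replace('"', '\\"').replace('\n', '\\n').replace('\t', '\\t')
    return f'"{body}"'


def parse_rule(text):
    header = re.search(r'\brule\s+(\w+)', text)
    if not header:
        raise ValueError("no 'rule <name>' header found")
    rule = YaraRule(header.group(1))
    section, cond_lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('//'):
            continue
        if re.match(r'(?:private\s+|global\s+)*rule\b', line) or line in ('{', '}'):
            section = None
        elif line in ('meta:', 'strings:', 'condition:'):
            section = line[:-1]
        elif section == 'strings':
            if m := _TEXT.match(line):
                rule.strings[m.group(1)] = ('text', _unescape_yara(m.group(2)), set(m.group(3).split()))
            elif m := _REGEX.match(line):
                rule.strings[m.group(1)] = ('regex', m.group(2), set(m.group(3).split()))
            elif m := _HEX.match(line):
                rule.skipped.append(m.group(1))
            else:
                raise ValueError(f"cannot parse string definition: {line}")
        elif section == 'condition':
            cond_lines.append(line)
    rule.condition = ' '.join(cond_lines)
    return rule


def to_kql(rule, table='DeviceProcessEvents', column='ProcessCommandLine'):
    preds = {}
    for sid, (kind, value, mods) in rule.strings.items():
        nocase = 'nocase' in mods
        if kind == 'text':
            # YARA strings are case-sensitive unless 'nocase'; KQL contains/has are
            # case-INsensitive and the _cs forms are case-sensitive, so the default
            # must map to the _cs operator.  'fullword' is approximated by term match.
            op = 'has' if 'fullword' in mods else 'contains'
            preds[sid] = f'{column} {op if nocase else op + "_cs"} {_kql_literal(value)}'
        else:
            pattern = ('(?i)' if nocase else '') + value      # KQL regex is RE2 syntax
            preds[sid] = f'{column} matches regex @"{pattern.replace(chr(34), chr(34) * 2)}"'
    if not preds:
        raise ValueError("rule has no text or regex strings to translate")
    cond = ' '.join(rule.condition.split())
    n_of = re.fullmatch(r'(\d+) of them', cond)
    if cond == 'any of them':
        expr = ' or '.join(preds.values())
    elif cond == 'all of them':
        expr = ' and '.join(preds.values())
    elif n_of:   # count matches with iff(); toint(bool) is avoided on purpose
        expr = '(' + ' + '.join(f'iff({p}, 1, 0)' for p in preds.values()) + f') >= {n_of.group(1)}'
    elif re.search(r'[#@!]\w|\bof\b|\bat\b|\bin\b|u?int\d+|filesize|entrypoint', cond):
        raise ValueError(f"condition uses YARA features with no KQL equivalent: {cond}")
    else:   # boolean combination of $ids: substitute each id with its predicate
        def sub(m):
            if m.group(0) not in preds:
                raise ValueError(f"condition references untranslated string {m.group(0)}")
            return '(' + preds[m.group(0)] + ')'
        expr = re.sub(r'\$\w+', sub, cond)
    return f'{table}\n| where {expr}'


# Constructed sample rule for the example; not a real published detection.
SAMPLE_RULE = '''
rule Suspicious_PowerShell_Download
{
    meta:
        description = "constructed sample, not a real rule"
    strings:
        $a = "DownloadString" nocase
        $b = "-EncodedCommand" fullword
        $c = /Invoke-(WebRequest|Expression)/ nocase
        $h = { 4D 5A 90 00 }
    condition:
        ($a and $c) or $b
}
'''

if __name__ == '__main__':
    r = parse_rule(SAMPLE_RULE)
    print(to_kql(r))
    print('skipped (hex strings):', r.skipped)
```

The case-sensitivity mapping is the part most often wrong in generated conversions: a YARA string without nocase silently becomes a case-insensitive KQL contains, which widens the detection. The translator also refuses conditions built on offsets, counts, uint16(0) magic checks or filesize, because no log column carries that information; those rules need a different data source (for example, file-content scanning upstream) rather than a KQL rewrite.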