Hi!

I wrote a YARA-L rule for IOC matching where I need to check if the confidence level of the IOC is above 75.

I can see this field and its value in the UI when viewing entity details. I attach an example below; the field I need to check in the YARA-L rule is the "Confidence (Min: 20, Max: 127)" one.


Is there any way to access this value in the YARA-L rule? It is not present in the UDM entity.


Thank you in advance!

Hi Melania,

I think you are correct in that you cannot use the confidence score within the YARA-L rules, unfortunately, as it is not stored in the graph. From what I can see, the fields you have to work off of are:

metadata.vendor_name = "ET_PRO_IOC"

metadata.entity_type = "IP_ADDRESS"

metadata.threat.category = "SOFTWARE_MALICIOUS"

metadata.threat.category_details = "Observed serving executables"

metadata.threat.threat_name = "ET Intelligence Rep List"

metadata.source_type = "ENTITY_CONTEXT"

The metadata.threat.category_details does seem to carry over from the entity details view, so you may be able to use that for tuning until the score is available.

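As an added illustration, not written by either poster, here is a YARA-L 2.0 rule that joins network events against the entity graph using the fields listed in the reply, filtering on category_details in place of the unavailable confidence score. The event-side field choices, the `$e`/`$ioc` placeholder names and the `graph.entity.ip` join form are assumptions based on the public YARA-L entity-graph rule shape.

```yara-l
rule et_pro_ioc_ip_match_serving_executables {
  meta:
    author = "added example for this thread"
    description = "Match outbound connections against ET_PRO_IOC IP entities, tuned on category_details (assumed syntax)"
    severity = "MEDIUM"

  events:
    // Event side: a network connection whose destination IP we want to check.
    // The event_type and target.ip choices are assumptions for this example.
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.target.ip = $ip

    // Entity-graph side: the IOC record fields enumerated in the reply.
    $ioc.graph.metadata.entity_type = "IP_ADDRESS"
    $ioc.graph.metadata.source_type = "ENTITY_CONTEXT"
    $ioc.graph.metadata.vendor_name = "ET_PRO_IOC"
    $ioc.graph.metadata.threat.category = "SOFTWARE_MALICIOUS"
    // Tuning substitute for the confidence score, as suggested in the reply.
    $ioc.graph.metadata.threat.category_details = "Observed serving executables"
    // Join the IOC entity to the event on the IP value (assumed join form).
    $ioc.graph.entity.ip = $ip

  match:
    $ip over 1h

  outcome:
    // Surface the feed name so analysts can see which list produced the hit.
    $threat_name = array_distinct($ioc.graph.metadata.threat.threat_name)

  condition:
    $e and $ioc
}
```

Because the confidence score is not in the graph, the category_details string is the only per-IOC qualifier this rule can apply; widen or narrow it by editing that one line.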