Yara-L language is rich, powerful, built for security... but the downside, is that the learning curve can be quite high, espiecialy for people coming from more "simple" languages like SPL (by the way, SecOps now includes a SPL/KQL/Sigma to Yara-l rule translator in the Labs)
So I've spent some time to reorganize my notes and beautify them in order for all to benefit from a Yara-L one page cheat sheet:
It's intended to people doing investigations, creating dashboards, or writing rules, mainly with already a basic knowledge of Yara-L.
Of course, it's not exhaustive. For example, the following topics are not covered:
- Boolean (it's quite obvious no ?)
- Metrics from the UEBA module
- Some sections like Meta and Options
- Variables type
…
And keep in mind that SecOps, and the Yara-L language are rapidly evolving: requests in SQL are now available in SecOps (in private preview at time of writing)
Feel free to comment, suggest improvements… for this cheat sheet.
Download link is: https://github.com/Matchistador/Yara-L/blob/main/YARA-L%20cheat%20sheet.pdf