AI-powered YARA rule forge for threat detection engineering. Generate, validate, and deploy YARA rules across Elastic, Splunk, and standalone YARA environments from a single CLI.
Writing YARA rules is slow, inconsistent, and requires deep expertise. Threat intel analysts spend hours hand-crafting rules that may still miss variants. And deploying the same rule across Elastic SIEM, Splunk, and standalone YARA means maintaining three different formats.
YaraForge uses AI to generate syntactically correct, semantically meaningful YARA rules from natural language threat descriptions. It then validates them against a clean corpus, tests for false positives, and deploys to your SIEM of choice.
Pipeline:

```
Threat Intel Text -> AI Rule Generation -> Validation ->
False-Positive Testing -> SIEM Deployment

Targets: Elastic | Splunk | Standalone YARA
```
- AI Rule Synthesis - Generate YARA rules from threat intelligence text, malware reports, or plain English descriptions
- Multi-target Deployment - Deploy to Elastic Security, Splunk, or standalone YARA from a single command
- Pre-built Rule Bundles - Ships with curated rules for ransomware, webshells, and generic malware
- Automated Validation - Syntax checking and false-positive rate testing before deployment
- Structured Rule Repository - Organized by threat category
Install from source:

```bash
git clone https://github.com/rawqubit/yaraforge.git
cd yaraforge
pip install -e .
```

Generate a rule from a threat description:

```bash
yaraforge generate --description "Detect Cobalt Strike beacon using malleable C2 indicators"
```

Validate your rule repository:

```bash
yaraforge validate --rules rules/
```

Deploy to Elastic Security:

```bash
yaraforge deploy --target elastic --rules rules/malware/
```

Run the full forge pipeline:

```bash
yaraforge forge --input threat_report.txt --deploy elastic
```

Repository layout:

```
yaraforge/
|-- engine/    # YARA rule loading, parsing, scanning
|-- cli/       # CLI entrypoints
|-- deploy/    # Deployment adapters (Elastic, Splunk, YARA)
|-- report/    # Output and reporting
`-- rules/
    |-- malware/
    |-- ransomware/
    `-- webshells/
```
See ARCHITECTURE.md for the full system design.
- Python 3.10+
- OpenAI API key (`OPENAI_API_KEY`)
- yara-python for local validation
- SOC teams generating detection rules from threat intel feeds
- Red teamers creating custom detection challenges
- Security engineers maintaining rule libraries across multiple SIEMs
- Automated rule generation in CI/CD pipelines
Example session:

```
$ yaraforge generate --description "Detect Cobalt Strike beacon using default sleep mask and malleable C2 profile patterns"

YaraForge v1.0.0 AI-Powered YARA Rule Forge

Generating YARA rule...

rule CobaltStrike_Beacon_SleepMask_MalleableC2
{
    meta:
        description = "Detects Cobalt Strike beacon with default sleep mask and malleable C2 indicators"
        author = "YaraForge / rawqubit"
        date = "2025-03-10"
        reference = "https://github.com/rawqubit/yaraforge"
        severity = "HIGH"
    strings:
        $sleep_mask_1 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 }
        $malleable_c2 = "Content-Type: application/octet-stream" ascii
        $beacon_str = /MZRE[A-Za-z0-9+\/]{200,}/ ascii
    condition:
        uint16(0) == 0x5A4D and
        any of ($sleep_mask_*) and
        ($malleable_c2 or $beacon_str)
}

Validating rule...
Syntax check: PASSED
False-positive test (10k clean files): 0 FP (0.00%)
Rule saved to: rules/malware/cobalt_strike_beacon_sleepmask.yar

Deploying to Elastic Security...
Rule created: "CobaltStrike_Beacon_SleepMask_MalleableC2" (ID: rule-4821)
```
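The validation step in the session above (a syntax check, then a false-positive pass over a clean corpus) can be prototyped without the CLI. What follows is an added example, not code from the YaraForge project: a standard-library Python script that parses a single rule, runs the static checks a rule must pass before yara-python will compile it (strings referenced in the condition but never defined, strings defined but never referenced, malformed hex tokens, regex literals that do not compile; as in YARA's lexer, a regex literal ends at the first unescaped `/`, which is why the slash inside the character class of `$beacon_str` has to be escaped), and then screens a small corpus at the string level to show which atoms fire on clean data. The embedded rule is the one from the session with its meta section dropped; the three "clean" files are constructed inline and are not real samples, and the function names are this example's own.

```python
# Added example, not YaraForge's own code: the static pre-checks a YARA rule has to pass
# before it compiles, plus a string-level false-positive screen over a clean corpus.
# Standard library only; yara-python remains the authority for real compilation and matching.
import re
from dataclasses import dataclass

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f?]{2}$")        # one byte, ? = nibble wildcard
JUMP_TOKEN = re.compile(r"^\[(\d*)(?:-(\d*))?\]$")    # [n], [n-m], [n-], [-]
STRING_DEF = re.compile(r'\s*(\$\w+)\s*=\s*(?:\{(?P<hex>[^}]*)\}|"(?P<txt>(?:[^"\\]|\\.)*)"'
                        r'|/(?P<rx>(?:[^/\\]|\\.)+)/)(?P<mods>.*)$')  # regex ends at first bare /

@dataclass
class Rule:
    name: str
    strings: dict          # "$id" -> (kind, value, modifiers), kind is hex, txt or rx
    condition: str = ""

def parse_rule(text: str) -> Rule:
    """Parse a single-rule YARA source; each section keyword must sit on its own line."""
    header = re.search(r"\brule\s+(\w+)[^{]*\{", text)
    if not header:
        raise ValueError("no rule header found")
    rule = Rule(header.group(1), {})
    parts = re.split(r"^\s*(meta|strings|condition)\s*:\s*$",
                     text[header.end():text.rfind("}")], flags=re.M)
    for key, content in zip(parts[1::2], parts[2::2]):
        if key == "strings":
            for ln in filter(str.strip, content.splitlines()):
                m = STRING_DEF.match(ln)
                if not m:
                    raise ValueError(f"cannot parse string definition: {ln.strip()}")
                kind = next(k for k in ("hex", "txt", "rx") if m.group(k) is not None)
                rule.strings[m.group(1)] = (kind, m.group(kind).strip(), m.group("mods").split())
        elif key == "condition":          # meta is not needed for these checks
            rule.condition = " ".join(content.split())
    return rule

def check_rule(rule: Rule) -> list:
    """Problems YARA would reject the rule for; an empty list means the checks pass."""
    problems = []
    refs = re.findall(r"\$\w*\*?", rule.condition)
    uses_them = re.search(r"\bthem\b", rule.condition) is not None
    for ref in refs:
        prefix_hit = ref.endswith("*") and any(s.startswith(ref[:-1]) for s in rule.strings)
        if not (prefix_hit or ref == "$" or ref in rule.strings):  # bare $ = loop variable
            problems.append(f"condition references undefined string {ref}")
    for sid, (kind, value, _mods) in rule.strings.items():
        if not (uses_them or sid in refs
                or any(r.endswith("*") and sid.startswith(r[:-1]) for r in refs)):
            problems.append(f"string {sid} is defined but never referenced")
        if kind == "hex":
            problems += [f"string {sid}: bad hex token {t!r}" for t in value.split()
                         if not (HEX_TOKEN.match(t) or JUMP_TOKEN.match(t))]
        elif kind == "rx":
            try:
                re.compile(value)
            except re.error as exc:
                problems.append(f"string {sid}: regex does not compile ({exc})")
    return problems

def _hex_to_regex(value: str) -> bytes:  # nibble wildcards are widened to a whole byte
    out = []
    for tok in value.split():
        if jump := JUMP_TOKEN.match(tok):
            lo, hi = jump.group(1) or "0", jump.group(1) if jump.group(2) is None else jump.group(2)
            out.append(f".{{{lo},{hi}}}".encode())
        elif "?" in tok:
            out.append(b".")
        else:
            out.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(out)

def string_hits(rule: Rule, data: bytes) -> set:  # ascii search only; 'wide' is ignored
    hits = set()
    for sid, (kind, value, _mods) in rule.strings.items():
        pat = {"hex": _hex_to_regex, "txt": lambda v: re.escape(v.encode()),
               "rx": str.encode}[kind](value)
        if re.search(pat, data, re.DOTALL):
            hits.add(sid)
    return hits

def screen_corpus(rule: Rule, corpus: dict) -> dict:
    """String-level FP screen over {filename: bytes}; no condition evaluation, so it over-approximates."""
    per_file = {name: sorted(string_hits(rule, data)) for name, data in corpus.items()}
    per_string = {sid: sum(sid in h for h in per_file.values()) for sid in rule.strings}
    noisy = sum(1 for h in per_file.values() if h)
    return {"per_file": per_file, "per_string": per_string,
            "fp_rate": noisy / len(corpus) if corpus else 0.0}

# The rule from the sample session above, meta section dropped.
RULE_TEXT = r'''rule CobaltStrike_Beacon_SleepMask_MalleableC2 {
    strings:
        $sleep_mask_1 = { 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 }
        $malleable_c2 = "Content-Type: application/octet-stream" ascii
        $beacon_str = /MZRE[A-Za-z0-9+\/]{200,}/ ascii
    condition:
        uint16(0) == 0x5A4D and any of ($sleep_mask_*) and ($malleable_c2 or $beacon_str)
}'''
# Constructed "clean" files, not real samples: a stub PE, an ordinary HTTP download response, a note.
CLEAN_CORPUS = {
    "stub.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256,
    "download.http": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nhello",
    "notes.txt": b"quarterly detection engineering review\n",
}
```

Calling `screen_corpus(parse_rule(RULE_TEXT), CLEAN_CORPUS)` reports `$malleable_c2` firing in one of the three files: an ordinary HTTP download response carries that header, which is exactly the kind of weak atom the condition's `and` with the sleep-mask bytes is there to offset, and the string-level view exposes it before the rule ever reaches a SIEM. For the authoritative syntax check and condition evaluation, hand the same text to `yara.compile(source=...)` from yara-python.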
See CONTRIBUTING.md for guidelines.
Found a vulnerability? See SECURITY.md for responsible disclosure.
MIT (c) Srinikhil Chakilam