File name and type in TagCheck rules

[kam193]

I use TagCheck service to mark some indicators - and this is a great feature! However, I could potentially lower the number of false positives if I could filter out given file names and types (in my use case, the file name often matters more than type).

And here comes my question: is it already supported by TagCheck? I'm not sure if I don't miss something: generally, TagCheck seems to get only data from Tagging ODM models (tagcheck/tagcheck.py#L9), which, I think, do not usually contain those data. I see however mentioning e.g. file_type in the default YARA_EXTERNALS (yara_/helper.py#L13), but it looks to be used only in the default Yara service (yara_/yara_.py#L57 - and BTW, won't they get the al_al_ prefix in the yara_/yara_.py#L64?).

So, I'm unsure if I didn't miss anything. Is the case of matching name and/or type of the submitted file already supported?

[cccs-rs]

After taking a look at the service, it does seem that YARA_EXTERNALS is being used in a weird way that's not clear (if not erroneous). That is something we can definitely fix.

As to your main question about whether or not the filename or AL-identified file type can be used in a YARA rule definition as an external, I would say the answer is yes because the service is aware of these properties per the TaskMessage model.