Cannot get results back from online rules (based on this https://community.sophos.com/intercept-x-endpoint/b/blog/posts/yara-scanning-rules-with-sophos-xdr ), so I tried the simplest osquery I could think of:
SELECT * FROM yara WHERE path = 'c:\windows\system32\drivers\etc\hosts' and sigrule = 'rule test { condition: true }'
This works correctly and gets results,
but as soon as I add strings in, I get nothing back:
SELECT * FROM yara WHERE path = 'c:\windows\system32\drivers\etc\hosts' and sigrule = 'rule test { strings: $a = {6a} condition: true }'
I see the same issue when using curl to get the rule.
Anyone have this working?
Thanks
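Added example, not part of the original post: a dependency-free pre-check for inline sigrules before they go into an osquery statement. YARA refuses to compile a rule that declares a string in its strings: section but never references it in the condition, and osquery's yara table then simply returns no rows, so flagging that case up front saves a blind debugging loop. The function name and the sample rules are constructed for this example; the two rules are the ones quoted in the post.

```python
import re

# Constructed samples: the two inline sigrules from the post above.
RULE_NO_STRINGS = "rule test { condition: true }"
RULE_UNUSED_STRING = "rule test { strings: $a = {6a} condition: true }"


def unreferenced_strings(rule_text):
    """Return identifiers declared in the strings: section that the
    condition never references. YARA rejects such rules at compile time,
    so a non-empty result means the rule will produce no osquery rows."""
    m = re.search(r"strings:(.*?)condition:(.*)", rule_text, re.S)
    if not m:
        return []  # no strings section, so nothing can be unreferenced
    strings_part, condition_part = m.group(1), m.group(2)
    # identifiers declared as $name = "text" / {hex} / /regex/
    declared = re.findall(r"\$(\w*)\s*=", strings_part)
    # 'them' (as in 'any of them') references every declared string
    if re.search(r"\bthem\b", condition_part):
        return []
    # $name, #name (count), @name (offset), !name (length), and $prefix* wildcards
    refs = set(re.findall(r"[$#@!](\w*\*?)", condition_part))
    unused = []
    for name in declared:
        if name in refs:
            continue
        if any(r.endswith("*") and name.startswith(r[:-1]) for r in refs):
            continue  # covered by a wildcard such as $a*
        unused.append("$" + name)
    return unused


if __name__ == "__main__":
    for rule in (RULE_NO_STRINGS, RULE_UNUSED_STRING):
        problems = unreferenced_strings(rule)
        status = "ok" if not problems else "unreferenced: " + ", ".join(problems)
        print(f"{rule!r}: {status}")
```

The check is a lightweight lint, not a full YARA parser; when yara-python is available, compiling the rule with it is the authoritative test.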