yaa - yaml search for humans
yaa is a tool designed to search the content of open source projects that use YAML files as their primary file structure. It is primarily used for searching inside detection content projects but it can be used with any YAML-based project. SigmaHQ Project has approximately 2700 rules, and Splunk content library has approximately 1400 rules. Similarly, Nuclei templates and Sentinel detections, they contain a significant number of rules. Searching within the content of these files can be challenging, especially if you want a query language to extract specific search criteria. yaa provides a straightforward method by using a query language to search for specific content within the YAML files of these projects.
The power of yaa search comes from its query language, which depends on full-text search. Search can be as simple as writing a few keywords to search for any matches or to search inside a specific yaml property, or both.
- +keywords means the word must appear (AND operation)
- -keywords means the keyword must not appears in the search result (Not operation)
Search all rules that contain the keyword '7zip'.
Yaml property search with AND operator, searching for any rule that has the word 'powershell AND obfuscation' in the title property.
Search for WMI persistence related rules and exclude any rule having WMI in the falsepositive property.
Yaa can index nested properties and make them searchable by specifying the nested property name prefixed with a dot.
Files matching the search criteria can be exported to a differnet directory
yaa is built for searching inside detection rule projects such as SigmaHQ, however it can be used with any similar project. To index a yaml project, use the command index.
% git clone https://github.com/SigmaHQ/sigma.git
% ./yaa index sigma/rules/
% git clone https://github.com/alwashali/yaa.git
% go build yaa.go
% ./yaa
NAME:
Yaa - Yaml Searach for Humans
USAGE:
Yaa [global options] command [command options] [arguments...]
COMMANDS:
search, s
index, i Path to yaml folder
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--help, -h show help