Run YARA Rules task

Procedure

1. In the Trend Vision One console, go to XDR Threat Investigation → Forensics.
2. Click the name of the workspace that contains the endpoints from which you want to collect evidence.

   Note This task automatically adds all collected evidence to the workspace.

3. Execute your YARA rules.
   1. Click Run YARA Rules.
   2. Specify a task name.
   3. Specify the target to be scanned.

      Important If you do not specify any process name, all processes are scanned. Scanning all processes may take several minutes to complete.

   4. Upload your YARA rules to the Forensics app.
   • Upload a text file that contains your YARA rules.
   • Paste your YARA rules to the text area.
   1. (Optional) Validate your YARA rules by clicking Validate Rules.
   2. (Optional) Specify a Description for the response or event.
   3. Click Create.
      Trend Vision One creates the task and displays the current task status in Response Management.
4. Monitor the task status.
   1. Open Response Management.
   2. (Optional) Locate the task using the Search field or by selecting Run YARA Rules from the Action drop-down menu.
   3. View the task status.
      • In progress (): Trend Vision One sent the command and is waiting for a response.
      • Queued (): The managing server queued the command because the agent was offline.
      • Successful (): The command was successfully executed.
      • Unsuccessful (): An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.