Run custom YARA rules on the specified endpoints to support threat investigation and incident response.

Important
This task is supported by the following services:
  • Trend Vision One
    • Windows agent
    • Linux agent
After creating a workspace and adding endpoints to it in the Forensics app, you can collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.

Procedure

  1. In the Trend Vision One console, go to XDR Threat Investigation > Forensics.
  2. Click the name of the workspace that has the endpoints you want to triage.
    Note
    This task automatically adds all collected evidence to the workspace.
  3. Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
  4. Click Run YARA Rules.
  5. Select the operating system of your endpoints.
  6. Configure the task.
    1. Specify a task name.
    2. Specify the target.
      Important
      If you do not specify any process name, Forensics scans all processes.
      Scanning all processes may take several minutes to complete.
    3. Upload your YARA rules to Forensics.
      • Upload a text file with your YARA rules.
      • Paste your YARA rules to the text area.
    4. Validate your YARA rules by clicking Validate Rules.
    5. Specify a Description for the response or event.
    6. Click Create.
  7. Monitor the task status.
    1. In the workspace that has the endpoints you are triaging, click View Query Results.
    2. Select YARA.
    3. Locate the task using the Task name menu.
    4. View the task status.
      • In progress: Trend Vision One sent the command and is waiting for a response.
      • Queued: The managing server queued the command because the agent was offline.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the agent was offline for more than 24 hours, or the command execution timed out.
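As an added example that is not part of the Trend Micro documentation, the following is a small rule set of the kind you would paste or upload in the "Upload your YARA rules" step and check with Validate Rules; the rule names, metadata values and strings are constructed placeholders, not real indicators, and the rules are written to be scanned against process memory, which is what Forensics targets when no process name is given.

```yara
/*
 Constructed example rule set for the "Upload your YARA rules" step.
 Rule names, metadata values and strings are illustrative placeholders,
 not real indicators; replace them with the rules from your own
 investigation before running the task against endpoints.
*/

rule Forensics_Example_Suspicious_Marker
{
    meta:
        description = "Matches a constructed marker string in process memory"
        author      = "incident response team (placeholder)"
        severity    = "medium"

    strings:
        // ASCII and UTF-16LE forms, case-insensitive, so the same rule
        // matches strings embedded in both Windows and Linux processes
        $marker_text = "EXAMPLE-IR-MARKER-2024" ascii wide nocase

        // Hex pattern with a wildcard byte (??) and a two-byte jump ([2]),
        // the syntax forms that Validate Rules must accept before Create
        $marker_hex  = { 4D 5A ?? 00 [2] 50 45 00 00 }

    condition:
        // Match on the text marker, or on the hex pattern seen at least twice
        $marker_text or #marker_hex >= 2
}

rule Forensics_Example_Combined
{
    meta:
        description = "Chains the rule above with a second constructed string"
        severity    = "high"

    strings:
        $config_key = "placeholder_config_key=" ascii

    condition:
        // A rule may reference an earlier rule by name; both must match here
        Forensics_Example_Suspicious_Marker and $config_key
}
```

Because Forensics scans every process when no process name is specified, keep conditions specific (as with the combined rule) to avoid a long-running task that returns many low-value hits.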