Run YARA rules task

Procedure

1. In the Trend Vision One console, go to XDR Threat Investigation → Forensics.
2. Click the name of the workspace that has the endpoints you want to triage.
3. Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
4. Click Run YARA Rules.

   Note You can also perform this response from the context menu in the Trend Vision One Search app, Workbench, and Observed Attack Techniques.

5. Configure the task.
   1. Use the radio buttons either to select existing YARA rules or to upload new rules.
      • Choose Select rules:
        1. Click Select YARA rules.
        2. Pause on a file to view its details.

           Important YARA rules details are only visible for and . See Traffic Light Protocol (TLP) for details.

        3. Select the rules.
        4. Click Continue.
        To add new YARA rules to the list:
        1. Go to YARA Rules on the Response Scripts tab of Response Management.
        2. Click Add YARA rules to upload a file and validate the rules' syntax.
      • Choose Upload rules:
        1. Click Upload file.
        2. Select a file that is in YARA or TXT format and is less than 1 MB in size.

        Tip Use Companion to generate YARA rules by clicking Generate YARA Rules ().

   2. Select the target type and specify related settings:
      • For Process targets, specify a Process name. If you do not specify a process name, Forensics scans all processes. Scanning all processes might take several minutes to complete.
      • For File targets:
        1. Specify the File location.
        2. Select a File size.
        3. Select a Scan setting.

           Important Selecting Scan all files and subfolders might cause performance issues.

   3. Validate your YARA rules by clicking Validate YARA rules.
   4. Specify a Description for the response or event.
   5. Click Create.
   6. Paste the verification code in Multi-factor authentication (MFA) required and click Submit.
      If authentication succeeds, the task appears in the Response Management Task List.

      Tip For response tasks created from the context menu in the Search app, click the View details in Forensics icon () in the Response Management Task List to go directly to Forensics → Query Results.

6. Monitor the task status.
   1. In the workspace that has the endpoints you are triaging, click View Query Results
   2. Select YARA.
   3. Locate the task using the Task name menu.
   4. View the task status.
      • In progress (): Trend Vision One sent the command and is waiting for a response.
      • Queued (): The managing server queued the command because the agent was offline.
      • Successful (): The command was successfully executed.
      • Unsuccessful (): An error or time-out occurred when attempting to send the command to the managing server, the agent is offline for more than 24 hours, or the command execution timed out.
   5. If the task is successful:
      1. Click the icon to open the Download File window.
      2. Copy and retain the password.
      3. Click Download to obtain the task archive file.