Importing Yara rules

You can import your existing Yara rules into IBM® QRadar® Incident Forensics and IBM QRadar Network Insights, and use those rules for matching and flagging malicious content. More than one Yara rule can exist in an imported file. Uploading a new Yara rules file replaces all existing Yara rules within the system. Upload existing rules in the new file to retain them.


  1. Click Main Menu > Admin and select Suspect Content Management.
  2. Click Select File.
  3. In the File Upload window, browse to the file you want to import and click Open.
    Important: Yara rule names must be unique.


You see a message when the Yara rule is imported successfully.

What to do next

Newly imported Yara rules are not applied retroactively. After you import the Yara rules, you must perform a full deployment for the changes to take effect.