Detecting threats with YARA Rule Manager
Scan a raw payload, a file, or the results of an AQL query or Saved Search for threats.
About this task
Procedure
- On the Investigate tab, choose a data source.

  Choice                 Description
  Payload                Select Payload if you want to scan a particular bit of text, such as a section of a log file.
  Advanced Search (AQL)  Select Advanced Search (AQL) if you want to create an AQL query and scan the results of that query.
  Saved Search           Select Saved Search if you want to scan the results of a saved search.
  Upload File            Select Upload File if you want to upload a file to scan.

- Choose rules from a namespace.
  Tip: You can repeat this step if you want to select rules from multiple namespaces.

  - Choose a namespace.
  - Set Rule selection to Entire namespace or Selected rules.

    Table 1.
    Choice             Description
    Entire namespace   Select Entire namespace if you want to scan your data with all of the rules in the namespace and return results based on what you selected for Sample must match.
    Selected rules     Select Selected rules if you want to scan your data with only some of the rules that are available in the namespace. Select the rules from the Rule Selection drop-down menu.

  - Set Results must match to Any rule or All rules.

    Table 2.
    Choice      Description
    Any rule    Select Any rule if you want to scan your data with all of the rules in the namespace and return results that match one or more of the rules.
    All rules   Select All rules if you want to scan your data with all of the rules in the namespace and return results that match all of the rules.

  - Click Add Namespace Selection to add the namespace and selected rules to the scan.

- Set Scan Configuration to Namespaces run individually (any item can match) or Namespaces run together (all items must match).

  Table 3.
  Choice                                                Description
  Namespaces run individually (any item can match)      Select Namespaces run individually (any item can match) if you want to scan your data with all of the selected rules and return results that match one or more of the rules.
  Namespaces run together (all items must match)        Select Namespaces run together (all items must match) if you want to scan your data with all of the selected rules and return results that match all of the rules.

- Click Run Scan.
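The two match settings above combine in a way that is easy to misread: Results must match (Any rule / All rules) decides whether a single namespace counts as a hit, and Scan Configuration (run individually / run together) decides how the per-namespace verdicts are combined. The following added example, which is not IBM's code and not part of the YARA Rule Manager product, models that logic in plain Python so the truth table can be checked. Real YARA rule conditions are richer than the stand-in used here; a Rule is assumed to fire when every listed substring appears in the payload, and the payload, namespaces and rule names are constructed for the illustration.

```python
"""Added example: models how YARA Rule Manager's 'Results must match' and
'Scan Configuration' settings combine. Not the product's own code."""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    # Hypothetical stand-in for a YARA condition: every substring must be present.
    strings: tuple

    def matches(self, payload: bytes) -> bool:
        return all(s in payload for s in self.strings)


@dataclass
class NamespaceSelection:
    """One entry added with 'Add Namespace Selection'."""
    namespace: str
    rules: list                      # Entire namespace, or only the Selected rules
    results_must_match: str = "any"  # "any" = Any rule, "all" = All rules

    def matches(self, payload: bytes):
        """Return (namespace_matched, names_of_rules_that_fired)."""
        hits = [r.name for r in self.rules if r.matches(payload)]
        if self.results_must_match == "all":
            ok = bool(self.rules) and len(hits) == len(self.rules)
        else:
            ok = bool(hits)
        return ok, hits


def run_scan(payload: bytes, selections: list, scan_configuration: str = "individually"):
    """Combine per-namespace verdicts.

    'individually' = Namespaces run individually (any item can match): OR.
    'together'     = Namespaces run together (all items must match): AND.
    Returns (overall_match, {namespace: (matched, fired_rule_names)}).
    """
    per_ns = {sel.namespace: sel.matches(payload) for sel in selections}
    verdicts = [ok for ok, _ in per_ns.values()]
    if scan_configuration == "together":
        overall = bool(verdicts) and all(verdicts)
    else:
        overall = any(verdicts)
    return overall, per_ns


# Constructed sample payload (a fragment of a log line) and constructed rules.
SAMPLE_PAYLOAD = b"2024-01-01T10:00:00Z host=web01 msg=login failed user=admin src=10.0.0.5"

AUTH_RULES = [
    Rule("failed_login", (b"login failed",)),
    Rule("admin_account", (b"user=admin",)),
]
NETWORK_RULES = [
    Rule("internal_source", (b"src=10.",)),
    Rule("external_source", (b"src=203.",)),  # does not fire on the sample
]


def demo():
    """Same two namespaces, both set to All rules, under each Scan Configuration."""
    selections = [
        NamespaceSelection("auth", AUTH_RULES, "all"),
        NamespaceSelection("network", NETWORK_RULES, "all"),
    ]
    individually, _ = run_scan(SAMPLE_PAYLOAD, selections, "individually")
    together, detail = run_scan(SAMPLE_PAYLOAD, selections, "together")
    return individually, together, detail


if __name__ == "__main__":
    ind, tog, detail = demo()
    print("run individually:", ind)   # True: the auth namespace satisfied All rules
    print("run together:   ", tog)    # False: network needs both rules, only one fired
    for ns, (ok, hits) in detail.items():
        print(f"  {ns}: matched={ok} fired={hits}")
```

Note the asymmetry the demo exposes: with the network namespace set to All rules, the scan passes when namespaces run individually (the auth namespace alone is enough) but fails when they run together. Switching that namespace to Any rule makes the combined scan pass, which is the knob to turn when a single unmet rule in one namespace is hiding hits from the others.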