Run custom YARA rules on the specified endpoints to support threat investigation and incident response.

Important
This task is supported by the following services:
  • Trend Vision One
    • Windows agent
    • Linux agent
After creating a workspace and adding endpoints to it in the Forensics app, you can collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.

Procedure

  1. In the Trend Vision One console, go to XDR Threat Investigation > Forensics.
  2. Click the name of the workspace that has the endpoints you want to triage.
    Note
    This task automatically adds all collected evidence to the workspace.
  3. Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
  4. Click Run YARA Rules.
    Note
    You can also run this response task from the context menu in the Trend Vision One Search app.
    The Run YARA Rules Task window appears.
  5. Configure the task.
    1. Use the radio buttons either to select existing YARA rules or to upload new rules.
      • Choose Select rules: Click Select YARA rules, select existing rules, and click Continue.
        To add new YARA rules to the selection list, go to YARA Rules on the Response Scripts tab of Response Management. Click Add YARA rules to upload a file and validate the rules' syntax.
      • Choose Upload rules: Click Upload file and select a file that is in YARA or TXT format and is less than 1 MB in size.
        Tip
        Use Companion to generate YARA rules by clicking Generate YARA Rules.
    2. Select either Process or File as the target type and specify related settings:
      • For Process targets, specify a Process name
      • For File targets, specify the File location, select a File size, and select a Scan setting
      Important
      If you do not specify a process name, Forensics scans all processes. Scanning all processes might take several minutes to complete.
      Selecting Scan all files and subfolders as your Scan setting might cause performance issues.
    3. Validate your YARA rules by clicking Validate YARA rules.
    4. Specify a Description for the response or event.
    5. Click Create.
    6. In the Multi-factor authentication (MFA) required window, paste the verification code and click Submit.
      If authentication succeeds, the task appears in the Response Management Task List.
  6. Monitor the task status.
    1. In the workspace that has the endpoints you are triaging, click View Query Results.
    2. Select YARA.
    3. Locate the task using the Task name menu.
    4. View the task status.
      • In progress: Trend Vision One sent the command and is waiting for a response.
      • Queued: The managing server queued the command because the agent was offline.
      • Successful: The command was successfully executed.
      • Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the agent has been offline for more than 24 hours, or the command execution timed out.
    5. If the task is successful, click the download icon to open the Download File window, copy and retain the password, and click Download to obtain the task archive file.
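The upload step above accepts a YARA or TXT file under 1 MB, and the Important note warns that broad scan settings can hurt endpoint performance. The following pre-flight checker is an added example, not part of this page or of Trend Vision One, that you can run on a rule bundle before the MFA-gated upload; it assumes the accepted extensions are .yar, .yara and .txt (the page only names the formats), and it is a structural heuristic, so the console's Validate YARA rules step remains the authoritative syntax check.

```python
import re

# Upload constraints stated in the procedure: a YARA or TXT file under 1 MB.
MAX_UPLOAD_BYTES = 1024 * 1024
ALLOWED_SUFFIXES = (".yar", ".yara", ".txt")  # assumption: page names formats only
RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)

def _strip_literals(text):
    # Blank out strings and comments so braces or the word 'rule' inside them do
    # not mislead the checks below. Heuristic, not a YARA parser.
    text = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', text)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"//[^\n]*", " ", text)

def preflight(filename, text):
    # Return a list of problems; an empty list means the bundle is fit to upload.
    # The console's Validate YARA rules step is still the authoritative check.
    problems = []
    if not filename.lower().endswith(ALLOWED_SUFFIXES):
        problems.append(f"{filename}: extension must be one of {ALLOWED_SUFFIXES}")
    size = len(text.encode("utf-8"))
    if size >= MAX_UPLOAD_BYTES:
        problems.append(f"{filename}: {size} bytes, must be less than 1 MB")
    code = _strip_literals(text)
    names = RULE_HEADER.findall(code)
    if not names:
        problems.append(f"{filename}: no rule definitions found")
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"{filename}: rule name '{name}' is defined more than once")
    if code.count("{") != code.count("}"):
        problems.append(f"{filename}: unbalanced braces")
    parts = RULE_HEADER.split(code)[1:]  # [name1, body1, name2, body2, ...]
    for name, body in zip(parts[0::2], parts[1::2]):
        if not re.search(r"\bcondition\s*:", body):
            problems.append(f"{filename}: rule '{name}' has no condition section")
    return problems

# Constructed sample bundle: the filesize guard keeps a file-target scan cheap,
# which matters when Scan all files and subfolders is selected.
SAMPLE_RULES = """
rule example_small_pe_marker
{
    strings:
        $mz = { 4D 5A }
        $tag = "example-marker-string"
    condition:
        filesize < 2MB and $mz at 0 and $tag
}
"""
```

Calling `preflight("rules.yar", SAMPLE_RULES)` returns an empty list for the constructed bundle; any non-empty result lists what to fix before uploading.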