Run custom YARA rules on the specified endpoints to support threat investigation and incident response.
Important
This task is supported by the following services:
After creating a workspace and adding endpoints to it in the Forensics app, you can collect detailed evidence from potentially compromised endpoints for internal investigations into critical incidents that occurred on your network and may require further attention.
Procedure
- In the Trend Vision One console, go to .
- Click the name of the workspace that has the endpoints you want to triage.
Note
This task automatically adds all collected evidence to the workspace.
- Select one or more endpoints from the list. Selected endpoints must all use the same operating system.
- Click Run YARA Rules.
Note
You can also run this response task from the context menu in the Trend Vision One Search app.
The Run YARA Rules Task window appears.
- Configure the task.
  - Use the radio buttons either to select existing YARA rules or to upload new rules.
    - Choose Select rules: Click Select YARA rules, select existing rules, and click Continue.
      To add new YARA rules to the selection list, go to YARA Rules on the Response Scripts tab of Response Management. Click Add YARA rules to upload a file and validate the rules' syntax.
    - Choose Upload rules: Click Upload file and select a file that is in YARA or TXT format and is less than 1 MB in size.
      Tip
      Use Companion to generate YARA rules by clicking Generate YARA Rules.
  - Select either Process or File as the target type and specify the related settings:
    - For Process targets, specify a Process name.
    - For File targets, specify the File location, select a File size, and select a Scan setting.
    Important
    If you do not specify a process name, Forensics scans all processes. Scanning all processes might take several minutes to complete.
    Selecting Scan all files and subfolders as your Scan setting might cause performance issues.
- Validate your YARA rules by clicking Validate YARA rules.
- Specify a Description for the response or event.
- Click Create.
- In the Multi-factor authentication (MFA) required window, paste the verification code and click Submit. If authentication succeeds, the task appears in the Response Management Task List.
Tip
For response tasks created from the context menu in the Search app, click the View details in Forensics icon in the Response Management Task List to go directly to .
- Monitor the task status.
- In the workspace that has the endpoints you are triaging, click
- Select YARA.
- Locate the task using the Task name menu.
- View the task status.
  - In progress: Trend Vision One sent the command and is waiting for a response.
  - Queued: The managing server queued the command because the agent was offline.
  - Successful: The command was executed successfully.
  - Unsuccessful: An error or time-out occurred when attempting to send the command to the managing server, the agent has been offline for more than 24 hours, or the command execution timed out.
- If the task is successful, click the icon to open the Download File window, copy and retain the password, and click Download to obtain the task archive file.