YARA detection rules
Overview
YARA rules are queries you can use to scan endpoints for patterns of malicious behavior. Use the YARA detection rules feature to generate custom alerts and security incidents based on the results of these scans. You can create a maximum of 50 YARA rules while enrolled in the Early Access program. This feature is available for macOS, Windows and Linux endpoints with x64 architecture, who have the BEST client configured with the Local Scan mode.
Note
YARA detection rules is not available for Linux endpoints with ARM64 architecture.
Find this new feature by going to the Incidents > Custom detection rules page. When adding a new rule, click the YARA button, to switch to the YARA rule definition.
Eligibility
To use this feature, you must meet the following requirements:
The company type is Customer.
The EDR license is active.
Licenses that offer only deployment in EDR (Report only) mode are not supported.
The following checkbox is not selected in the My company page: Your Bitdefender partner can assist you with security management.
The supported endpoint types are macOS, Windows and Linux devices that have the following version of BEST or newer: version 7.9.5.318 for BEST Windows and 7.0.3.2248 for BEST Linux, 7.16.42.200016 for macOS.
Enroll for the YARA detection rules add-on by going to the My company > Early access tab.
Creating YARA detection rules
To create a YARA rule, follow these steps:
Log in to GravityZone Control Center.
Go to the Incidents > Custom detection rules page from the left side menu.
Click Add rule.
To switch to YARA rule definition, click the YARA button.
Enter your rule query and click Check rule. If there are any errors in the rule syntax, you will receive error messages or warnings. Hover over the highlighted lines to get more detailed information on what needs to be fixed.
You can enter up no more than 30,000 characters per YARA rule. Only ASCII characters are supported.
Important
Before writing YARA rules, refer to the YARA Performance Guidelines and Writing YARA rules documentation. Following these guidelines can minimize potential performance issues for the endpoints being scanned.
The YARA detection rules feature does not support the use of the include directive, by which the content of external files is included during the process of compiling the rule.
Click Next.
In the Rule configuration section, add a rule name, a rule description, and rule-related tags. Rule tags can help you identify, group, and sort for rules as needed.
If you do not have a tag that suits your rule, you can click the Create tag button, and add one.
The On-access scanning option processes only files that are 50MB or smaller. To scan bigger files, you may opt for an on-demand scan.
Use the On-access scanning option after careful consideration, as this feature may cause performance issues for the endpoints being scanned. That is why we recommend that this type of rules be configured only by skilled security analysts who can write highly specific queries.
Note
This option uses the same on-access scanning settings as defined in the policy applied to the endpoint. It does not supersede the existing policy. YARA rules are report-only, the actions configured in the On-Access policy are not enforced.
Enabling this option, generates both alerts and incidents as a result of YARA scans. You can view the alerts in the Search page, and the incidents in the Incidents page.
If you do not enable this option, you can run YARA rules on demand. However, on-demand scans for YARA rules do not generate incidents, only alerts.
Note
Here are the maximum number of alerts and incidents that can get generated:
The total active YARA detection rules listed in the Custom detection rules grid can generate a maximum of 100 unique incidents per hour. If the event that triggered the YARA detection already has an active incident, the incident will be automatically updated, and the detection will not count towards the 100 limit.
The total active YARA detection rules listed in the Custom detection rules grid can generate a maximum of 5000 alerts per hour.
A YARA query can contain multiple YARA rules. For each YARA rule entered in a query, a maximum of 1000 alerts can be generated per hour.
In the Rule outcome section, select the appropriate severity level for the generated alerts.
Click Next.
In the Rule targets window, select which endpoints the rule will scan. You can select the entire company or specific endpoint tags. These tags are created and managed in Network > Tags Management.
When you select the Endpoint tags option, you can choose the tags from the list in the left-side menu, and your current selection of tags will appear in the right-side menu.
Click Save.
Note
After you create a YARA rule, you cannot convert it into a basic rule.
If you create YARA rules and then opt out of the YARA detection rules program, your YARA rules will disappear from the Custom detection rules grid. If you enroll in the program again, your YARA rules will be displayed in the grid, but you will need to enable them.
YARA rules in the Custom rules grid
Filtering for YARA rules
You can view your YARA rules by going to Incidents > Custom detection rules. Look in the Rule type column for YARA
values.
To filter the grid for YARA rules, follow these steps:
Click the More button above the rule grid.
Select the Rule type checkbox.
Click Apply.
This adds the Rule type filter above the grid.
Click the Rule type filter and select the YARA checkbox.
Click Apply.
Enabling or disabling YARA rules
To enable YARA rules, follow these steps:
Select the rules in the grid, and click the Change status button above the grid.
Click Enable and confirm your choice.
To disable YARA rules, follow these steps:
Select the rules in the grid, and click the Change status button above the grid.
Click Disable and confirm your choice.
Viewing YARA rules details
Clicking one of the YARA rules in the grid opens its Details panel. The Details panel for YARA rules contains information related to the rule name, ID, description, YARA query and other rule details.
The Copy all to clipboard button makes it easy to copy the entire YARA query to clipboard.
The View alerts and View incidents options redirect you to the Incidents and the Search section, respectively. Prefilled queries run automatically to retrieve all the alerts or incidents generated by the YARA rule.
The Edit rule button brings up the rule definition window, where you can change the rule details.
Performing on-demand scans
To perform an on-demand scan, follow these steps:
You can start an on-demand scan in two different ways:
In the Details panel of a detection rule, click the Scan button.
In the Custom detection rules grid, click the vertical ellipsis button at the right end of the grid entry, and click Scan.
In the Define local targets window, specify the folders or disk drives to scan.
The Specific folders field does not support wildcard characters, but it does support system variables.
Click Scan.
Note
On-demand scans generate only alerts, not incidents. You can view the generated alerts in the Incidents > Search page by using the
other.rule_id
field in your query.
A task is generated for this scan. You can view it in Network > Tasks.
You can view detailed results of the scan in the Network > Endpoint details > Scan Logs tab.
A record of the scan, together with its details and results, is also available in Accounts > User Activity.
Submitting feedback
You can submit feedback by sending an email to [email protected].