Using YARA Rules with RiskVision: Rules and labels
YARA Rules | TRITON RiskVision | 02-Jun-2016
If a transaction analyzed by RiskVision contains patterns that match a YARA rule, one or more labels can be appended to the transaction. For your own YARA rules, you can specify the labels that are added.
In most cases, if a transaction contains a YARA rule match, but no other analytic flags the transaction as an incident, the transaction is discarded, and no record is added to the Configuration and Reporting Database.
If a transaction contains a YARA rule match, and another analytic flags the transaction as an incident, the labels appended to the transaction by the YARA Plugin are recorded as part of the incident.
These labels are listed in the Transaction Viewer's Details pane on the Incidents page in the RiskVision Local Manager.
If the YARA Plugin applies the OffBoxScanRequired label to a transaction, even if no other analytic flags the transaction as an incident, an incident record is added to the Configuration and Reporting Database.
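The label and incident-record behaviour described above can be modelled as a small decision function. The block below is an added illustration and is not RiskVision or Forcepoint code: the page does not say how labels are attached to a YARA rule, so rules are represented as plain objects with a list of byte patterns (a stand-in for YARA strings, any one of which matching counts as a rule match) and a list of labels, and matching is a substring search rather than a YARA engine. The rule names, patterns and transactions are constructed sample data; only the OffBoxScanRequired label name comes from the page.

```python
"""Model of the YARA label / incident-record decision described on this page.

Added example, not product code. Assumptions: rules carry their labels
directly (the page does not describe the real mechanism), and a rule matches
when any of its byte patterns occurs in the transaction payload.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

OFF_BOX_LABEL = "OffBoxScanRequired"  # label named on the page


@dataclass
class Rule:
    name: str
    patterns: list[bytes]  # assumed stand-in for YARA strings (any-match)
    labels: list[str]      # labels appended to a transaction when the rule matches


@dataclass
class Transaction:
    tx_id: str
    payload: bytes
    flagged_by_other_analytic: bool  # outcome of the non-YARA analytics


def match_rules(payload: bytes, rules: list[Rule]) -> list[Rule]:
    """Return the rules whose patterns occur in the payload (toy matcher)."""
    return [r for r in rules if any(p in payload for p in r.patterns)]


def yara_labels(payload: bytes, rules: list[Rule]) -> list[str]:
    """Collect the labels of every matching rule, de-duplicated, in rule order."""
    labels: list[str] = []
    for rule in match_rules(payload, rules):
        for label in rule.labels:
            if label not in labels:
                labels.append(label)
    return labels


def evaluate(tx: Transaction, rules: list[Rule]) -> Optional[dict]:
    """Return the incident record to store, or None if the transaction is discarded.

    A record is written only when another analytic flagged the transaction or
    when the YARA labels include OffBoxScanRequired; a YARA match on its own
    is not enough.
    """
    labels = yara_labels(tx.payload, rules)
    if tx.flagged_by_other_analytic or OFF_BOX_LABEL in labels:
        return {
            "tx_id": tx.tx_id,
            "labels": labels,
            "flagged_by_other_analytic": tx.flagged_by_other_analytic,
        }
    return None


# Constructed sample rules and transactions (not from the page).
RULES = [
    Rule("suspicious_macro", [b"AutoOpen", b"Shell("], ["MacroDoc"]),
    Rule("needs_sandbox", [b"MZ"], [OFF_BOX_LABEL]),
]

SAMPLE = [
    Transaction("t1", b"plain text body", False),          # no match, not flagged
    Transaction("t2", b"Sub AutoOpen() ...", False),        # YARA match only: discarded
    Transaction("t3", b"Sub AutoOpen() ...", True),         # match + other analytic: recorded
    Transaction("t4", b"MZ\x90\x00\x03", False),            # OffBoxScanRequired: recorded
]


def run(txs: list[Transaction] = SAMPLE, rules: list[Rule] = RULES) -> dict:
    """Evaluate each transaction; value is the stored record or None."""
    return {tx.tx_id: evaluate(tx, rules) for tx in txs}


if __name__ == "__main__":
    for tx_id, record in run().items():
        print(tx_id, "discarded" if record is None else record)
```

Running the block shows the three outcomes side by side: t1 and t2 are dropped, t3 is recorded with the MacroDoc label attached by the YARA rule, and t4 is recorded purely because of the OffBoxScanRequired label.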
Copyright 2016 Forcepoint LLC. All rights reserved.