Rules and labels

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Using YARA Rules with RiskVision : Rules and labels

Rules and labels

YARA Rules | TRITON RiskVision | 02-Jun-2016

If a transaction analyzed by RiskVision contains patterns that match a YARA rule, one or more labels can be appended to the transaction. For your own YARA rules, you can specify the labels that are added.

In most cases, if a transaction contains a YARA rule match, but no other analytic flags the transaction as an incident, the transaction is discarded, and no record is added to the Configuration and Reporting Database.

If a transaction contains a YARA rule match, and another analytic flags the transaction as an incident, the labels appended to the transaction by the YARA Plugin are recorded as part of the incident.

These labels are listed in the Transaction Viewer's Details pane on the Incidents page in the RiskVision Local Manager.

If the YARA Plugin applies the OffBoxScanRequired label to a transaction, even if no other analytic flags the transaction as an incident, an incident record is added to the Configuration and Reporting Database.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Using YARA Rules with RiskVision : Rules and labels

Copyright 2016 Forcepoint LLC. All rights reserved.