Creating Yara analysis units

Yara analysis units consist of one or several Yara rules.

You must hold the Resources-Modify privilege to create analysis units.

SES Evolution agent version Compatible Yara versions
2.3 4.2.2 and 4.2.3
2.4 4.2.3

  1. Select the Security > Resources menu.

  2. In the left panel, click on + Add a resource.

  3. Select Yara scan, then the scan mode.

    • File scan to analyze files contained on agents,

    • Process scan to analyze memory on the processes that are executed on agents. Do note that this scan mode may detect the same pattern in several processes as memory from one process can be temporarily copied into other processes.
      The new unit will be added to the YARA category in the panel on the left. You will find the resources provided by Stormshield under the category Stormshield YARA.

  4. In the New analysis unit field, enter the name of your analysis, then a description below it if necessary.

  5. Click on Import files and select the *.yar, and *.rule files that you wish to use in this analysis unit. You can also import Yara Index files that reference other Yara files.

    If imported Yara files contain inconsistencies or are likely to affect performance, Error, Warning or Performance messages appear in the Compile resources area with a description. If an error occurs, you must fix the issue or remove the file in question as you will not be able to save the analysis unit.
    You can filter these messages by severity, Yara version or SES Evolution agent version if needed.

    Yara analysis units cannot be deleted while they are being used in a Yara task, scheduled scan or as an action when logs are generated in an SES Evolution rule.

    To obtain a local copy of the Yara files, if they were imported by another administrator, for example, click on and select a destination folder. You can then look up these files, edit them and import them into the same analysis unit or into another unit.

You can also import a .cab file directly from the menu in the panel on the left. Cab files contain the file(s) to be used in a Yara or IoC analysis unit as well as other data such as the title and description of the unit. In the same menu, the Export sub-menu makes it possible to export an analysis unit with all this information in a .cab file.

You can also import a .cab file directly from the menu in the panel on the left. Cab files contain the file(s) to be used in a Yara or IoC analysis unit as well as other data such as the title and description of the unit. In the same menu, the Export sub-menu makes it possible to export an analysis unit with all this information in a .cab file.