Recorded Future Sandbox - Custom Yara

Custom Yara

Under the Organization tab, select Yara from the submenu and select New Yara Rule.

Enter a name for the file and use the editor box to enter the Yara rule.

Metadata fields

Any metadata value can be provided in custom rules. However, the following keys have particular uses within Triage:

  • description: This field is used as the 'title' of the signature, which appears in the main UI.
  • triage_description: Optional. This field is used to provide a more detailed description of the signature. In the UI, it is visible in the dropdown section of the signature.
  • triage_score: Optional - defaults to 1 if not defined. The score value that should be assigned to the signature. As a rough guideline:
      • 1-4 = Benign/informational
      • 5-7 = Possibly malicious
      • 8-9 = Likely malicious
      • 10 = Known bad
  • triage_tags: Optional. Used to define tags which are applied to the analysis as a whole. These are generally intended to define the class of malware - e.g. dropper, trojan, ransomware etc. These can be used in Search to find samples with these tags applied using the tag: query. Note that these tags are also visible to anyone else who has access to your analyses.
  • triage_family: Optional. This is used to mark a sample as belonging to a particular malware family. The value defined here appears as a tag in the UI and can be used in Search with the family: query. Note that if this tag is defined then a sample will automatically receive a score of 10 regardless of the value set in triage_score.
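The following is an added example of a custom rule using these metadata fields; it is not taken from the Recorded Future or Triage documentation. The rule names, the strings and the tag and family values are constructed for illustration, and the example assumes the meta keys behave exactly as described above (in particular, that setting triage_family overrides triage_score). The page does not specify how multiple values in triage_tags are separated, so the example uses a single tag.

```yara
// Example 1: a scored detection rule. Only triage_score drives the score here,
// because triage_family is deliberately left unset.
rule Example_Dropper_Markers
{
    meta:
        // Shown as the signature's title in the main UI.
        description = "Constructed example: dropper build artefacts with injection APIs"
        // Optional: longer text shown in the signature's dropdown section.
        triage_description = "Matches a constructed PDB path and a constructed mutex name together with two process-injection API imports. Scored 8 (likely malicious) per the guideline above."
        // Optional: 1-4 benign/informational, 5-7 possibly malicious, 8-9 likely malicious, 10 known bad.
        triage_score = 8
        // Optional: analysis-wide tag; searchable later with  tag:dropper
        triage_tags = "dropper"
        author = "analyst-name (placeholder)"   // any other key is accepted but has no special meaning

    strings:
        // Both values are constructed for this example and do not refer to a real sample.
        $pdb   = "C:\\build\\example_dropper\\Release\\dropper.pdb" ascii
        $mutex = "Global\\ExampleDropperMutex" ascii wide
        $api1  = "VirtualAllocEx" ascii
        $api2  = "WriteProcessMemory" ascii

    condition:
        uint16(0) == 0x5A4D and      // MZ header: only evaluate PE files
        filesize < 5MB and
        ($pdb or $mutex) and
        all of ($api*)
}

// Example 2: a family-attribution rule. Because triage_family is set, the
// analysis is scored 10 regardless of the triage_score value below, so the
// explicit triage_score only documents intent.
rule Example_Family_Attribution
{
    meta:
        description = "Constructed example: ExampleFamily configuration marker"
        triage_description = "Attributes the sample to the hypothetical ExampleFamily. The family tag forces the analysis score to 10; the triage_score below is ignored for the final score."
        triage_score = 6               // overridden to 10 by triage_family
        triage_tags = "trojan"
        // Searchable later with  family:examplefamily  (value is a placeholder)
        triage_family = "examplefamily"

    strings:
        // Constructed configuration marker; not a real indicator.
        $cfg = { 45 58 46 41 4D 5F 43 46 47 00 }   // "EXFAM_CFG\0"

    condition:
        uint16(0) == 0x5A4D and $cfg
}
```

When you paste a rule like this into the editor, keep the meta keys spelled exactly as above; Triage reads them by name, and a misspelled key is treated as ordinary metadata and silently ignored for scoring and tagging.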
This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.