This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Education Courses
No ratings

NetWitness Endpoint YARA Rules

ElenaKomarova
Employee
Employee

on ‎2017-01-09 03:01 PM - edited on ‎2022-04-29 06:23 AM by Frequent Contributor Frequent Contributor

 This Course is currently undergoing some updates, appreciate your patience as we are working on bringing for you the best training experience.

 

 

Netwitness-Education-2C (2).png

 

Access Training
for Customers/Partners

Access Training
for NetWitness Employees

 

 

Summary

The RSA NetWitness Endpoint YARA Rules on-demand learning provides an introduction to writing rules for RSA NetWitness Endpoint using YARA best practices.

 

Overview

This on-demand learning provides an introduction to writing rules for RSA NetWitness Endpoint using YARA. Students will gain familiarity with the YARA tool's syntax and functionality to write rules that optimize flexibility and minimize false positives.

 

Audience

All

 

Delivery Type

On-Demand Learning

 

Duration

1 hour

 

Prerequisite Knowledge / Skills

Students should have familiarity with:

  • Skills provided in the RSA NetWitness Endpoint Foundations course
  • Programming fundamentals
  • Knowledge of C Programming and Perl regular expressions desirable

 

Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Describe what YARA is and how it is used in RSA NetWitness Endpoint
  • List the types of Indicators of Compromise used by RSA NetWitness Endpoint 
  • List and describe common strains of malware
  • Use the various components that make up a YARA rule
  • Extract strings from malware samples for a basis of writing YARA rules
  • Write YARA rules that maximize the efficiency of the YARA engine, while reducing false positives
  • Research YARA rules from popular web sites
  • Integrate YARA rules with RSA NetWitness Endpoint
  •  Automate YARA rule creation

 

Course Outline

  • Overview
    • Describe what YARA is and how YARA is used in RSA NetWitness Endpoint
    • Define the types of IIOCs
    • Define the most common strains of malware

 

  • YARA Rules
    • Write YARA rules using:
      • Meta
      • Strings
      • Conditions
      •  Extract strings from malware sample
      • Run YARA on the command line

 

  • Optimizing your Rule
    • Tips for writing YARA rules
    • Using Regular Expressions
    • file size variable
    • include directives
    • Minimizing false positives
    • Performance considerations
    • Global and Private rules

 

  • Integrating YARA in RSA NetWitness Endpoint
    • Configure RSA NetWitness Endpoint to use your YARA rules

 

  • Additional Resources
    • Automate YARA rules generationList resources for
    • YARA software and documentation

 

If you have any questions, please contact your account manager or Contact Us directly!
Was this article helpful? Yes No
Version history
Last update:
‎2022-04-29 06:23 AM
Updated by:
Frequent Contributor Frequent Contributor
© 2022 RSA Security LLC or its affiliates. All rights reserved.