Hosts View - YARA Rules Tab

Note: The information in this topic applies to NetWitness Version 12.0 and later.

The YARA Rules tab lists the various YARA rules used for the scan and their status. To access this tab, select a host from the Hosts view and click the YARA Rules tab.

Workflow

What do you want to do?

User Role	I want to ...	Show me how
Threat Hunter	review hosts with highest risk score	Analyze Hosts Using the Risk Score
Threat Hunter	analyze hosts*	Investigating Hosts
Threat Hunter	perform adhoc scan*	Scan Hosts
Threat Hunter	review host details	Analyze Host Details
Threat Hunter	search on snapshot*	Search Files on Host
Threat Hunter	analyze processes	Investigating a Process
Threat Hunter	review reported anomalies	Analyze Anomalies
Threat Hunter	analyze risky users	Analyzing Risky Users
Threat Hunter	analyze events	Analyzing Events
Threat Hunter	download files for deeper analysis	Analyzing Downloaded Files
Threat Hunter	perform external lookups	Launch an External Lookup for a File
Threat Hunter	change file status or remediate	Changing File Status or Remediate
Threat Hunter	isolate host from network*	Isolating Hosts from Network
Threat Hunter	download MFT, system dump, or process dump*	Performing Host Forensics

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the YARA Rules tab:

Agent and Scan Details. You can view the following agent and scan details of the selected host:

Host name - Name of the host. For example, WIN-ABC.

Risk score - Risk score of the host.

Operating System - Operating system on which the agent is running (Linux, Windows, or Mac).

Agent Scan Status - Current status of the scan - Idle, Scanning, Starting Scan, or Stopping Scan. For more information, see Scan Hosts.

Agent Last Seen - Time when the agent last communicated with the Endpoint server.

Agent Version - Version of the agent. For example, 12.0.0.0.

More - Provides options to:

Start a scan for the selected hosts. For more information, see Scan Hosts.
Extracts host attributes and endpoint data to a JSON file of the selected snapshot. For more information, see Export Host Attributes.
Isolation host from the network. For more information, see Isolating Hosts from Network.
Download MFT to the server. For more information, see Performing Host Forensics.
Download System Dump to the server. For more information, see System and Process Memory Dump.
Perform remediation actions using the Remote Shell option. For more information, see Performing Host Forensics.

Snapshot Time - Lists scanned time stamps. To view the scan history, you can select the snapshot time from the drop-down menu.

Search on Snapshots. Lets you search on all snapshots (file name, file path, and SHA-256 checksum). For more information, see Search Files on Host.

YARA Rules Panel - Displays the following tabs:

YARA Rule: This tab lists all the YARA rules used for the scan.
Status: This tab displays the status of the YARA rules.

For Example: If the YARA rule is successfully loaded, the status is displayed as Loaded.

For more information on YARA Scans, see Analyze Files Using YARA section in Investigating Files topic.

NetWitness Community

Table of Contents

Product Resources

Hosts View - YARA Rules Tab

On this page