Triage Thursday

Custom Yara Support


Welcome back to another entry in our Triage Thursday update blog series. We’ve got a bit of a special one today, as we’re pleased to be able to announce a major new feature for Triage. In this post we’ll take a look at the new feature, and demonstrate how to use it.

So what is this new feature? Well, you’ve probably already seen the title: you can now use your own custom Yara rules in Triage analyses! Add your rules through our new in-browser editor, and they will be run against analysis files just like our own built-in rules.

This feature is available to all private cloud users, and to Researcher accounts only on the public Triage server.

Details

Triage supports most features of Yara but there are a few things you should be aware of to get the most out of the new system.

Like the built-in rules, custom Yara is run against not only the submitted sample, but also dropped files and memory dumps created by Triage during behavioural analysis. This allows you to - for example - target the binary after it has been unpacked during execution, or match particular DLLs or secondary payloads downloaded by the initial sample.

It should also be noted that currently rules can only be run against new submissions, and cannot be used in Search queries. Support for hunting in existing analyses will be made available in future updates.

As mentioned above, the custom Yara feature is now available to all Private Cloud users. It is also available free of charge to those with Researcher accounts on the public tria.ge server.

You can find the Yara editor in the top menu on Triage, replacing the old Profiles option - it will look slightly different depending on whether you are using the private or public cloud.

In this section you will find all available options related to your account and/or Organisation - analysis profiles, user management, and of course Yara.

Creating Custom Rules

Under the Organization tab (private cloud) or Researcher tab (public cloud), select Yara from the submenu and select New Yara Rule. Enter a name for the file and use the editor box to write your rule.

In general, rules written for Triage follow the same format as any other Yara rule. You can also include any metadata you want, but there are certain values we recommend to ensure that the signature is fully displayed in the Triage interface and reports:

When finished, select Save in the bottom right of the screen. The editor will notify you of any errors or warnings which might affect your rule - you can make any required modifications and click Update to save.

And that’s it! Once it’s saved it will be run against any new analyses you create, with the output visible in the Triage UI and usable in Search.
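As an added illustration (not from the original post or from Triage itself), here is the kind of rule you might paste into the editor. It takes advantage of the point made above that custom rules also run over dropped files and memory dumps, so it looks for plaintext markers that a packed sample typically only exposes after unpacking. The rule name, meta values, strings and byte pattern are all constructed placeholders, and the meta fields are generic Yara metadata rather than Triage's recommended set.

```yara
// Added example rule, not from the original post. Every identifier, string
// and byte sequence below is a constructed placeholder.
rule Triage_Example_Unpacked_Payload_Markers
{
    meta:
        author      = "example-researcher"          // placeholder
        description = "Plaintext markers that a packed sample only exposes after unpacking"
        reference   = "https://example.invalid/notes"   // placeholder URL

    strings:
        // Artefacts a packer usually keeps encrypted on disk. They are far more
        // likely to match in Triage's memory dumps than in the submitted file.
        $cfg_marker = "example-c2-config" ascii wide
        $mutex      = "Global\\ExampleMutex" ascii wide
        $pdb        = "\\example_loader\\Release\\" ascii

        // Constructed opcode pattern with wildcards, standing in for a
        // decryption-loop stub. Replace with bytes from your own analysis.
        $stub = { 8B 45 ?? 33 C1 C1 C8 ?? 89 45 ?? }

    condition:
        // No MZ-header check on purpose: memory dumps do not always start at
        // the image base, so requiring a PE header would miss unpacked code.
        filesize < 5MB
        and (
            // Strong: two distinct plaintext markers present together
            2 of ($cfg_marker, $mutex, $pdb)
            // Or the stub pattern plus at least one marker
            or ($stub and 1 of ($cfg_marker, $mutex, $pdb))
        )
}
```

Once saved, a hit on this rule in a memory dump rather than the original submission is a useful signal that the sample unpacked during the run.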
We hope that this feature will be useful to many of you using Triage, and help you to get more out of the platform. We’ll be continuing to expand on this in the future, with support for searching existing analyses with custom Yara already planned.

If you have any feedback or suggestions about this or other improvements, please do get in touch. You can reach us through the contact form on our website, on Twitter, or by using the Feedback button within the Triage UI.

If you would like access to this new feature but currently are not registered as a Researcher, you can apply to have your account upgraded free of charge in the account settings page - we will review your application as quickly as possible. We just ask that you provide some additional information through the registration form to help us understand your usage.

Not signed up yet? Register for your free account here.
