Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Get started Built-in checks Raw data App library Tutorials & guides API SUPPORT Chat Contribute Release notes "Why is Fleet on my computer?" Get your license
Stories
What people are saying News Ask around Take a tour COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
All platforms
Windows
Linux
macOS
ChromeOS
search

A menu icon Tables {{numberOfTablesDisplayed}}

right chevron down chevron

Tables{{numberOfTablesDisplayed}}

macOS logo Windows logo Linux logo macOS logo

yara

Triggers one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule.

Column Type Description
count integer Number of YARA matches
matches text List of YARA matches
path text The path scanned
Required in WHERE clause
pid_with_namespace integer Pids that contain a namespace
Not returned in SELECT * FROM yara.
Only available on Linux
sig_group text Signature group used
sigfile text Signature file used
sigrule text Signature strings used
Not returned in SELECT * FROM yara.
sigurl text Signature url
Not returned in SELECT * FROM yara.
strings text Matching strings
tags text Matching tags

Example

Look for files under /root that match a Yara signature. This example uses the EICAR test file.

SELECT * FROM yara WHERE path like '/root/%%' AND sigrule IN (
  'rule eicar {
  strings:
  $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
  condition:
  all of them
}'
 ) AND matches='eicar';
Edit page

Need more help?

Slack logo Ask the community on Slack