Meta pixel
Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Endpoint operations Device management (MDM) Vulnerability management Integrations
Docs REST API Built-in queries Data tables SUPPORT Chat Hosting Release notes Get your license Contribute
Community
Chat News Podcasts Articles COMPANY Handbook Logos/artwork Why open source?
Pricing Start now
All platforms
Windows
Linux
macOS
ChromeOS
search

A menu icon Tables {{numberOfTablesDisplayed}}

right chevron down chevron

Tables{{numberOfTablesDisplayed}}

macOS logo Windows logo Linux logo macOS logo

yara

Triggers one-off YARA query for files at the specified path. Requires one of sig_group, sigfile, or sigrule.

Column Type Description
count integer Number of YARA matches
matches text List of YARA matches
path text The path scanned
Required in WHERE clause
pid_with_namespace integer Pids that contain a namespace
Not returned in SELECT * FROM yara.
Only available on Linux
sig_group text Signature group used
sigfile text Signature file used
sigrule text Signature strings used
Not returned in SELECT * FROM yara.
sigurl text Signature url
Not returned in SELECT * FROM yara.
strings text Matching strings
tags text Matching tags

Example

Look for files under /root that match a Yara signature. This example uses the EICAR test file.

SELECT * FROM yara WHERE path like '/root/%%' AND sigrule IN (
  'rule eicar {
  strings:
  $s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
  condition:
  all of them
}'
 ) AND matches='eicar';
Edit page

Need more help?

Slack logo Ask the community on Slack