September 2023 (Version 6.43.0-1)
YARA detection rules
YARA rules are queries you can use to scan endpoints for patterns of malicious behavior. Use the YARA detection rules feature to generate custom alerts and security incidents based on the results of these scans.
This feature is available for Windows and Linux endpoints with the following BEST versions:
Windows: 220.127.116.118 or newer
Linux: 18.104.22.1688 or newer
To create YARA rules, go to Incidents > Custom detection rules, click the Add rule button, and then click YARA. Follow the on-screen instructions.
After you create a YARA detection rule, you cannot convert it into another type of detection rule.
From the Custom detection rules grid, you can enable or disable YARA detection rules, or start on-demand scans by clicking the 151926_1.png vertical ellipsis button and then selecting the Scan option.
Clicking a YARA detection rule from the Custom detection rules grid brings up the YARA details panel. From this panel, you can switch to the Search and Incidents sections to view the alerts and incidents generated by the rule.
The Parameter filter is now available in the Incidents section. It contains a series of criteria you can use to further filter your grid results and create highly customized smart views.
The Incidents > Custom Rules section has been divided into two sections: Custom detection rules and Custom exclusion rules.
The grids and rule configuration pages have a new design.
Rule settings now include targets. You can now decide whether to apply the rule to the entire company or to specific groups by endpoint tags.
Clicking a grid entry brings up the details panel of the rule. It contains information about the rule, options for navigating rules and for editing the current rule. For custom detection rules, you can use the View alerts and View incidents buttons to switch to the Search and Incidents sections.
In the Incidents > Search section, you can now look up both custom detection rules and custom exclusion rules by using the other.rule_id field in your search query. You can still use the other.exclusion_id field to identify existing alerts for the next 90 days, after which the field will be deprecated.
The Custom detection rules and the Custom exclusion rules sections are now available to Partners even if they do not have an active EDR license on their account.
Partners can now control rules for their managed companies and can use the Company filter in the grid to view the rules created for each company. Customers can also view the rules Partners have applied on their company.
When switching to a new Partner, all custom rules created by the former Partner are disabled. The new Partner will not be able to view the rules applied by the former Partner.
Companies switching from a trial license to a monthly subscription will automatically have the Email redaction setting disabled.
New BEST for Linux installation packages are now available for systems with ARM architecture (AArch64).
Minor UI changes to the Add company and Edit company windows, including a different order for the Add-ons displayed in the Licensing tab.
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”