Monitor a YARA rule
Learn how to continuously monitor YARA rules for newly matched infrastructure.
Monitoring a YARA rule continuously evaluates Validin’s collected HTTP telemetry and updates the All Matches tab whenever new content matches the rule, allowing you to review recent detections.
You can also enable retrohunting to check for historical matches.
Rule validity: Monitoring depends on the rule’s validity. Rules with syntax errors or unresolved dependencies cannot be monitored.
Enable monitoring for a YARA rule
To begin monitoring a rule, open the rule and configure tracking.
- Open a Project.
- Select the YARA Rules tab.
- Select a rule to open its detail view.
- Use the Tracking control to enable monitoring.
- Confirm the rule saves with an active tracking version, displayed as Tracking vX.
Once enabled, Validin evaluates new HTTP responses against the rule as they enter the platform.
Rule eligibility: Ensure your rule has a stable condition with low false positives before enabling monitoring, to reduce noise.
Review monitored results
To inspect monitored matches, use the rule’s built-in views.
- Open the YARA rule being monitored.
- Select the All Matches tab to view live match results.
- Review newly observed entries using the First Seen and Last Seen timestamps.
Results appear in a table with the following fields:
| Field | Description |
|---|---|
| Host/IP | The host or resolved IP address where a match was recorded. |
| Port | Destination port for the HTTP request. |
| Response/Path | The path and URL segment where the match occurred. |
| Title | Extracted HTML title of the matched page. |
| Bytes Received | Size of the returned payload. |
| First Seen | When the matched content was first observed. |
| Last Seen | Most recent observation of the matched resource. |
Selecting a row opens the enriched HTTP event. This includes HTML source, certificate metadata, JARM fingerprint, response banners, and additional artifacts useful for investigation.
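The following is an added example, not part of this page or Validin’s own code, showing how an analyst might triage rows exported from the All Matches table. It assumes the rows carry the documented fields (Host/IP, Port, Response/Path, Title, Bytes Received, First Seen, Last Seen), that the timestamps are ISO 8601 in UTC, and that a “last reviewed” watermark is kept between reviews; all sample rows and values are constructed. Beyond the text above, it also flags one page title recurring across many unrelated hosts, a common sign that the rule is matching a generic template rather than the intended infrastructure.

```python
"""Triage rows from a monitored YARA rule's All Matches table.

Added example; not Validin code. Row shape mirrors the documented table
fields, timestamps are assumed ISO 8601 UTC, and all sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows (documentation IP ranges, invented paths and titles).
SAMPLE_MATCHES = [
    {"host": "203.0.113.10", "port": 443, "path": "/login", "title": "Secure Portal",
     "bytes": 18234, "first_seen": "2024-05-01T10:15:00Z", "last_seen": "2024-05-06T08:00:00Z"},
    {"host": "198.51.100.7", "port": 8080, "path": "/admin", "title": "Secure Portal",
     "bytes": 18230, "first_seen": "2024-05-04T02:30:00Z", "last_seen": "2024-05-05T11:45:00Z"},
    {"host": "203.0.113.22", "port": 80, "path": "/", "title": "Secure Portal",
     "bytes": 18240, "first_seen": "2024-05-05T09:00:00Z", "last_seen": "2024-05-05T09:00:00Z"},
    {"host": "198.51.100.9", "port": 443, "path": "/panel", "title": "Index of /",
     "bytes": 512, "first_seen": "2024-04-20T07:00:00Z", "last_seen": "2024-04-28T07:00:00Z"},
    {"host": "203.0.113.10", "port": 8443, "path": "/login", "title": "Welcome",
     "bytes": 9100, "first_seen": "2024-05-04T16:20:00Z", "last_seen": "2024-05-04T16:20:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is treated as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def match_key(row: dict) -> str:
    """Stable identity for a matched resource: host, port and path."""
    return f"{row['host']}:{row['port']}{row['path']}"


def triage(rows, reviewed_until: str) -> dict:
    """Split rows by what changed since the last review (the watermark).

    new:        First Seen is after the watermark (never reviewed before)
    reobserved: seen before the watermark, but Last Seen has moved past it
    unchanged:  nothing new since the last review
    """
    watermark = parse_ts(reviewed_until)
    buckets = {"new": [], "reobserved": [], "unchanged": []}
    for row in rows:
        first, last = parse_ts(row["first_seen"]), parse_ts(row["last_seen"])
        if first > watermark:
            buckets["new"].append(match_key(row))
        elif last > watermark:
            buckets["reobserved"].append(match_key(row))
        else:
            buckets["unchanged"].append(match_key(row))
    return buckets


def title_clusters(rows, min_hosts: int = 3) -> dict:
    """Return titles that recur across at least `min_hosts` distinct hosts.

    A rule whose hits share one page title across unrelated hosts is often
    matching a generic template (a default page, a framework login form),
    a false-positive signal worth checking before trusting the alerts.
    """
    hosts_by_title = defaultdict(set)
    for row in rows:
        hosts_by_title[row["title"]].add(row["host"])
    return {title: sorted(hosts) for title, hosts in hosts_by_title.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    result = triage(SAMPLE_MATCHES, "2024-05-03T00:00:00Z")
    for bucket, keys in result.items():
        print(f"{bucket}: {keys}")
    for title, hosts in title_clusters(SAMPLE_MATCHES).items():
        print(f"possible template match: {title!r} on {len(hosts)} hosts")
```

The watermark is simply the time of the previous review; rows in the `new` bucket are the entries to look at first, while `reobserved` rows show the matched resource is still live. A populated `title_clusters` result is a prompt to revisit the rule’s condition before relying on its alerts.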
Monitor historical matches with retrohunting
To extend monitoring beyond new telemetry, run periodic retrohunts.
- Open the YARA rule.
- Select New Retro to initiate a historical scan.
- Review results in the Retrohunt section of the rule.
Detecting infrastructure shift: Retrohunting supplements live monitoring by identifying older artifacts matched by the rule.
Update a monitored rule
Monitoring continues only if the rule remains valid and saved. When updating a monitored rule, Validin applies version control to preserve the previous tracking state. This ensures rule evolution is captured while maintaining monitoring continuity.
- Edit the YARA rule in the Rule Editor.
- Select Save to update the rule.
- Confirm the updated tracking version (for example, Tracking v2).
Stop monitoring a rule
Monitoring can be disabled without removing the rule from the Project.
Monitoring stops immediately and no further matches are recorded.
- Open the YARA rule.
- Select the Tracking control to disable monitoring.
- Confirm that tracking information is no longer displayed.