yara

Track YARA matches for files or PIDs.

Table schema

Name       Type     Description
path       TEXT     The path scanned
matches    TEXT     List of YARA matches
count      INTEGER  Number of YARA matches
sig_group  TEXT     Signature group used
sigfile    TEXT     Signature file used
strings    TEXT     Matching strings
tags       TEXT     Matching tags

Query examples

SELECT * FROM yara WHERE path = '/etc/passwd';
SELECT * FROM yara WHERE path LIKE '/etc/%';
SELECT * FROM yara WHERE path = '/etc/passwd' AND sigfile = '/etc/osquery/yara/test.yara';
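A detection-oriented query built on the columns above, added here as an example and not part of the original table documentation. It assumes the standard osquery `file` table is available for enumerating a directory, and reuses the signature file path `/etc/osquery/yara/test.yara` from the examples above; only rows with at least one match are returned, so the result set is empty on a clean host.

```sql
-- Scan every regular file directly under /tmp (constructed example
-- directory) with the signature file used in the examples above, and
-- keep only paths that produced at least one YARA match.
SELECT
  y.path,         -- file that was scanned
  y.count,        -- number of rules that fired
  y.matches,      -- rule names that matched
  y.tags,         -- tags attached to the matching rules
  y.strings,      -- which strings inside the file triggered the match
  y.sigfile,      -- signature file applied, useful for pack auditing
  f.size,         -- context from the file table for triage
  f.mtime         -- last modification time (epoch seconds)
FROM file AS f
JOIN yara AS y ON y.path = f.path
WHERE f.directory = '/tmp'
  AND f.type = 'regular'
  AND y.sigfile = '/etc/osquery/yara/test.yara'
  AND y.count > 0
ORDER BY y.count DESC, f.mtime DESC;
```

Scheduling this query in a pack turns the `yara` table into a periodic scanner whose diff log only contains new or changed matches, which keeps the result volume small compared with logging every scanned path.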