Edit a YARA rule

Users can edit Yara rules that were created within their environment. Shared rules within Stairwell can only be edited by making a copy of the rule body and pasting it into a new custom rule. From there editing a rule is a straight forward operation.

Start by selecting the rule you wish to edit, and open it into the half-pane view:

Next click the pencil icon and make any changes needed, then select "Test Scan"

In this view you have the option of feeding in testing criteria for file that should and/or should not match the Yara rule.

Review the results of the scan to determine if the rule logic is working as expected. Click "Close" once you are satified with the results to return to the edit view earlier and press "Submit" to save the changes.

🚧

Warning

The platform with throw an error if you attempt to edit a shared rule from another environment you do not have write access to.