Manage YARA Rules

YARA rules are the backbone of custom detection in Stairwell. You can manage rules through the Stairwell UI or bulk-upload them using the Swell CLI. This page covers every rule management operation in one place.

Create a YARA Rule

Via the Stairwell UI

  1. Log in to Stairwell.
  2. Select the target Environment using the top-left environment selector.
  3. Click Rules in the sidebar navigation.
  4. Click + New Rule in the top-right area beneath the query bar.
  5. Write your YARA rule in the editor that appears on the right.
  6. (Optional) Test your rule before saving:
    1. Click Test Scan.
    2. Enter MD5, SHA-1, or SHA-256 hashes of files that should (or should not) match.
    3. Click Scan to validate the rule logic.
  7. Click Create to save the rule.

Via the Swell CLI

Use the yara upload command to bulk-import YARA rules into your environment. The command accepts either a single .yar file or a folder.

Command:

./swell yara upload --environment_id <your_environment_id> <path>

Common flags:

Flag                        Description
-f, --file <string>         Upload a .txt file containing a list of .yar file paths, one per line.
-r, --recursive             Recursively scan all sub-folders for .yar files.
--replace_existing_rules    Overwrite an existing rule that shares the same name. Without this flag, duplicates are rejected.
--attempts <int>            Number of upload retry attempts (default: 5).
--qps_limit <int>           Queries per second (default: 1). Higher values speed up uploads but increase host load.
-h, --help                  Display help for upload flags.

Examples:

# Upload a single rule file
./swell yara upload --environment_id <id> "path/to/rule.yar"

# Upload and overwrite an existing rule with the same name
./swell yara upload --environment_id <id> --replace_existing_rules "path/to/rule.yar"

# Upload all rules in a folder
./swell yara upload --environment_id <id> "path/to/folder/"

# Recursively upload rules across nested folders
./swell yara upload -r --environment_id <id> "path/to/parent-folder/"
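Because the upload rejects a rule whose name already exists unless --replace_existing_rules is given, two files in one batch that declare the same rule name are worth catching before the upload starts. The script below is an added example, not part of Swell or Stairwell: it lists the .yar files under a folder (the same recursion -r performs), extracts rule names with a line-start heuristic rather than a full YARA parser, reports any name that occurs more than once, writes the path list in the form the -f flag accepts, and only then invokes the upload. The SWELL_BIN variable, the rules.txt filename and the sample rule files in the usage notes are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Stairwell's tooling): pre-flight a folder of YARA rules
# before a Swell bulk upload. Works in POSIX sh and bash.
set -eu

# Print the rule names declared in one .yar file, one per line.
# Heuristic: a line starting with optional "private"/"global" modifiers, then
# "rule <name>". Comments and strings mentioning "rule" mid-line are ignored.
rule_names() {
  sed -nE 's/^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\3/p' "$1"
}

# Recursively collect .yar/.yara files under a directory into a list file,
# the format expected by "swell yara upload -f <list>".
# Usage: build_file_list <dir> <list_file>
build_file_list() {
  find "$1" -type f \( -name '*.yar' -o -name '*.yara' \) | LC_ALL=C sort > "$2"
}

# Print rule names that are declared more than once across the listed files.
# Returns 1 when duplicates exist (the upload would reject them without
# --replace_existing_rules), 0 when every name is unique.
find_duplicates() {
  local list="$1" names
  names=$(while IFS= read -r f; do rule_names "$f"; done < "$list" | LC_ALL=C sort | uniq -d)
  if [ -n "$names" ]; then
    printf '%s\n' "$names"
    return 1
  fi
  return 0
}

# Build the list, refuse to upload on duplicates, otherwise hand the list to
# swell. SWELL_BIN is an assumed variable naming the swell binary.
# Usage: preflight_and_upload <rules_dir> <environment_id> [list_file]
preflight_and_upload() {
  local dir="$1" env_id="$2" list="${3:-rules.txt}" dups
  build_file_list "$dir" "$list"
  if ! dups=$(find_duplicates "$list"); then
    echo "Duplicate rule names found; fix them or upload with --replace_existing_rules:" >&2
    printf '  %s\n' $dups >&2   # unquoted on purpose: one line per name
    return 1
  fi
  echo "$(wc -l < "$list" | tr -d ' ') rule file(s) listed in $list"
  "${SWELL_BIN:-./swell}" yara upload --environment_id "$env_id" -f "$list"
}

# Run only when invoked with arguments, e.g.:
#   SWELL_BIN=./swell sh preflight.sh path/to/parent-folder/ <environment_id>
if [ $# -ge 2 ]; then
  preflight_and_upload "$@"
fi
```

The name heuristic deliberately keys on the start of a line, so a commented-out rule such as "// rule Old_Variant" or a string containing the word "rule" is not counted; a rule declared on the same line as other code would be missed, which is rare in practice but worth knowing.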

Edit a YARA Rule

You can edit YARA rules that were created within your environment. Shared rules from other environments cannot be edited directly; to customize one, copy its body into a new rule in your own environment and edit that copy.

  1. Navigate to Rules and select the rule you want to edit.
  2. Open the rule in the half-pane view.
  3. Click the pencil icon to enter edit mode.
  4. Make your changes to the rule body.
  5. (Optional) Click Test Scan to validate. You can provide hashes of files that should and should not match, then review the results.
  6. Click Close on the test results when satisfied, then click Submit to save.

Note: The platform will return an error if you attempt to edit a shared rule from an environment you do not have write access to.

Enable or Disable a Rule

Toggling rules on or off lets you control detection coverage without permanently removing rule logic. Disabling a noisy rule reduces alert volume while preserving it for future use.

Single rule:

  1. Navigate to Rules and select the target rule.
  2. Use the toggle switch at the top-right of the rule body pane to enable or disable it.

Multiple rules at once:

  1. Select the checkboxes next to each rule you want to change.
  2. Click the three-dot menu at the top-right corner of the rule listing pane.
  3. Choose Enable or Disable.

Note: Inactive rules are hidden by default. Uncheck Hide inactive rules in the rules list to display them.

Delete a Rule

Deletion is permanent and cannot be undone. If you may need the rule logic later, consider disabling the rule instead.

Important: You can only delete rules created by your organization within your environment. Shared rules cannot be deleted.

Single rule:

  1. Navigate to Rules and select the rule you want to remove.
  2. Click the trash icon.
  3. Confirm the deletion when prompted.

Multiple rules at once:

  1. Select the checkboxes next to each rule you want to delete.
  2. Click the three-dot menu at the top-right corner of the rule listing pane.
  3. Choose Delete and confirm.

Search for a Rule

A consistent and intuitive naming convention for custom rules makes searching significantly easier.

  1. Navigate to Rules from the left sidebar.
  2. Enter a keyword in the Filter rules by keyword search field. By default, this searches across all active rules in all shared rule environments, including your own.
  3. (Optional) Uncheck Hide inactive rules to include disabled rules in the results.
  4. (Optional) Check or uncheck rule sets in the left panel to include or exclude specific collections.
  5. Select a rule to view its metadata and body.

Note: Due to licensing restrictions, certain rule sets (including Pro Rules) do not display the rule body.