ScanYaraRule

Runs an ad-hoc YARA rule against the historical object corpus and returns the matches. Combines two discovery paths automatically: candidate-file lookup using Stairwell's partial binary indexes, and variant discovery for any SHA256/SHA1/MD5 literals named in the rule body. Results are returned synchronously when the scan finishes or when max_matches is reached.

The scan's environment scope is controlled by the request's environments field — an empty list means "every environment the caller can read." The rule is NOT persisted; use CreateYaraRule for that. This endpoint is for quick evaluation of a rule body against history.

Body Params

Request message for ScanYaraRule RPC.

string
required

The YARA rule source code to evaluate. Must compile cleanly (run against CreateYaraRule's canary path or a test-scan UI first if unsure).

environments
array of strings

Environments to scope the scan to, as resource names (e.g. "environments/VXKCDN-..."). Intersected with the caller's readable environments; any env the caller can't read is silently dropped. If empty, the scan covers every environment the caller can read — useful for operators with broad visibility who want corpus-wide coverage without enumerating envs by hand. A fully-disjoint list (caller can't read any of them) yields PermissionDenied.

max_matches
int32

Maximum number of matches to return before terminating the scan. The scan returns as soon as this cap is reached, with cap_reached=true in the response. Default 1000; maximum 100000.

boolean

If true, the response also includes "potential missed" objects — files that look similar to what the rule matched but that the rule itself did not match. Useful for rule tuning: these are the likely-false-negatives worth reviewing. Capped at 500 entries per scan. Off by default because it makes responses take slightly longer.
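
The scoping rules for environments and the max_matches limits described above, modelled as a client-side pre-flight check (an added example, not Stairwell's code). The names plan_scan_scope and ScanScope, the caller-supplied list of readable environments and the sample resource names are assumptions; rejecting an out-of-range max_matches is a client-side choice, since the page does not say how the server treats one.

```python
from dataclasses import dataclass

DEFAULT_MAX_MATCHES = 1000   # documented default
MAX_MAX_MATCHES = 100_000    # documented maximum


@dataclass(frozen=True)
class ScanScope:
    effective: tuple   # environments the scan would actually cover
    dropped: tuple     # requested but unreadable: silently dropped by the API
    max_matches: int


def plan_scan_scope(requested, readable, max_matches=None):
    """Model the documented scoping rules before sending a request.

    requested: resource names intended for the request's `environments` field
    readable:  resource names the caller can read (obtained elsewhere; assumption)
    """
    readable_set = set(readable)
    if not requested:
        # Empty list means every environment the caller can read.
        effective, dropped = sorted(readable_set), []
    else:
        wanted = list(dict.fromkeys(requested))  # de-duplicate, keep order
        effective = [e for e in wanted if e in readable_set]
        dropped = [e for e in wanted if e not in readable_set]
        if not effective:
            # Fully disjoint list: the API answers PermissionDenied.
            raise PermissionError("no requested environment is readable")

    if max_matches is None:
        max_matches = DEFAULT_MAX_MATCHES
    elif not 1 <= max_matches <= MAX_MAX_MATCHES:
        # Client-side choice (assumption): reject instead of guessing
        # how the server handles out-of-range values.
        raise ValueError(f"max_matches must be 1..{MAX_MAX_MATCHES}")

    return ScanScope(tuple(effective), tuple(dropped), max_matches)


# Constructed sample resource names, not real environment IDs.
READABLE = ["environments/EXAMPLE-A", "environments/EXAMPLE-B"]

if __name__ == "__main__":
    scope = plan_scan_scope(
        ["environments/EXAMPLE-A", "environments/EXAMPLE-Z"], READABLE)
    print("scanning:", scope.effective)
    print("silently dropped:", scope.dropped)
```

A non-empty dropped list is the case to surface to the analyst: the scan succeeds, but a clean result says nothing about the environments that were left out.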
