Sweeping your environment to find the evil
What is Triage?
Triage Definition: The assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties.
The origin of the term triage goes back to World War II, when doctors had to prioritize patients based on the severity of their wounds. The same principle applies to enterprise forensics.
Triage with YARA
AIR provides you with out-of-the-box examples for searching files, processes, strings, and other indicators of compromise using YARA rules.
Sweeping your environment for these indicators is as easy as creating a Triage Rule and assigning it to an endpoint or a group. This, in turn, creates a Triage Task for each endpoint, so you can check whether the endpoint or group in question contains any of the traces described by the Triage Rule.
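The following YARA rule is an added illustration of the kind of indicator a Triage Rule can carry; it is not one of AIR's built-in examples, and the rule name, metadata values and string patterns are constructed for this page. It shows the three building blocks a practitioner uses when writing a sweep: text strings (with `ascii`, `wide` and `nocase` modifiers so both ANSI and UTF-16 occurrences are caught), a regular expression, and a condition that combines them with a file-size bound and a file-header check so the rule stays cheap to evaluate across many endpoints.

```yara
rule Triage_Example_Persistence_And_Downloader
{
    meta:
        description = "Illustrative triage rule: PE files that reference a Run-key persistence path together with a download or hidden-PowerShell string"
        author      = "added example for this page, not an AIR built-in rule"
        severity    = "medium"

    strings:
        // Registry autostart path; 'wide' also matches UTF-16 copies inside PE resources
        $run_key   = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
        // Win32 API commonly imported by simple downloaders
        $urlmon    = "URLDownloadToFile" ascii
        // PowerShell launched with a hidden window (case-insensitive regex)
        $ps_hidden = /powershell(\.exe)? +-(w|windowstyle) +hidden/ nocase

    condition:
        // 'MZ' header at offset 0 and a size cap keep the sweep cheap on large disks
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        $run_key and
        ($urlmon or $ps_hidden)
}
```

When this rule is attached to a Triage Rule and assigned to a group, each endpoint's Triage Task reports the files (or process memory regions, depending on the scan scope) that satisfy the condition. Requiring the persistence path in combination with one of the secondary strings, rather than any single string alone, is what keeps the false-positive rate manageable: many legitimate installers touch the Run key, far fewer also embed a hidden-PowerShell launch.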