Product Update: Improved Domain & IP Summaries, Refreshed Projects, and YARA-X updates


YARA Workflow improvements and faster analysis with improved indicator summaries

Takeaways

  • New, high-fidelity summaries for domains and IPs on the Search page
  • Refreshed Projects UI for clearer investigations
  • YARA workflow improvements: easier filtering, deletion, and intelligent ordering of latest results
  • YARA exits beta on December 1st; billing officially begins on January 1st

Validin’s Search page is often the very first touchpoint for an analyst, whether investigating an inbound alert, validating an indicator, or exploring possible overlaps with known infrastructure.

We’ve significantly expanded the summary view inside the Search page, giving analysts a clearer, more structured snapshot of domains and IPs, all without leaving the summary tab.

What’s new in the summary panel:

The registration block now surfaces registrar details and registration age. Resolution data highlights:

  • Last-seen resolution timestamp
  • Current IPs (with ASN and geolocation flags)
  • Latest Nameservers

This context makes it easier to identify when domains are currently active, recently registered, and whether they warrant further investigation.

The newest HTTP/S response is now displayed directly within the summary, with:

  • Full request URI
  • Response code
  • Length of received content
  • Page title
  • Favicon, including the format and hash

“View Full HTML” allows Enterprise customers to immediately expand the full response without navigating to another page.

The left sidebar provides quick contextual information:

  • Which project(s) the indicator belongs to
  • Domain/IP usage classification
  • Pivot cardinality metrics and informational attributes
  • Quick navigation to related hosts, subdomains, and IP neighbors

Figure 1. Updated domain/IP summary panel with registration, resolution, HTTP/S context, and left-side metadata


Refreshed Projects UI

Projects remain the central workspace where teams coordinate threat investigations, manage YARA detection logic, track indicators, and monitor infrastructure changes.

We’ve refreshed the projects experience to make it cleaner, more consistent, and more powerful. Every project now includes a fully integrated sidebar that provides essential context and summarization for each section within a project.

1. Always-Relevant Context

The sidebar is context-aware, meaning the information it displays changes dynamically based on the tab you are viewing (Indicators, YARA Rules, Alerts, etc.).

  • Benefit: The data you see is always relevant to your current workflow, eliminating the need to search for necessary details.

2. Instant Project Snapshot

A core set of project details is always visible at the top of the sidebar, providing a stable, persistent overview of the project’s status, regardless of the tab you are on.

  • Includes: Description, settings, and other key information about tracked indicators and live YARA rules.
  • Benefit: Get a clear understanding of the project at a glance even when switching views.

3. Quick Indicator Analysis

When you are in the Indicators tab, the sidebar surfaces immediate insights into your dataset’s makeup:

  • Indicator Distribution: See the breakdown of indicator types (Domains, IP Addresses, Hashes, Strings).
  • Tag Analysis: Review a breakdown of all applied tags.
  • Top Contributors: See a list of which team members added the most indicators.
  • Benefit: You can quickly evaluate the content in your projects and understand what you’re looking at.

Figure 2. Updated Projects UI with the new sidebar that includes summaries for the tags and types of indicators


YARA Workflow Improvements

We’ve continued to enhance the YARA experience in Validin, focusing on workflow efficiency and clarity based on feedback from early adopters. These updates make it easier to identify meaningful infrastructure changes, monitor rule activity, and manage large sets of results.

New Match Table Columns

To help analysts better distinguish genuinely new infrastructure from previously observed indicators, we’ve added five new columns to the YARA results table: Match Time, Last Match Time, First Seen, Last Seen and Count.

The Match Time column represents when the match was detected with YARA. It is similar to the Response Date column (the time at which the host was crawled for the matched response), but Match Time is especially helpful when reviewing retro hunts, where match timestamps do not align with crawl times. For example, to surface matches derived from a retro hunt, sort by Match Time (descending) to see the latest matches from your retro hunt no matter when they were actually crawled by Validin.

Because the match table is dynamic, the values shown in the calculated columns depend on how the table is currently grouped. When you choose which columns to display from the View menu, Validin automatically groups matches by the selected columns and computes all calculated values within each group.

  • First Seen is the earliest Response Date seen for that group
  • Last Seen is the latest Response Date seen for that group
  • Last Match Time is the latest Match Time seen for that group
  • Count is the total number of matches within that group

This grouping behavior allows analysts to pivot between high-level and highly granular views simply by adjusting visible columns.

For example, if you select only Host and First Seen in the View menu, the table groups results by host. Sorting by First Seen (descending) instantly highlights infrastructure appearing for the first time today. Adding fields like IP or Response Title would create more specific grouping and recalculate all values accordingly.
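An added illustration of the grouping rules above, not Validin's code: it recomputes the calculated columns over constructed match rows, and the field names (`host`, `ip`, `response_date`, `match_time`) are assumptions rather than Validin's export schema. It shows how grouping by host versus host and IP changes what sorts as newly seen, and why a retro hunt hit surfaces under Match Time but not under First Seen.

```python
from datetime import date, datetime

TODAY = date(2024, 3, 15)  # constructed "today" for the sample rows

# Constructed sample matches (documentation-range hosts and IPs).
MATCHES = [
    {"host": "login.example.test", "ip": "192.0.2.10",
     "response_date": "2024-03-04T08:00:00", "match_time": "2024-03-04T08:05:00"},
    {"host": "login.example.test", "ip": "198.51.100.7",
     "response_date": "2024-03-15T09:00:00", "match_time": "2024-03-15T09:02:00"},
    {"host": "pay.example.test", "ip": "198.51.100.7",
     "response_date": "2024-03-15T10:00:00", "match_time": "2024-03-15T10:01:00"},
    # Retro hunt hit: crawled weeks ago, matched by the rule today.
    {"host": "old.example.test", "ip": "203.0.113.5",
     "response_date": "2024-02-10T12:00:00", "match_time": "2024-03-15T11:30:00"},
]

def group_matches(matches, columns):
    """Group rows by the visible columns and compute the calculated columns."""
    groups = {}
    for m in matches:
        key = tuple(m[c] for c in columns)
        resp = datetime.fromisoformat(m["response_date"])
        matched = datetime.fromisoformat(m["match_time"])
        g = groups.setdefault(key, {"first_seen": resp, "last_seen": resp,
                                    "last_match_time": matched, "count": 0})
        g["first_seen"] = min(g["first_seen"], resp)        # earliest Response Date
        g["last_seen"] = max(g["last_seen"], resp)          # latest Response Date
        g["last_match_time"] = max(g["last_match_time"], matched)
        g["count"] += 1
    return groups

def new_on(groups, day):
    """Group keys whose First Seen falls on `day`, sorted newest first."""
    hits = [(g["first_seen"], k) for k, g in groups.items()
            if g["first_seen"].date() == day]
    return [k for _, k in sorted(hits, reverse=True)]

if __name__ == "__main__":
    by_host = group_matches(MATCHES, ["host"])
    by_host_ip = group_matches(MATCHES, ["host", "ip"])
    # Host-only grouping hides the known host's move to a new IP.
    print("new hosts today:     ", new_on(by_host, TODAY))
    print("new host/IP pairs:   ", new_on(by_host_ip, TODAY))
    retro = by_host[("old.example.test",)]
    print("retro hit first seen:", retro["first_seen"], "matched:", retro["last_match_time"])
```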

Figure 3. New Table of YARA Matches with First Seen, Last Seen, and Last Match Time columns (Host/IPs and Titles are hidden to preserve security)


Improved YARA Rule Activity Visibility from the Projects Page

Within any Validin Project, the YARA tab now provides a cleaner layout and two new columns designed for rapid triage: Activity and First Seen Today.

  • Activity displays a compact seven-day sparkline showing match volume over the past week.
  • First Seen Today shows the latest newly observed domain detected today for that rule, along with a count of how many others have appeared.

Together, these provide immediate visibility into evolving infrastructure, helping analysts prioritize emerging threats without drilling into individual match tables.

Figure 4. Updated view for the YARA tab in a Project that includes the new columns: ‘Activity’ and ‘First Seen Today’


Deleting YARA Matches

Analysts can now delete YARA matches directly from the results table. Select the checkbox for any row and click the trash icon in the header to remove it. For bulk cleanup, adjust the table view to group or filter by specific rule versions or hosts, then delete in batches.

YARA Exiting Beta

Over the past 2 months, we’ve developed a Validin-native YARA-X integration as a feature in collaboration with our enterprise partners. Validin’s YARA-X integration enables users to run their own YARA-X rules across Validin’s vast repository of host response data, approximately 5TB and 850 million host responses every day.

We’re excited to announce that after iterating on extensive feedback from our enterprise customers, we’re officially transitioning YARA out of beta. As part of this progression, we’re announcing billing and displaying to users how much each YARA run will cost. We won’t officially begin billing until January 1st, giving users 30 days to evaluate their usage and understand how this feature will affect usage.

Billing for YARA will be as follows:

  • Tracking a YARA rule in realtime: 3 API Queries / hour

  • Running a retrohunt on a YARA rule: 6 API Queries / hour

Request A Demo

Validin’s mission is to give analysts a clear, operational view of attacker infrastructure. With improved search summaries, a more structured Projects workspace, and ongoing YARA enhancements, investigations become faster and analyst workflows become simpler.

Contact us to learn more about these updates or explore Validin Enterprise.
