table_name("yara")
description("Track YARA matches for files or PIDs.")
schema([
    Column("path", TEXT, "The path scanned",
        index=True, required=True),
    Column("matches", TEXT, "List of YARA matches",
        index=True),
    Column("count", INTEGER, "Number of YARA matches"),
    Column("sig_group", TEXT, "Signature group used",
        index=True, additional=True),
    Column("sigfile", TEXT, "Signature file used",
        index=True, additional=True),
    Column("strings", TEXT, "Matching strings"),
    Column("tags", TEXT, "Matching tags"),
])
implementation("yara@genYara")
examples([
  "select * from yara where path = '/etc/passwd'",
  "select * from yara where path LIKE '/etc/%'",
  "select * from yara where path = '/etc/passwd' and sigfile = '/etc/osquery/yara/test.yara'",
])