How does the Yara Connector and Yara Manager work with EDR servers?
Yara Components and Data Flow
This is a article attached image
1. Yara rules .yar files are read, compressed and loaded into memory. New .yar files are included without restarting cb-yara-connector service. Component: /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES_xxxx
2. Read the Postgres database binary_status table every 15 minutes to identify new binary entries. Component: Postgres DB table binary_status.
3. New binaries are stored on the EDR servers. Yara Connector pulls a temporary copy of the new binary from the EDR servers. Component: /var/cb/data/modulestore/
4. The binaries are analyzed against the Yara rules and recorded in Yara Connector’s Sqlite database. Component: /var/cb/data/cb-yara-connector/feed_db/binary.db. The binary.db-wal and binary.db-shm are helper files for binary.db.
5. If a binary matches a Yara rule, the information is stored in the Yara Connector’s JSON file. Component: /var/cb/data/cb-yara-connector/feed.json
6. Every hour, Yara Connector performs an incremental synchronization between feed.json and Solr data. A complete synchronization occurs daily. Incremental and complete synchronizations can occur on demand from the Yara Feed tile. Component: /var/cb/data/solr/
7. The EDR Console uses API calls against the Solr data to extract the Yara alerts in Notifications, Process Searches and Yara Threat Reports.