Yara Components and Data Flow
1. Yara rule (.yar) files are read, compiled and loaded into memory. New .yar files dropped into the rules directory are picked up without restarting the cb-yara-connector service.
Component: /etc/cb/integrations/cb-yara-connector/yara_rules/.YARA_RULES_xxxx
2. Every 15 minutes, the binary_status table in the Postgres database is read to identify binary entries that have not yet been scanned.
Component: Postgres DB table binary_status.
3. New binaries are stored in the module store on the EDR server. The Yara Connector pulls a temporary copy of each new binary from the EDR server for scanning.
Component: /var/cb/data/modulestore/
4. The binaries are scanned against the Yara rules and the results (including binaries with no match) are recorded in the Yara Connector's SQLite database, so that each binary is scanned only once.
Component: /var/cb/data/cb-yara-connector/feed_db/binary.db. The binary.db-wal and binary.db-shm files are the write-ahead log and shared-memory index that SQLite maintains for binary.db in WAL journaling mode; they are not separate databases and should be left in place alongside binary.db.
5. If a binary matches a Yara rule, the match is written as a report in the Yara Connector's feed JSON file.
Component: /var/cb/data/cb-yara-connector/feed.json
6. Every hour, the Yara Connector performs an incremental synchronization between feed.json and the Solr data; a complete synchronization occurs daily. Both an incremental and a complete synchronization can be triggered on demand from the Yara Feed tile.
Component: /var/cb/data/solr/
7. The EDR Console uses API calls against the Solr data to extract the Yara alerts in Notifications, Process Searches and Yara Threat Reports.
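The steps above can be modelled end to end in a few dozen lines. The following is an added example written for this page, not code from the cb-yara-connector project: it opens a SQLite results database in WAL mode (which is what produces the -wal and -shm helper files), works out which binaries from the status table have not been scanned yet, scans them, records the outcome, and builds a feed JSON of the matches. The table name binary_results, the feed layout, the fetch callback standing in for the pull from the module store, and the sample binaries are all assumptions for illustration; compile_yara_rules shows the real yara-python call, while SubstringRules is a constructed stand-in with the same .match(data=...) shape so the example runs without yara installed.

```python
"""Model of the Yara Connector data flow (added example, not the connector's own code).

Assumed for illustration: the binary_results table, the feed JSON layout, the
fetch callback that stands in for pulling a binary from the module store, and
the sample binaries. yara-python is only needed by compile_yara_rules().
"""
import glob
import json
import os
import sqlite3
import time


def open_feed_db(path=":memory:"):
    """Open binary.db. WAL journaling is what creates the binary.db-wal and
    binary.db-shm helper files next to an on-disk database."""
    db = sqlite3.connect(path)
    db.execute("PRAGMA journal_mode=WAL")
    db.execute(
        "CREATE TABLE IF NOT EXISTS binary_results ("
        " md5 TEXT PRIMARY KEY, scanned_at INTEGER NOT NULL,"
        " matches TEXT NOT NULL)"  # matches: JSON list of rule names (assumed schema)
    )
    return db


def compile_yara_rules(rules_dir):
    """Compile every .yar file under rules_dir with yara-python.
    yara.compile(filepaths={namespace: path}) is the real yara-python API."""
    import yara  # imported lazily so the rest of the module works without it
    paths = glob.glob(os.path.join(rules_dir, "*.yar"))
    return yara.compile(filepaths={os.path.basename(p): p for p in paths})


class SubstringRules:
    """Constructed stand-in for compiled yara rules: same .match(data=) shape,
    each rule is just a byte string that must occur in the binary."""

    class _Match:
        def __init__(self, rule):
            self.rule = rule

    def __init__(self, rules):
        self.rules = rules  # {rule_name: bytes}

    def match(self, data):
        return [self._Match(name) for name, needle in self.rules.items() if needle in data]


def new_binaries(status_md5s, feed_db):
    """The incremental work for one pass: md5s listed in binary_status that
    have no row in binary_results yet."""
    seen = {row[0] for row in feed_db.execute("SELECT md5 FROM binary_results")}
    return [md5 for md5 in status_md5s if md5 not in seen]


def scan_and_record(rules, md5, data, feed_db, now=None):
    """Scan one binary and persist the result, even when nothing matched,
    so the binary is not pulled and scanned again on the next pass."""
    hits = sorted({m.rule for m in rules.match(data=data)})
    feed_db.execute(
        "INSERT OR REPLACE INTO binary_results VALUES (?, ?, ?)",
        (md5, int(now if now is not None else time.time()), json.dumps(hits)),
    )
    feed_db.commit()
    return hits


def run_pass(rules, status_md5s, fetch, feed_db, now=None):
    """One 15-minute pass: fetch(md5) stands in for pulling a temporary copy
    of the binary from the module store. Returns {md5: [rule names]} for the
    binaries scanned in this pass only."""
    results = {}
    for md5 in new_binaries(status_md5s, feed_db):
        results[md5] = scan_and_record(rules, md5, fetch(md5), feed_db, now)
    return results


def build_feed(feed_db, feed_name="yara"):
    """Emit one report per matched binary, keyed by md5, in a layout modelled
    on a Carbon Black threat-intelligence feed (assumed here, not verbatim)."""
    reports = []
    for md5, scanned_at, matches in feed_db.execute(
        "SELECT md5, scanned_at, matches FROM binary_results ORDER BY md5"
    ):
        hits = json.loads(matches)
        if not hits:
            continue  # clean binaries stay in binary.db but never reach feed.json
        reports.append({
            "id": md5,
            "timestamp": scanned_at,
            "score": 100,
            "title": "Yara match: " + ", ".join(hits),
            "iocs": {"md5": [md5]},
        })
    return {"feedinfo": {"name": feed_name}, "reports": reports}


if __name__ == "__main__":
    # Constructed sample data: two "binaries" keyed by placeholder md5 strings.
    store = {"md5_bad": b"MZ\x90\x00...mimikatz...", "md5_clean": b"MZ\x90\x00...hello..."}
    rules = SubstringRules({"suspicious_string": b"mimikatz"})
    db = open_feed_db()
    print(run_pass(rules, list(store), store.__getitem__, db))  # both scanned
    print(run_pass(rules, list(store), store.__getitem__, db))  # nothing new
    print(json.dumps(build_feed(db), indent=2))
```

Running the pass twice against the same status rows shows the point of binary.db: the second pass scans nothing, because every binary already has a row, and only the matching binary is carried over into the feed.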