The Yara Connector analyzes new binaries against the current rules. If enabled, EDR alerts on the matched binaries.
The Yara Manager (optional) provides an easy way to manage the Yara Connector from the EDR Console. See the KB "Installing and Configuring the Yara Manager".
A. Install Yara Component (derived from developer.carbonblack.com)
1. Create the Carbon Black open source repo
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
2. Install the cb-yara-connector
yum install python-cb-yara-connector
3. Install the cb-yara-manager (optional)
yum install python-cb-yara-manager
B. Configure and Enable Yara Connector (all environments)
1. Obtain an admin user token.
psql cb -p 5002 -c "select username, auth_token from cb_user where global_admin=true;"
2. Create the yara-configuration file
cd /etc/cb/integrations/yara/
mv connector.conf.example yaraconnector.conf
vi /etc/cb/integrations/cb-yara-connector/yaraconnector.conf
3. Modify yaraconnector.conf
mode=standalone (use this for both EDR cluster and EDR standalone environments; distribution communication now goes through the EDR redis instance)
cb_server_url=https://127.0.0.1
cb_server_token=< API TOKEN from step B1 GOES HERE >
broker_url=redis://127.0.0.1:6379
numb_days_binaries=365 (keep the default; number of days of binaries covered by the initial scan)
database-scanning_interval=900 (keep the default; cannot be set below 360)
4. Use the default rule (already included) to get cb-yara-connector working, then add rules later.
5. Start the Yara Connector (stop any running instance, confirm its state, then start it).
systemctl stop cb-yara-connector
systemctl status cb-yara-connector
systemctl start cb-yara-connector
6. Enable the Threat Intelligence Yara Feed tile.
EDR Console > Threat Intelligence > Yara tile
Click "Enabled".
Notifications > "Create Alert"
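The following is an added example, not part of this KB or of the cb-yara-connector project: a small POSIX shell helper that renders the yaraconnector.conf described in steps B2 and B3 from parameters and checks it before the service is started. The configuration keys and values are those listed above; the [general] section header, the output path, the function names and the sample token value are assumptions made for illustration. Since the file carries the admin API token from step B1, it is created readable by its owner only, and the check refuses a file that still contains the "< API TOKEN ... >" placeholder or an interval below the documented minimum of 360.

```shell
#!/bin/sh
# Added example (not from the KB or the connector project): render and verify
# a yaraconnector.conf. Keys match the KB; [general] header, paths and
# function names are assumptions.

# write_yara_conf OUTFILE TOKEN NUM_DAYS SCAN_INTERVAL
# Writes the file and returns 0; on bad input returns non-zero without writing.
write_yara_conf() {
  out="$1"; token="$2"; days="$3"; interval="$4"

  # The token is the EDR admin API token obtained in step B1; refuse an empty one.
  [ -n "$token" ] || { echo "write_yara_conf: empty token" >&2; return 2; }

  # Both numeric settings must be positive integers.
  case "$days" in ''|*[!0-9]*) echo "bad num days: $days" >&2; return 3;; esac
  case "$interval" in ''|*[!0-9]*) echo "bad interval: $interval" >&2; return 3;; esac

  # The KB states the scanning interval cannot be less than 360.
  [ "$interval" -ge 360 ] || { echo "interval $interval is below 360" >&2; return 4; }

  # The file holds a privileged token: create it with owner-only permissions.
  # umask is changed inside a subshell so the caller's umask is untouched.
  ( umask 077; cat > "$out" <<EOF
[general]
mode=standalone
cb_server_url=https://127.0.0.1
cb_server_token=$token
broker_url=redis://127.0.0.1:6379
numb_days_binaries=$days
database-scanning_interval=$interval
EOF
  )
}

# check_yara_conf FILE
# Verifies permissions, a real token and a valid interval before systemctl start.
check_yara_conf() {
  f="$1"
  [ -f "$f" ] || { echo "check_yara_conf: missing $f" >&2; return 1; }

  # Mode string from ls -l (first 10 chars) must be owner read/write only.
  mode=$(ls -l "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || { echo "$f has mode $mode, expected -rw-------" >&2; return 5; }

  # Reject an empty token or the "< API TOKEN ... >" placeholder left in place.
  token=$(sed -n 's/^cb_server_token=//p' "$f")
  case "$token" in ''|*"<"*) echo "token missing or placeholder not replaced" >&2; return 6;; esac

  # Interval must be present, numeric and at least 360 (the [ test fails otherwise).
  interval=$(sed -n 's/^database-scanning_interval=//p' "$f")
  [ "$interval" -ge 360 ] 2>/dev/null || { echo "database-scanning_interval invalid" >&2; return 4; }
  return 0
}

# Demo with a constructed token value, written to a temporary location.
demo_out="${TMPDIR:-/tmp}/yaraconnector.conf.demo-$$"
write_yara_conf "$demo_out" "0123456789abcdef-constructed-token" 365 900 \
  && check_yara_conf "$demo_out" && echo "config OK: $demo_out"
rm -f "$demo_out"
```

In practice the output path would be /etc/cb/integrations/cb-yara-connector/yaraconnector.conf and the token would be piped in from the psql query in step B1 rather than typed on the command line, so it does not land in shell history; running check_yara_conf before systemctl start catches the two most common mistakes in this procedure (placeholder token left in, interval set too low) before the connector logs a failure.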