Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Yara is not alerting on a binary that matches the rule
Environment
Carbon Black EDR: All Versions
Yara Connector: All Versions
Cause
The binary does nothing interesting beyond module loads (modload events), so its process document is suppressed.
Resolution
By default, sensor groups use the "Recommended" retention setting. With this setting, a binary whose execution produces nothing more than modload events does not get its own process document (it remains searchable by cmdline or childproc through the parent's process document). If the binary in question is being suppressed this way, the product will not alert on it based on the Yara feed.
For example, double-clicking a process and closing it shortly afterwards may produce no alert if the process did nothing interesting. If the same process is opened and then generates, for example, a netconn, an alert will come in for the Yara match.
Additional Information
VMware Carbon Black support does not assist with writing Yara rules. Please utilize the user exchange for assistance with rule syntax.
Setting retention to "Minimal" will alert every time that process is executed; however, this reduces the number of event days stored, because space is used to hold the individual process documents for those child processes.
The Yara connector itself is not responsible for alerting. It scans the storefiles table in Postgres for matches to the Yara rule, then writes a new report to /var/cb/data/cb-yara-connector/feed.json, which is ingested every hour during the incremental feed sync. You can verify that the report exists by searching for it in the feed on the Threat Intelligence page, or by running this command on the backend:
curl 'http://localhost:8080/solr/cbfeeds/select?q=id:"binary_<md5 hash lower case here>"'
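As an added example (not part of this KB article or of the connector's own code), a Python helper that builds the same Solr query for a given hash and walks the chain the article describes: has the connector written the hash to feed.json, and has the hourly sync placed the report in cbfeeds? The feed.json layout (reports[].iocs.md5[]) and the wt=json parameter are assumptions; the sample feed and Solr responses are constructed.

```python
import urllib.parse

SOLR_BASE = "http://localhost:8080/solr/cbfeeds/select"  # endpoint from the article's curl command
FEED_PATH = "/var/cb/data/cb-yara-connector/feed.json"   # path from the article (load it with json.load)

# Constructed sample in the assumed Cb feed layout (reports[].iocs.md5[]); not a real feed.json.
SAMPLE_FEED = {
    "feedinfo": {"name": "yara", "display_name": "Yara Connector"},
    "reports": [{"id": "binary_0123456789abcdef0123456789abcdef",
                 "title": "yara match: example_rule", "score": 100,
                 "iocs": {"md5": ["0123456789abcdef0123456789abcdef"]}}],
}
# Constructed Solr (wt=json) responses: report already synced into cbfeeds, and not present.
SAMPLE_SOLR_HIT = {"response": {"numFound": 1, "docs": [{"id": "binary_0123456789abcdef0123456789abcdef"}]}}
SAMPLE_SOLR_MISS = {"response": {"numFound": 0, "docs": []}}

def report_id(md5: str) -> str:
    """Solr id of the connector's report: binary_<md5 in lower case>, as in the article."""
    md5 = md5.strip().lower()
    if len(md5) != 32 or any(c not in "0123456789abcdef" for c in md5):
        raise ValueError(f"not an MD5 hex digest: {md5!r}")
    return f"binary_{md5}"

def solr_query_url(md5: str) -> str:
    """The article's curl query, URL-encoded; wt=json (added here) asks Solr for a JSON response."""
    return SOLR_BASE + "?" + urllib.parse.urlencode({"q": f'id:"{report_id(md5)}"', "wt": "json"})

def report_in_feed(feed: dict, md5: str) -> bool:
    """True if feed.json already lists the hash, i.e. the connector matched the rule."""
    want = md5.strip().lower()
    return any(want in (h.lower() for h in r.get("iocs", {}).get("md5", []))
               for r in feed.get("reports", []))

def report_in_solr(solr_response: dict) -> bool:
    """True if cbfeeds holds the report, i.e. the hourly incremental sync has ingested it."""
    return solr_response.get("response", {}).get("numFound", 0) > 0

def diagnose(md5: str, feed: dict, solr_response: dict) -> str:
    """Locate where the alert pipeline stops for this hash."""
    if report_in_solr(solr_response):
        return "synced"        # report is in cbfeeds; a missing alert points at retention suppression
    if report_in_feed(feed, md5):
        return "pending-sync"  # written by the connector, not yet picked up by incremental feed sync
    return "no-report"         # connector has not matched this binary (not scanned, or rule mismatch)

if __name__ == "__main__":
    md5 = "0123456789ABCDEF0123456789ABCDEF"
    print(solr_query_url(md5))
    print(diagnose(md5, SAMPLE_FEED, SAMPLE_SOLR_MISS))
```

When "synced" is returned but no alert fired, the cause is the retention suppression described above rather than the connector or the feed.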