BinaryAlert uses a serverless architecture that is low-cost and easy to scale and maintain. While it is helpful to understand how BinaryAlert works, keep in mind that Terraform manages all of these components so you don't have to!
- The organization collects files and delivers them to their BinaryAlert S3 bucket. Files of interest could include executable binaries, email attachments, documents, etc.
- Every file uploaded to the S3 bucket is immediately queued for analysis (using S3 event notifications).
- A dispatching Lambda function runs every minute, grouping files into batches and invoking up to dozens of analyzers in parallel.
- Each analyzer scans its files using a list of pre-compiled YARA rules.
- YARA matches are saved to DynamoDB and an alert is sent to an SNS topic. You can subscribe to these alerts via StreamAlert, email, or any other supported SNS subscription.
- For retroactive analysis, a batching Lambda function enqueues the entire S3 bucket to be re-analyzed.
- Configurable CloudWatch alarms will trigger if any BinaryAlert component is behaving abnormally. This will notify a different SNS topic than the one used for YARA match alerts.
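The pipeline described above, as an added in-memory simulation that is not BinaryAlert's own code: a dict stands in for the S3 bucket, a deque for the SQS queue fed by S3 event notifications, a dict for the DynamoDB match table and a list for the SNS alert topic. Because compiled YARA rules need yara-python, which is assumed not to be installed here, plain byte patterns stand in for rules; the batch size and analyzer cap are assumed values, and all file contents are constructed samples.

```python
"""In-memory simulation of the BinaryAlert flow (added example, not BinaryAlert code).
Stand-ins: dict = S3 bucket, deque = SQS queue, dict = DynamoDB match table,
list = SNS topic, byte patterns = compiled YARA rules (assumption: no yara-python)."""
import hashlib
from collections import deque
from concurrent.futures import ThreadPoolExecutor

# Constructed sample "bucket": object key -> file contents.
BUCKET = {
    "uploads/report.pdf": b"%PDF-1.4 ordinary document",
    "uploads/invoice.docm": b"PK\x03\x04 ... vbaProject.bin AutoOpen ...",
    "uploads/tool.exe": b"MZ\x90\x00 ... EICAR-STANDARD-ANTIVIRUS-TEST-FILE ...",
    "uploads/notes.txt": b"nothing to see here",
}

# Constructed stand-in for pre-compiled YARA rules: rule name -> byte pattern.
RULES = {
    "office_macro_autoopen": b"AutoOpen",
    "eicar_test_string": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
}

QUEUE = deque()      # files awaiting analysis (SQS stand-in)
MATCH_TABLE = {}     # (sha256, rule) -> record (DynamoDB stand-in)
ALERT_TOPIC = []     # published YARA-match alerts (SNS stand-in)

BATCH_SIZE = 2       # assumption: files handed to one analyzer invocation
MAX_ANALYZERS = 4    # assumption: cap on parallel analyzer invocations


def s3_event(key):
    """Every upload is queued immediately, as an S3 event notification would do."""
    QUEUE.append({"bucket": "binaryalert-bucket", "key": key})


def batch_enqueue_all():
    """Retroactive analysis: the batching function re-enqueues the whole bucket."""
    for key in BUCKET:
        s3_event(key)
    return len(BUCKET)


def scan(payload):
    """Analyzer: hash each file in its batch and run every rule against it."""
    results = []
    for msg in payload:
        data = BUCKET[msg["key"]]
        sha256 = hashlib.sha256(data).hexdigest()
        hits = sorted(name for name, pat in RULES.items() if pat in data)
        results.append({"key": msg["key"], "sha256": sha256, "matched_rules": hits})
    return results


def record_and_alert(results):
    """Persist each match to the table and publish one alert per matching file."""
    for r in results:
        if not r["matched_rules"]:
            continue
        for rule in r["matched_rules"]:
            MATCH_TABLE[(r["sha256"], rule)] = r
        ALERT_TOPIC.append(
            {"sha256": r["sha256"], "key": r["key"], "rules": r["matched_rules"]})


def dispatch():
    """Dispatcher: group queued files into batches and invoke analyzers in parallel.
    Returns the number of analyzer invocations made on this run."""
    batches = []
    while QUEUE and len(batches) < MAX_ANALYZERS:
        batch = [QUEUE.popleft() for _ in range(min(BATCH_SIZE, len(QUEUE)))]
        batches.append(batch)
    with ThreadPoolExecutor(max_workers=MAX_ANALYZERS) as pool:
        for results in pool.map(scan, batches):
            record_and_alert(results)
    return len(batches)


if __name__ == "__main__":
    batch_enqueue_all()
    print("analyzer invocations:", dispatch())
    for alert in ALERT_TOPIC:
        print("ALERT", alert["key"], alert["rules"])
```

Running the block enqueues the four sample objects, dispatches them as two batches, and emits alerts for the two files whose contents hit a rule; the match table is keyed on (SHA-256, rule) so that re-enqueuing the bucket for retroactive analysis overwrites rather than duplicates existing records.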