Posted on June 26, 2020
We are happy to announce the 1.0 release of the Carbon Black Cloud Binary Toolkit.
The Binary Toolkit integrates Carbon Black Cloud Enterprise EDR with a binary analysis engine, such as YARA. When the toolkit receives the hashes of binaries seen in your organization, it fetches metadata for those binaries from the Unified Binary Store (UBS), runs the binaries through the analysis engine, consolidates the engine results with the metadata, and sends the combined report back to the Carbon Black Cloud, where you can subscribe to it and monitor your environment through Watchlists.
This release is for customers and partners using Carbon Black Cloud Enterprise EDR who send binaries to the UBS and have a suite of YARA rules, or another analysis engine, to run against those binaries.
There were no major changes from the Alpha release in May. Changes that did occur include:
Minor Bug Fixes
Completion of end-to-end testing on a variety of operating systems, including CentOS, Ubuntu, OpenSUSE and Windows Server 2019
Scale testing — see information about scale and performance here
Out of the box, it can be installed using pip install and then configured to:
Watchlists can also subscribe to Feeds for continued monitoring.
Processing state is managed by a persistence store, SQLite by default. This lets processing resume after a failure and deduplicates hashes, so a binary already analyzed in an earlier execution is not analyzed again.
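To make the resume-and-deduplicate behaviour concrete, here is a small SQLite-backed state store written for this post. It is an illustration, not the Binary Toolkit's own persistor: the table layout, the `pending`/`done` status values, the function names and the sample hashes are all assumptions. `demo()` simulates a first run that dies after claiming a hash, then a second run that finishes that hash, skips the hashes already done, and analyzes a new hash only once even when it appears twice in the batch.

```python
"""Hypothetical SQLite-backed state store for a binary-analysis pipeline.

Added for this post as an illustration; it is not the Binary Toolkit's own
persistor. The table layout, status values and function names are assumptions.
"""
import hashlib
import os
import sqlite3
import tempfile
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS analysis_state (
    file_hash   TEXT NOT NULL,   -- SHA-256 of the binary
    engine      TEXT NOT NULL,   -- analysis engine that owns this row
    status      TEXT NOT NULL,   -- 'pending' or 'done'
    started_at  REAL NOT NULL,
    finished_at REAL,
    result      TEXT,
    PRIMARY KEY (file_hash, engine)
);
"""

# Constructed sample hashes (SHA-256 of made-up byte strings), not real binaries.
SAMPLE_HASHES = tuple(
    hashlib.sha256(b).hexdigest() for b in (b"sample-1", b"sample-2", b"sample-3")
)


class StateStore:
    """Records which hashes have been claimed and finished for each engine."""

    def __init__(self, db_path):
        self.conn = sqlite3.connect(str(db_path))
        self.conn.executescript(SCHEMA)

    def claim(self, file_hash, engine):
        """Mark a hash as pending. Returns False if the hash was already claimed
        (pending or done) for this engine; that is the deduplication check."""
        try:
            with self.conn:  # commits on success, rolls back on error
                self.conn.execute(
                    "INSERT INTO analysis_state (file_hash, engine, status, started_at) "
                    "VALUES (?, ?, 'pending', ?)",
                    (file_hash, engine, time.time()),
                )
            return True
        except sqlite3.IntegrityError:
            return False

    def complete(self, file_hash, engine, result):
        with self.conn:
            self.conn.execute(
                "UPDATE analysis_state SET status = 'done', finished_at = ?, result = ? "
                "WHERE file_hash = ? AND engine = ?",
                (time.time(), result, file_hash, engine),
            )

    def unfinished(self, engine):
        """Hashes claimed but never completed, e.g. by a run that crashed."""
        rows = self.conn.execute(
            "SELECT file_hash FROM analysis_state "
            "WHERE engine = ? AND status = 'pending' ORDER BY started_at",
            (engine,),
        ).fetchall()
        return [row[0] for row in rows]

    def close(self):
        self.conn.close()


def process_batch(store, engine, hashes, analyze):
    """Resume unfinished work first, then analyze each new hash exactly once.

    `analyze(file_hash)` stands in for fetching the binary from the UBS and
    running the engine; here it just returns a result string.
    """
    summary = {"resumed": [], "analyzed": [], "skipped": []}
    for h in store.unfinished(engine):
        store.complete(h, engine, analyze(h))
        summary["resumed"].append(h)
    for h in hashes:
        if not store.claim(h, engine):
            summary["skipped"].append(h)  # already done, just resumed, or a duplicate
            continue
        store.complete(h, engine, analyze(h))
        summary["analyzed"].append(h)
    return summary


def demo(db_path=None, engine="yara"):
    """First run dies after claiming h2; second run resumes and deduplicates."""
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(), "state.db")
    h1, h2, h3 = SAMPLE_HASHES

    def analyze(file_hash):
        return "no_match"

    first = StateStore(db_path)
    first.claim(h1, engine)
    first.complete(h1, engine, analyze(h1))
    first.claim(h2, engine)  # claimed, then the process "crashes" here
    first.close()

    second = StateStore(db_path)
    summary = process_batch(second, engine, [h1, h2, h3, h3], analyze)
    second.close()
    return summary
```

The composite primary key is what does the work: a duplicate `INSERT` fails atomically, so two workers (or two runs) cannot both pick up the same hash for the same engine, and rows left in `pending` are exactly the work a crashed run never finished.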
The YARA rules engine is one example of an analysis engine that can be used with the Binary Toolkit: the yara-python library runs in-process and is ready for your rules to be added. To add a different engine, or to move to an out-of-process engine, see the Developer Guide.
The toolkit also provides a base you can extend, which reduces the time required to build integrations that analyze Carbon Black Cloud binaries. See the Developer Guide for how to use a different analysis engine or change the datastore used for state management.
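The following added example sketches the hash-to-report flow described above together with a swappable engine interface. It is written for this post and is not the Binary Toolkit's code: the `AnalysisEngine` base class, the in-memory stand-in for the Unified Binary Store, the report fields and the sample binaries are all assumptions. The in-process `SubstringEngine` matches byte patterns so the example runs without yara-python installed; a YARA-backed engine would keep the same `analyze()` signature and run compiled rules against the bytes instead.

```python
"""Illustrative hash-to-report pipeline with a pluggable analysis engine.

Added example for this post, not the Binary Toolkit's own code. The engine
interface, the in-memory UBS stand-in and the report layout are assumptions.
"""
import hashlib
from abc import ABC, abstractmethod


class AnalysisEngine(ABC):
    """What the pipeline needs from any engine, in-process or out-of-process."""
    name = "base"

    @abstractmethod
    def analyze(self, file_hash, data):
        """Return the names of the rules that matched `data`."""


class SubstringEngine(AnalysisEngine):
    """Minimal in-process engine: each rule is a byte pattern.

    A YARA-backed engine would implement the same interface, compiling rule
    source up front and matching the compiled rules against the bytes.
    """
    name = "substring"

    def __init__(self, rules):
        self.rules = rules

    def analyze(self, file_hash, data):
        return sorted(name for name, pattern in self.rules.items() if pattern in data)


# Constructed samples standing in for binaries uploaded to the UBS (not real files).
SAMPLES = {
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode" + b"sekurlsa::logonpasswords",
    "readme.txt": b"release notes for the binary toolkit",
}
# Hypothetical rules in the same spirit as simple YARA string rules.
RULES = {
    "pe_header": b"MZ",
    "mimikatz_module": b"sekurlsa::",
}


def build_fake_ubs(samples):
    """Index constructed samples by SHA-256, the key the pipeline looks up."""
    ubs = {}
    for file_name, data in samples.items():
        sha256 = hashlib.sha256(data).hexdigest()
        metadata = {"sha256": sha256, "file_name": file_name, "file_size": len(data)}
        ubs[sha256] = (metadata, data)
    return ubs


def run_pipeline(hashes, ubs, engine):
    """For each hash: fetch metadata and bytes, run the engine, merge into one report."""
    reports = []
    for sha256 in hashes:
        entry = ubs.get(sha256)
        if entry is None:
            # A sensor saw the hash but the binary was never uploaded to the UBS.
            reports.append({"sha256": sha256, "error": "not in UBS", "matches": []})
            continue
        metadata, data = entry
        matches = engine.analyze(sha256, data)
        reports.append(
            {**metadata, "engine": engine.name, "matches": matches, "flagged": bool(matches)}
        )
    return reports


def demo():
    """Run the constructed samples plus one unknown hash through the pipeline."""
    ubs = build_fake_ubs(SAMPLES)
    engine = SubstringEngine(RULES)
    unknown = "0" * 64  # a hash the UBS never received
    return run_pipeline(list(ubs) + [unknown], ubs, engine)
```

Keeping the engine behind a narrow `analyze(file_hash, data)` interface is what makes the swap to an out-of-process engine cheap: the pipeline, the UBS lookup and the report consolidation do not change, and the missing-binary case is handled in the pipeline rather than in each engine.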