
Carbon Black Cloud Threat Intelligence Connector

Posted on April 28, 2022


Overview

The Carbon Black Cloud Threat Intelligence connector imports threat intelligence data using the STIX/TAXII standards.

This new version supports the major versions of STIX (1.2/2.0/2.1). In contrast to the previous version, it is a standalone connector with improved usability and more features, rather than part of the CBC SDK.

Prerequisites

To use this connector you must have the following products:

  • Carbon Black Cloud, Enterprise EDR
  • Carbon Black Cloud Threat Intelligence Connector (GitHub)
  • Third-Party Threat Intelligence data (STIX 1.x/2.x or TAXII 1.x/2.x)

Usage

We have created a detailed guide to installing and using the connector. The guide is located on the developer network.

The guide covers:

  • Parsing STIX files (STIX 1.x/2.x)
  • Parsing STIX data from TAXII servers/services (TAXII 1.x/2.x)
  • Creating Feeds in Carbon Black Cloud
  • Creating Watchlists in Carbon Black Cloud
  • The mappings from STIX Objects to Carbon Black Cloud Indicators of Compromise (IOCs)
  • How it all works together
  • Installing the connector inside a Docker container with a CRON job setup
  • Known problems with STIX/TAXII
  • Articles to help you better understand STIX and TAXII