Carbon Black Cloud Threat Intelligence Connector

Posted on April 28, 2022


The Carbon Black Cloud Threat Intelligence connector allows the importing of threat intelligence data by using the STIX/TAXII standards.

This new version supports the major versions of STIX (1.2/2.0/2.1). In contrast to the previous version it is a standalone connector with improved usability and more features, rather than part of the CBC SDK.


To use this connector you must have the following products:

  • Carbon Black Cloud, Enterprise EDR
  • Carbon Black Cloud Threat Intelligence Connector (GitHub)
  • Third-Party Threat Intelligence data (STIX 1.x/2.x or TAXII 1.x/2.x)


We have created a detailed guide for you to follow in order to install and use the connector. The guide is located in the developer network here.

You will learn:

  • Parsing of STIX Files (STIX 1.x / 2.x)
  • Parsing STIX data out of TAXII Servers/Services (TAXII 1.x/2.x)
  • Create Feeds in Carbon Black Cloud
  • Create Watchlists in Carbon Black Cloud
  • The mappings from STIX Objects to Carbon Black Cloud Indicator of Compromises (IOCs)
  • How it all works together
  • Installing the connector inside a Docker container with a CRON job setup
  • Known problems with STIX/TAXII
  • Helpful articles to help you understand better STIX and TAXII