Carbon Black Cloud Threat Intelligence Connector

Posted on April 28, 2022


Overview

The Carbon Black Cloud Threat Intelligence connector imports threat intelligence data using the STIX/TAXII standards.

This new version supports the major versions of STIX (1.2/2.0/2.1). In contrast to the previous version, it is a standalone connector with improved usability and more features, rather than part of the CBC SDK.

Prerequisites

To use this connector you must have the following products:

  • Carbon Black Cloud, Enterprise EDR
  • Carbon Black Cloud Threat Intelligence Connector (GitHub)
  • Third-Party Threat Intelligence data (STIX 1.x/2.x or TAXII 1.x/2.x)

Usage

We have created a detailed guide to installing and using the connector. The guide is located in the developer network here.

The guide covers:

  • Parsing STIX files (STIX 1.x/2.x)
  • Parsing STIX data from TAXII servers/services (TAXII 1.x/2.x)
  • Creating feeds in Carbon Black Cloud
  • Creating watchlists in Carbon Black Cloud
  • The mappings from STIX objects to Carbon Black Cloud Indicators of Compromise (IOCs)
  • How it all works together
  • Installing the connector inside a Docker container with a CRON job setup
  • Known problems with STIX/TAXII
  • Helpful articles to help you better understand STIX and TAXII