Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
Integrations may require an API URL, which uses a hostname specific to your organization. To find your organization's API hostname, refer to the Authentication Guide.
Carbon Black partners with industry leaders to create integrated solutions helping you to achieve end-to-end protection across security systems. The Carbon Black Integration Network highlights our Partners and the solutions they have built using our Open APIs.
Members of the Carbon Black partner program can submit their products to Carbon Black for certification and promotion on our Integration Network. Learn more about the Carbon Black Partner Program here.
These connectors allow users to send notifications or alerts into a SIEM like Splunk or QRadar.
The Syslog Connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:
The Syslog Connector can be automated on all supported platforms. Select your operating system for platform-specific instructions.
The Binary Toolkit integrates Carbon Black Cloud Enterprise EDR with a binary analysis engine such as YARA. When the toolkit receives the hashes of binaries encountered in your organization, it retrieves those binaries and their metadata from the Unified Binary Store (UBS) and runs the binaries through the analysis engine. The engine's results are consolidated with the metadata and published back to Carbon Black Cloud as a Feed, which you can subscribe a Watchlist to in order to monitor your environment.
The Carbon Black Cloud Binary Toolkit is designed to work on Python 3.6 and above.
For details on the expected performance for the CBC Binary Toolkit see the Performance Metrics wiki page here.
The wiki page will be updated with any changes or additional tests that may be run in the future.
There are two ways to use the Carbon Black Cloud Binary Toolkit. You can either:
The Threat Intel Module of CBAPI integrates Carbon Black Cloud Enterprise EDR with a threat intelligence source. The module includes a STIX/TAXII example that imports intel into Enterprise EDR Feeds, which are made actionable by subscribing Watchlists to those Feeds. Watchlists generate Alerts and Events when activity on your endpoints matches the IOCv2 indicators described by the threat intelligence, such as file hashes and IPv4 addresses.
The threat intel module can be used to develop threat intelligence connectors that further enhance the value you receive from Enterprise EDR. Results.py contains a class that models threat intelligence in a form Carbon Black Cloud can ingest, and ThreatIntel.py contains a class that sends that intelligence to Carbon Black Cloud. These two files are the building blocks for your own threat intelligence connector for Enterprise EDR.
For full lists of searchable fields that can be used in your own custom threat intelligence IOCv2s, see the Enterprise EDR Event Search Fields API and Process Search Fields API pages of the Developer Network.
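Both the Binary Toolkit described above and the Threat Intel module end the same way: indicators (hashes flagged by an analysis engine, IPv4 addresses delivered by a STIX/TAXII source) are consolidated into Reports carrying IOCv2 entries that a subscribed Watchlist can match. The following is an added example, not code from cbapi, the Threat Intel module or the Binary Toolkit, showing how such a report is assembled and validated before it is handed to the Feed API. It assumes the report and IOCv2 JSON layout of the Carbon Black Cloud Watchlist and Feed APIs (id, timestamp, title, description, severity, link, tags, iocs_v2 with id/match_type/field/values) and the search field names process_hash and netconn_ipv4; the indicator list is constructed sample data.

```python
"""Consolidate indicators into a Carbon Black Cloud feed report with IOCv2 entries.

Added example, not code from cbapi, the Threat Intel module or the Binary
Toolkit. Assumes the report JSON shape used by the CBC Watchlist/Feed APIs and
the search fields "process_hash" and "netconn_ipv4"; all indicator input below
is constructed sample data.
"""
import ipaddress
import json
import re
import time
import uuid

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Enterprise EDR search field each indicator type is matched against
# (field names as listed by the Process Search Fields API; assumption).
FIELD_FOR_TYPE = {"sha256": "process_hash", "ipv4": "netconn_ipv4"}

# Address space that must never appear in an equality IOC: a feed matching
# RFC1918 or loopback traffic would fire on every endpoint in the fleet.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def normalize(ioc_type, value):
    """Return the canonical indicator value, or raise ValueError if unusable."""
    if ioc_type == "sha256":
        digest = value.strip().lower()
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        return digest
    if ioc_type == "ipv4":
        addr = ipaddress.ip_address(value.strip())  # raises ValueError on junk
        if addr.version != 4:
            raise ValueError(f"not an IPv4 address: {value!r}")
        if any(addr in net for net in NON_ROUTABLE_V4):
            raise ValueError(f"non-routable IPv4 indicator: {value!r}")
        return str(addr)
    raise ValueError(f"unsupported indicator type: {ioc_type}")


def build_report(title, description, severity, indicators, link=None, tags=None, now=None):
    """Group valid indicators by type into one report; returns (report, rejected).

    Each IOCv2 entry uses match_type "equality" on a single field with the
    deduplicated values of that type. Rejected indicators are returned to the
    caller rather than silently dropped.
    """
    if not isinstance(severity, int) or not 1 <= severity <= 10:
        raise ValueError("severity must be an integer from 1 to 10")
    buckets, rejected = {}, []
    for ioc_type, value in indicators:
        try:
            canonical = normalize(ioc_type, value)
        except ValueError as exc:
            rejected.append((ioc_type, value, str(exc)))
            continue
        buckets.setdefault(ioc_type, set()).add(canonical)
    iocs_v2 = [
        {"id": str(uuid.uuid4()), "match_type": "equality",
         "field": FIELD_FOR_TYPE[ioc_type], "values": sorted(values)}
        for ioc_type, values in sorted(buckets.items())
    ]
    if not iocs_v2:
        raise ValueError("no valid indicators; refusing to publish an empty report")
    report = {
        "id": str(uuid.uuid4()),
        "timestamp": int(now if now is not None else time.time()),
        "title": title,
        "description": description,
        "severity": severity,
        "tags": list(tags or []),
        "iocs_v2": iocs_v2,
    }
    if link:
        report["link"] = link
    return report, rejected


# Constructed sample: the same SHA-256 twice in different case (as an analysis
# engine might emit it), one malformed hash, one routable IPv4 as a TAXII source
# might deliver it, one RFC1918 address and one IPv6 address.
SAMPLE_INDICATORS = [
    ("sha256", "AB" * 32),
    ("sha256", "ab" * 32),
    ("sha256", "deadbeef"),
    ("ipv4", "198.51.100.23"),
    ("ipv4", "10.0.0.5"),
    ("ipv4", "2001:db8::1"),
]

if __name__ == "__main__":
    report, rejected = build_report(
        "Constructed sample report", "Hashes from engine, IPs from TAXII", 7,
        SAMPLE_INDICATORS, tags=["example"], now=1700000000)
    print(json.dumps(report, indent=2))
    for ioc_type, value, reason in rejected:
        print(f"rejected {ioc_type} {value!r}: {reason}")
```

The two refusals are the part a connector author most often skips: an equality IOC on an RFC1918 address, or an empty report, pushed into a Feed that a Watchlist already subscribes to either alerts across the whole fleet or adds noise to every subsequent feed query, so validate before calling the Feed API rather than after the Watchlist starts firing.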
The Carbon Black Cloud Threat Intelligence Module is designed to work on Python 3.6 and above.
See the GitHub Readme Requirements section for instructions to install the requirements.
To use the STIX/TAXII example included with the threat intel module:
To use the Threat Intel module to develop your own connector: