Enterprise EDR Integrations

Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.

Integrations may require an API URL, which is accessible through a special hostname assigned to your organization. To find your organization’s API hostname, please refer to the Authentication Guide.

Carbon Black Integration Network

Carbon Black partners with industry leaders to create integrated solutions helping you to achieve end-to-end protection across security systems. The Carbon Black Integration Network highlights our Partners and the solutions they have built using our Open APIs.

Members of the Carbon Black partner program can submit their products to Carbon Black for certification and promotion on our Integration Network. Learn more about the Carbon Black Partner Program here.

SIEM Connectors

These connectors allow users to send notifications or alerts into a SIEM like Splunk or QRadar.


Carbon Black Cloud Syslog Connector

The Syslog Connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premises systems, and:

  • Generates pipe-delimited syslog messages carrying the alert metadata identified by the streaming prevention system
  • Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
  • Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog transports
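The following is an added example written for this page, not code from the Syslog Connector project: a minimal forwarder showing the three transports listed above, RFC 5424 framing with a pipe-delimited message body, and the two things a practitioner should check on any such setup: that TCP messages are framed so a receiver can split them, and that the TLS mode verifies the receiver's certificate instead of disabling verification. The field order, facility/severity, hostname and app name are constructed choices and are not the connector's real template.

```python
import socket
import ssl
from datetime import datetime, timezone

# PRI = facility * 8 + severity; local4 (20) and "warning" (4) are constructed choices.
PRI_LOCAL4_WARNING = 20 * 8 + 4


def build_message(fields, hostname="cbc-connector", appname="cbc-syslog",
                  pri=PRI_LOCAL4_WARNING, ts=None):
    """Return an RFC 5424 line whose MSG part is the pipe-delimited fields.

    The field order is a constructed example, not the connector's template.
    A literal "|" inside a field value (a process command line, for instance)
    is escaped so it cannot shift the columns a SIEM parser expects.
    """
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="seconds").replace("+00:00", "Z")
    header = f"<{pri}>1 {stamp} {hostname} {appname} - - -"
    body = "|".join(str(v).replace("|", r"\|") for v in fields)
    return f"{header} {body}"


def frame_tcp(message):
    """RFC 6587 octet-counting framing ("<len> <msg>") so a stream receiver can
    split back-to-back messages even when a field contains a newline."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def make_sender(mode, host, port, cafile=None):
    """Return a send(message) callable for mode "udp", "tcp" or "tls".

    For "tls" the default context verifies the receiver's certificate chain and
    hostname; pass cafile for a private CA rather than turning verification off.
    """
    if mode == "udp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        return lambda msg: sock.sendto(msg.encode("utf-8"), (host, port))
    if mode not in ("tcp", "tls"):
        raise ValueError(f"unknown mode {mode!r}")
    sock = socket.create_connection((host, port))
    if mode == "tls":
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    return lambda msg: sock.sendall(frame_tcp(msg))


if __name__ == "__main__":
    # Constructed alert fields; replace host/port with your receiver's.
    msg = build_message(["CB", "ALERT", "watchlist", "a1b2c3", "cmd.exe /c whoami"])
    print(msg)
    # make_sender("tls", "syslog.example.internal", 6514)(msg)
```

UDP gives no delivery guarantee and no confidentiality, so alerts can be lost or read on the wire; the TLS mode is the one to use across any network you do not fully control, and the escaping in build_message illustrates why a SIEM parser for pipe-delimited output must not trust field counts from endpoint-controlled strings.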

Requirements

Installation

You can install the Syslog Connector using either PyPI or GitHub.

How to Automate

The syslog connector can be automated on all platforms. Select your operating system for more information.


Carbon Black Cloud Binary Toolkit

The Binary Toolkit lets you integrate Carbon Black Cloud Enterprise EDR with a binary analysis engine such as YARA. When the toolkit receives hashes of binaries encountered in your organization, it starts a pipeline that fetches metadata about the binaries from the Unified Binary Store (UBS) and then runs the binaries through the analysis engine. The engine results and the metadata are consolidated and sent back to the Carbon Black Cloud, where Watchlists can subscribe to them so you can monitor your environment.
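The pipeline just described, as an added example that is not the toolkit's code: hash in, store lookup, analysis engine, consolidated report out. The binary store, the metadata, the scoring and the analysis engine (a couple of regex rules standing in for YARA rules) are constructed stand-ins so the example runs offline. The one step worth copying as-is is the integrity gate: the store is a remote service, and a blob whose digest does not match the requested hash must never be analysed or labelled under that hash.

```python
import hashlib
import re


# Constructed stand-in for the Unified Binary Store: sha256 -> (file name, bytes).
def _entry(name, blob):
    return hashlib.sha256(blob).hexdigest(), (name, blob)


STORE = dict([
    _entry("notepad_like.exe", b"MZ\x90\x00" + b"hello world " * 4),
    _entry("dropper.exe", b"MZ\x90\x00" + b"powershell -enc " + b"QUFB" * 12),
])
BENIGN_HASH, SUSPECT_HASH = list(STORE)

# Stand-in analysis engine: regex rules play the role YARA rules would.
RULES = {
    "encoded_powershell": re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{16,}"),
}


def analyze(blob):
    """Return the names of the rules that matched, sorted for stable output."""
    return sorted(name for name, pat in RULES.items() if pat.search(blob))


def process_hash(sha256, store=STORE):
    """One pipeline run: validate the hash, fetch blob and metadata, verify
    integrity, run the engine, and consolidate a report."""
    if not re.fullmatch(r"[0-9a-f]{64}", sha256):
        return {"sha256": sha256, "error": "not a lowercase hex SHA-256"}
    entry = store.get(sha256)
    if entry is None:
        return {"sha256": sha256, "error": "not in binary store"}
    name, blob = entry
    # Integrity gate: refuse a blob whose digest differs from the requested hash.
    actual = hashlib.sha256(blob).hexdigest()
    if actual != sha256:
        return {"sha256": sha256, "error": f"hash mismatch, got {actual}"}
    matches = analyze(blob)
    return {
        "sha256": sha256,
        "file_name": name,          # metadata the store returned (constructed here)
        "size": len(blob),
        "matches": matches,
        # Constructed scoring: any rule match is reported as high severity.
        "severity": 8 if matches else 1,
    }


def process_batch(hashes, store=STORE):
    """Consolidate results for a batch of hashes; errors stay in the output so
    nothing is silently dropped."""
    return [process_hash(h, store) for h in hashes]


if __name__ == "__main__":
    for report in process_batch([BENIGN_HASH, SUSPECT_HASH, "0" * 64, "xyz"]):
        print(report)
```

Swapping the regex stand-in for yara-python means compiling your rules once and calling match on the bytes; the hash validation, integrity check and error reporting around it stay the same.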

Requirements

The Carbon Black Cloud Binary Toolkit is designed to work on Python 3.6 and above.

Carbon Black Cloud Requirements

Enterprise EDR

OS Specific Requirements

  • Windows users will need to have Microsoft Visual C++ 14.0 Build Tools installed in order to compile yara-python.
  • Linux users will need to have the Python development package installed in order to compile yara-python. If you receive compile errors, make sure you are on the latest gcc compiler version.

    Linux Distribution            Command
    Amazon Linux/CentOS/RHEL      yum install python3-devel
    Ubuntu                        apt-get install python3-dev
    OpenSUSE/SUSE                 zypper install python3-devel

Python Package Requirements

  • argparse
  • cbapi
  • python-dateutil
  • pyyaml
  • requests
  • yara-python

Performance Metrics

For details on the expected performance for the CBC Binary Toolkit see the Performance Metrics wiki page here.

The wiki page will be updated with any changes or additional tests that may be run in the future.

Getting Started

There are two ways to use the Carbon Black Cloud Binary Toolkit. You can either:

  1. Run the Binary Analysis Tool using out-of-the-box functionality found in the User Guide
  2. Use the Toolkit to develop your own tool for processing binaries by following the Developer Guide

CBAPI Python Threat Intel Module

The Threat Intel Module of CBAPI lets you integrate Carbon Black Cloud Enterprise EDR with a threat intelligence source. The module includes a STIX/TAXII example that imports intel into Enterprise EDR Feeds, which are made actionable by subscribing Watchlists to those Feeds. Watchlists generate Alerts and Events when your endpoints encounter the IOCv2 indicators described by the threat intelligence, including file hashes, IPv4 addresses, and other indicators.

The threat intel module can be used to develop threat intelligence connectors that further enhance the value you receive from Enterprise EDR. The Results.py file contains a class that models threat intelligence in a form the Carbon Black Cloud can ingest, and ThreatIntel.py contains a class that sends that intelligence to the Carbon Black Cloud. These two files are the key to creating your own threat intelligence connector for Enterprise EDR.

For full lists of the searchable fields that can be used in your own custom IOCv2s, see the Enterprise EDR Event Search Fields API and Process Search Fields API pages of the Developer Network.

Requirements

The Carbon Black Cloud Threat Intelligence Module is designed to work on Python 3.6 and above.

Carbon Black Cloud Requirements

Enterprise EDR

Python Package Requirements

  • cybox
  • dataclasses
  • cabby
  • stix
  • lxml
  • urllib3
  • cbapi
  • python_dateutil
  • PyYAML
  • schema

See the GitHub Readme Requirements section for instructions to install the requirements.

Getting Started

To use the STIX/TAXII example included with the threat intel module:

  • Run the TAXII connector using instructions found in the TAXII Readme

To use the Threat Intel module to develop your own connector:

Last modified on July 14, 2020