Carbon Black Cloud Threat Intel Module
The Threat Intel Module lets you integrate between Carbon Black Cloud Enterprise EDR and a threat intelligence source. The module includes an example for STIX/TAXII to import intel into Enterprise EDR Feeds, which are made actionable by subscribing Watchlists to those Feeds. Watchlists generate Alerts and Events when your endpoints encounter the IOCv2 described by the threat intelligence, including file hashes, IPv4 addresses, and other indicators.
The threat intel module can be used in the development of threat intelligence connectors, to further enhance the value you receive from Enterprise EDR. The
results.py file contains a class to model threat intelligence in a way that the Carbon Black Cloud can ingest, and
threatintel.py contains a class to send that intelligence to the Carbon Black Cloud. These two files are key to creating your own threat intelligence connector for Enterprise EDR.
For full lists of searchable fields that can be included in your own custom threat intelligence IOCv2’s, see the Enterprise EDR Event Search Fields API and Process Search Fields API pages of the Developer Network.
- Enterprise EDR
- You can install the Threat Intel Module using GitHub.
To use the STIX/TAXII example included with the threat intel module:
- Run the TAXII connector using instructions found in the TAXII Readme
To use the Threat Intel module to develop your own connector:
- See the
Writing a Custom Threat Intelligence Polling Connectorsection of the Threat Intelligence Readme.
threatintel.pycontain useful classes to be used in the development of threat intel connectors.
Use this form to give us feedback about this site or any of the documentation.
Last modified on February 24, 2021