Carbon Black Cloud Threat Intel Module


The Threat Intel Module lets you integrate Carbon Black Cloud Enterprise EDR with a threat intelligence source. The module includes a STIX/TAXII example that imports intel into Enterprise EDR Feeds; Feeds are made actionable by subscribing Watchlists to them. Watchlists generate Alerts and Events when your endpoints encounter the IOCv2s described by the threat intelligence, such as file hashes and IPv4 addresses.

The Threat Intel Module can also be used as the basis for your own threat intelligence connectors, to get more value from Enterprise EDR. results.py contains a class that models threat intelligence in a form Carbon Black Cloud can ingest, and threatintel.py contains a class that sends that intelligence to Carbon Black Cloud. These two files are the starting point for a custom Enterprise EDR connector.

For the full lists of searchable fields that can be used in your own custom IOCv2s, see the Enterprise EDR Event Search Fields API and Process Search Fields API pages on the Developer Network.
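The example below is added here to show the shape of what such a connector produces; it is not the module's own results.py or threatintel.py code. It models threat intel as feed reports with IOCv2 entries, validates and deduplicates indicators before they can become Watchlist hits, and gives every report and IOC a deterministic id so a re-run of the connector updates rather than duplicates. The JSON key names (iocs_v2, match_type, field, values, severity) and the search field names process_hash and netconn_ipv4 are assumptions to verify against the Feed Manager API and Search Fields references for your org; the sample indicators are constructed placeholders. No HTTP is performed.

```python
# Added example, not the module's results.py/threatintel.py. Key names
# (iocs_v2, match_type, field, values, severity) and the search fields
# process_hash / netconn_ipv4 are assumptions to verify against the
# Carbon Black Cloud Feed Manager and Search Fields references.
import ipaddress
import re
import uuid
from dataclasses import dataclass, field

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
FIELD_FOR_KIND = {"sha256": "process_hash", "ipv4": "netconn_ipv4"}  # assumed

# Ranges endpoints talk to all day: an equality IOC on one of these would
# fire on normal traffic, so such indicators are dropped, not pushed.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def normalize_indicator(kind, value):
    """Canonical indicator value, or None if it must not become an IOC."""
    value = value.strip()
    if kind == "sha256":
        value = value.lower()
        return value if SHA256_RE.match(value) else None
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return None
        return None if any(ip in net for net in NON_ROUTABLE) else str(ip)
    return None


def stable_id(*parts):
    """Deterministic id so a re-run of the connector updates, not duplicates."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "|".join(parts)))


@dataclass
class Report:
    title: str
    description: str
    severity: int                     # assumed 1-10 scale
    tags: list = field(default_factory=list)
    iocs: dict = field(default_factory=dict)   # kind -> list of values

    def add(self, kind, value):
        """Add one indicator; False means validation rejected it."""
        norm = normalize_indicator(kind, value)
        if norm is None:
            return False
        values = self.iocs.setdefault(kind, [])
        if norm not in values:        # dedupe within the report
            values.append(norm)
        return True

    def to_cbc(self, timestamp):
        """One feed report in the assumed Carbon Black Cloud JSON shape."""
        if not 1 <= self.severity <= 10:
            raise ValueError("severity must be between 1 and 10")
        iocs_v2 = [{"id": stable_id(self.title, kind),
                    "match_type": "equality",
                    "field": FIELD_FOR_KIND[kind],
                    "values": sorted(values)}
                   for kind, values in sorted(self.iocs.items()) if values]
        if not iocs_v2:
            raise ValueError("report has no valid IOCs: " + self.title)
        return {"id": stable_id(self.title), "timestamp": int(timestamp),
                "title": self.title, "description": self.description,
                "severity": self.severity, "tags": list(self.tags),
                "iocs_v2": iocs_v2}


def build_feed_payload(reports, timestamp):
    """Body for a bulk report push to a feed (assumed shape; no HTTP here)."""
    return {"reports": [r.to_cbc(timestamp) for r in reports]}


# Constructed sample intel: valid hash, garbage hash, a documentation-range
# IP (RFC 5737), an RFC 1918 IP, a duplicate and a malformed IP.
SAMPLE = [
    ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
    ("sha256", "not-a-hash"),
    ("ipv4", "203.0.113.7"),
    ("ipv4", "10.0.0.1"),
    ("ipv4", "203.0.113.7"),
    ("ipv4", "999.1.1.1"),
]


def sample_payload():
    """Payload for SAMPLE plus the per-indicator accepted flags."""
    report = Report(title="Constructed sample: commodity loader",
                    description="Example only; indicators are placeholders.",
                    severity=7, tags=["example"])
    accepted = [report.add(kind, value) for kind, value in SAMPLE]
    return build_feed_payload([report], timestamp=1614124800), accepted
```

Of the six constructed indicators only two survive into the payload: the hash is lowercased, the malformed hash and IP are dropped, the RFC 1918 address is rejected because an equality IOC on it would alert on ordinary traffic, and the duplicate collapses to one value. A report that ends up with no valid IOCs raises instead of being pushed, which keeps empty reports out of the Feed.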


Requirements

  • Enterprise EDR

Installation

  • Install the Threat Intel Module from its GitHub repository.

Getting Started

To use the STIX/TAXII example included with the threat intel module:

  • Run the TAXII connector using instructions found in the TAXII Readme

To use the Threat Intel module to develop your own connector:




Last modified on February 24, 2021