The Threat Intel Module lets you integrate Carbon Black Cloud Enterprise EDR with a threat intelligence source. The module includes an example for STIX/TAXII that imports intel into Enterprise EDR Feeds, which are made actionable by subscribing Watchlists to those Feeds. Watchlists generate Alerts and Events when your endpoints encounter the IOCv2s described by the threat intelligence, including file hashes, IPv4 addresses, and other indicators.
The threat intel module can be used in the development of threat intelligence connectors, to further enhance the value you receive from Enterprise EDR. The results.py file contains a class to model threat intelligence in a way that the Carbon Black Cloud can ingest, and threatintel.py contains a class to send that intelligence to the Carbon Black Cloud. These two files are key to creating your own threat intelligence connector for Enterprise EDR.
For full lists of searchable fields that can be included in your own custom threat intelligence IOCv2s, see the Enterprise EDR Event Search Fields API and Process Search Fields API pages of the Developer Network.
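As an added example (not code from the module's results.py or threatintel.py), the following Python models a feed report and its IOCv2 entries and validates hash and IPv4 values before a connector would send them. The field names process_hash and netconn_ipv4, the match types and the report keys are assumptions about the feed schema, not taken from this page.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Accept only MD5 (32) or SHA-256 (64) hex digests for hash IOCs.
HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")

@dataclass
class IOCv2:
    """One IOCv2 entry: a searchable field, a match type and the values to match."""
    ioc_id: str
    field_name: str  # an Enterprise EDR search field, e.g. "process_hash" or "netconn_ipv4" (assumed)
    values: List[str]
    match_type: str = "equality"  # assumed match types: "equality", "regex" or "query"
    def problems(self) -> List[str]:
        """Validation failures in plain words; an empty list means the IOC is well formed."""
        found = []
        if self.match_type not in ("equality", "regex", "query"):
            found.append(f"unsupported match_type {self.match_type!r}")
        for v in self.values:
            if self.field_name == "process_hash" and not HEX_HASH.match(v.lower()):
                found.append(f"not an MD5/SHA-256 hex digest: {v!r}")
            if self.field_name == "netconn_ipv4":
                try:
                    ipaddress.IPv4Address(v)
                except ValueError:
                    found.append(f"not an IPv4 address: {v!r}")
        return found
    def to_dict(self) -> Dict[str, Any]:
        if self.problems():
            raise ValueError("; ".join(self.problems()))
        return {"id": self.ioc_id, "match_type": self.match_type, "field": self.field_name,
                "values": [v.lower() for v in self.values]}  # lowercase so hashes match exactly

@dataclass
class Report:
    """A feed report carrying IOCv2 entries (assumed shape of the feed report JSON)."""
    report_id: str
    title: str
    description: str
    severity: int  # 1 (low) to 10 (high)
    timestamp: int  # Unix epoch seconds
    iocs: List[IOCv2] = field(default_factory=list)
    def to_dict(self) -> Dict[str, Any]:
        if not 1 <= self.severity <= 10:
            raise ValueError(f"severity out of range: {self.severity}")
        return {"id": self.report_id, "timestamp": self.timestamp, "title": self.title,
                "description": self.description, "severity": self.severity,
                "iocs_v2": [ioc.to_dict() for ioc in self.iocs]}
```

Calling Report.to_dict() on a report built from constructed sample values yields the dictionary a connector would serialise; a malformed hash or address is reported by problems() before anything is sent.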
To use the STIX/TAXII example included with the threat intel module:
To use the Threat Intel module to develop your own connector: