Carbon Black EDR Connectors

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

There are many integrations available to connect your EDR instance with other applications.

You can connect your EDR instance to other applications with the integrations listed below. The Supported Integrations are built and maintained by Carbon Black. You can also use integrations created by our partner companies or integrations built and supported by other developers in the Carbon Black Community.

Supported Integrations

Name                                         GitHub Repo
Air Gap Feed (On-Prem only)                  N/A
Air Gap Feed - pre EDR v7.4 (On-Prem only)   cb-airgap-feed
Event Forwarder                              cb-event-forwarder
Lastline Connector                           cb-lastline-connector
QRadar App                                   N/A
Splunk App                                   N/A
Taxii                                        cb-taxii-connector
Threat Intelligence Feeds                    cbfeeds
ThreatConnect                                cb-threatconnect-connector
Yara Connector                               cb-yara-connector

Partner Integrations

Community Integrations

These integrations are open source and community supported.

Installation

Unless otherwise specified, use the following installation instructions.

As root on your Carbon Black EDR server, or on another RPM-based 64-bit Linux server:

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

Then install the appropriate connector by executing:

yum install <connector-name>

Binary Detonation and Sandbox Connectors

These connectors submit binaries collected by EDR to a sandbox or “detonation” engine for analysis.

Checkpoint

The Checkpoint connector submits binaries collected by Carbon Black EDR to Checkpoint for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints that Checkpoint identified as malware. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

This connector submits full binaries by default, and binaries may be shared with Checkpoint based on the configuration.

Connector Name: python-cb-checkpoint-connector

Cyphort

Carbon Black now integrates with Cyphort for inspection, analysis and correlation of suspicious binaries discovered at the endpoint. Carbon Black can submit unknown or suspicious binaries to Cyphort Core, a secure threat analysis engine that leverages Cyphort's multi-method behavioral detection technology and threat intelligence, to deliver threat scores that Carbon Black uses to enhance detection, response and remediation efforts.

The Cyphort connector submits binaries collected by Carbon Black to a Cyphort appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by Cyphort. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

Connector Name: python-cb-cyphort-connector

Fortinet FortiSandbox

The Fortisandbox connector submits binaries collected by Carbon Black to a Fortinet Fortisandbox appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by Fortisandbox. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

This connector submits full binaries by default, and binaries may be shared with Fortinet based on the configuration on your Fortisandbox appliance.

Connector Name: python-cb-fortisandbox-connector

VirusTotal

The VirusTotal connector submits binaries collected by Carbon Black to VirusTotal for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by VirusTotal. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

To use this connector, you must have a VirusTotal Private API key. You can apply for a private API key through the VirusTotal web interface.

Connector Name: python-cb-virustotal-connector

VMRay

Connector Name: python-cb-vmray-connector

WildFire

The Wildfire connector submits binaries collected by Carbon Black to a Wildfire appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by Wildfire. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

Connector Name: python-cb-wildfire-connector
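Each of the detonation connectors above follows the same pattern: submit a binary, collect the verdict, and publish only the malicious results as a feed that tags the binary by its md5 on the EDR server. The following added example (my own code, not from any Carbon Black connector) shows that last step. The JSON layout, a `feedinfo` block plus `reports` carrying md5 IOCs and a 0-100 score, follows the cbfeeds format as I understand it and should be treated as an assumption to check against the cbfeeds repository; the verdicts and URLs are constructed placeholders.

```python
import json
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample verdicts, shaped like what a detonation connector might
# hold after polling the sandbox for the binaries it submitted.
SAMPLE_VERDICTS = [
    {"md5": "D41D8CD98F00B204E9800998ECF8427E", "verdict": "malicious", "confidence": 0.95},
    {"md5": "0cc175b9c0f1b6a831c399e269772661", "verdict": "benign", "confidence": 0.99},
    {"md5": "92eb5ffee6ae2fec3ad71c777531578f", "verdict": "pending", "confidence": 0.0},
    {"md5": "not-a-real-hash", "verdict": "malicious", "confidence": 0.50},
]

def verdict_to_score(verdict, confidence):
    """Map a sandbox verdict to a 0-100 feed score; None means 'do not tag'."""
    if verdict != "malicious":
        return None  # benign: nothing to tag; pending: poll the sandbox again later
    return max(1, min(100, int(round(confidence * 100))))

def build_feed(verdicts, now, feed_name="sandbox_results"):
    """Build one feed document with one report per malicious, well-formed md5 (assumed cbfeeds layout)."""
    reports = []
    for v in verdicts:
        md5 = v["md5"].lower()
        if not MD5_RE.match(md5):
            continue  # a malformed hash would produce an IOC that never matches
        score = verdict_to_score(v["verdict"], v["confidence"])
        if score is None:
            continue
        reports.append({
            "id": f"{feed_name}-{md5}",
            "title": f"Sandbox verdict: malicious ({v['confidence']:.0%} confidence)",
            "link": f"https://sandbox.example.invalid/report/{md5}",  # placeholder URL
            "score": score,
            "timestamp": now,
            "iocs": {"md5": [md5]},  # the endpoint binary is matched by its md5
        })
    feedinfo = {
        "name": feed_name,
        "display_name": "Sandbox Results",
        "provider_url": "https://sandbox.example.invalid",  # placeholder URL
        "summary": "Binaries submitted by the connector and judged malicious by the sandbox",
        "tech_data": "Only binaries the connector submitted appear in this feed",
    }
    return {"feedinfo": feedinfo, "reports": reports}

if __name__ == "__main__":
    print(json.dumps(build_feed(SAMPLE_VERDICTS, now=1657152000), indent=2))
```

Benign and still-pending verdicts produce no report, so the feed never tags a binary the sandbox did not call malicious.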

Intelligence Feeds

These connectors pull threat intelligence collected from other third party sources into the EDR server.

iSIGHT

This connector allows for the importing of iSIGHT threat intelligence feeds and tags documents matching any threat intelligence feeds in the Carbon Black database. The iSIGHT connector uses the ThreatScape v2 API as described at http://www.isightpartners.com/doc/sdk-bp-docs/#/ to retrieve threat intelligence from iSIGHT. The connector will create a Carbon Black feed for any iSIGHT threat intelligence hits, and queries for new threat indicators from iSIGHT’s ThreatScape API every hour by default.

Connector Name: python-cbisight-connector

ThreatExchange

Carbon Black provides integration with ThreatExchange by retrieving Indicators of Compromise (IOCs) from specified communities. To support this integration, Carbon Black provides an out-of-band bridge that communicates with the ThreatExchange API.

Connector Name: python-cb-threatexchange-connector

Orchestration

EDR also supports integration with network appliances to retrieve alert data and optionally take action on affected endpoints.

InfoBlox

The Carbon Black Infoblox Secure DNS connector ingests reports via syslog from the Infoblox Secure DNS appliance and correlates them against data in the connected Carbon Black EDR server. The connector can then take one or more actions based on these reports, including killing the offending process on the endpoint, isolating the system from the network, and creating an alert for future follow-up.

Infoblox syslog events are sent to the connector, which can either run on its own host or on the Carbon Black EDR server itself. The connector then correlates the DNS information with Carbon Black to determine what process caused the DNS lookup. This correlation can only occur if the endpoint has attempted to establish a TCP or UDP connection with another host. A Carbon Black network connection event is only generated when a TCP SYN or UDP packet is sent to a target host, and these network connection events are used to correlate the DNS request against the Carbon Black data.

Connector Name: python-cb-infoblox-connector
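The correlation described above, as an added example that is not the connector's own code: a DNS report naming a client and the resolved address is matched against the netconn events the EDR recorded for that client, and the first connection attempt to that address shortly after the lookup identifies the process. The syslog lines are a constructed, simplified format (not Infoblox's real one), the netconn list is a constructed stand-in for an EDR query result, and the 30-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified syslog lines standing in for what the DNS appliance
# would send; this is not Infoblox's real message format.
SYSLOG_LINES = [
    "2022-07-07T10:15:02Z dns-appliance secure-dns: client=10.0.0.5 "
    "query=bad.example.invalid answer=203.0.113.7 verdict=malicious",
    "2022-07-07T10:20:00Z dns-appliance secure-dns: client=10.0.0.9 "
    "query=blocked.example.invalid answer=203.0.113.9 verdict=malicious",
]

# Constructed stand-in for the netconn events an EDR query would return
# (one event per TCP SYN or UDP packet the sensor saw leaving the host).
NETCONN_EVENTS = [
    {"host_ip": "10.0.0.5", "remote_ip": "198.51.100.2", "proto": "tcp",
     "time": "2022-07-07T10:14:50Z", "process": "outlook.exe"},
    {"host_ip": "10.0.0.5", "remote_ip": "203.0.113.7", "proto": "tcp",
     "time": "2022-07-07T10:15:03Z", "process": "updater.exe"},
    {"host_ip": "10.0.0.5", "remote_ip": "203.0.113.7", "proto": "tcp",
     "time": "2022-07-07T10:15:40Z", "process": "chrome.exe"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ secure-dns: client=(?P<client>\S+) "
    r"query=(?P<query>\S+) answer=(?P<answer>\S+) verdict=(?P<verdict>\S+)$"
)

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_syslog(line):
    """Return the fields of one DNS report, or None for a line we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = parse_time(event["ts"])
    return event

def correlate(event, netconns, window=timedelta(seconds=30)):
    """Find the first connection attempt from the querying host to the resolved IP
    within `window` after the lookup; None when no such attempt was observed."""
    candidates = [
        c for c in netconns
        if c["host_ip"] == event["client"] and c["remote_ip"] == event["answer"]
        and timedelta(0) <= parse_time(c["time"]) - event["ts"] <= window
    ]
    return min(candidates, key=lambda c: c["time"]) if candidates else None
```

The second sample report has no matching netconn event, so `correlate` returns None: as the text notes, a lookup that was never followed by a connection attempt cannot be attributed to a process, and no kill or isolate action should be driven from it.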

Fidelis

Fidelis Network is a network detection and response (NDR) solution that combines machine learning with automated and manual anomaly detection techniques, coupled with Deep Session Inspection, to detect attacks. This is a bi-directional integration where Fidelis Network pushes alerts to the connector, which creates a feed from the IOCs provided and polls Carbon Black EDR for matches, returning the matching process(es) and their corresponding netconn and filewrite events.

Connector Name: python-cb-fidelis-bridge

FireEye

FireEye NX is a network-based malware detection system. This is a uni-directional integration in which the FireEye NX system sends alerts to the connector, which creates a feed from the provided IOCs.

Connector Name: python-cb-fireeye-connector

SIEM Plugins

The EDR server can also interoperate with several different SIEM systems. Carbon Black has built apps for two SIEMs: IBM QRadar and Splunk. These apps allow users to query and optionally take action on endpoints directly from the SIEM console.

In addition, events can be forwarded from the EDR server into SIEMs using the Event Forwarder.

Other Plugins

IBM BigFix

Juniper Sky ATP

The SkyATP connector for Carbon Black submits infected hosts detected by a CbR (Carbon Black EDR, formerly CB Response) server to the Sky ATP infected hosts banned list.


Last modified on July 7, 2022