
CB Response Integrations

The connectors & integrations developed by Carbon Black all have similar installation instructions. Unless otherwise specified:

As root on your Carbon Black server (or any other 64-bit RPM-based Linux distribution), add the Carbon Black open-source repository:

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo

Then install the appropriate connector by executing:

yum install <connector-name>

Binary Detonation/Sandbox Connectors

These connectors submit binaries collected by CB Response to a sandbox or “detonation” engine for analysis.

Cyphort

Carbon Black now integrates with Cyphort for inspection, analysis and correlation of suspicious binaries discovered at the endpoint. Carbon Black can submit unknown or suspicious binaries to Cyphort Core, a secure threat analysis engine that leverages Cyphort's multi-method behavioral detection technology and threat intelligence, to obtain threat scores that Carbon Black uses to enhance detection, response and remediation efforts.

The Cyphort connector submits binaries collected by Carbon Black to a Cyphort appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black server. The feed will then tag any binaries executed on your endpoints identified as malware by Cyphort. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

Connector Name: python-cb-cyphort-connector

LastLine

The LastLine connector submits binaries collected by Carbon Black to a LastLine appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black server. The feed will then tag any binaries executed on your endpoints identified as malware by LastLine. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

Connector Name: python-cb-lastline-connector

VirusTotal

The VirusTotal connector submits binaries collected by Carbon Black to VirusTotal for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black server. The feed will then tag any binaries executed on your endpoints identified as malware by VirusTotal. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

To use this connector, you must have a VirusTotal Private API key. You can apply for a private API key through the VirusTotal web interface.

Connector Name: python-cb-virustotal-connector

VMRay

Connector Name: python-cb-vmray-connector

WildFire

The Wildfire connector submits binaries collected by Carbon Black to a Wildfire appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black server. The feed will then tag any binaries executed on your endpoints identified as malware by Wildfire. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.

Connector Name: python-cb-wildfire-connector

Yara

Yara is the lingua franca of malware analysts. With a robust language for defining byte strings and clean, well-designed interfaces, many IR and security operations shops keep the results of their analysis in a local repository of Yara rules.

However, monitoring activity across your network for matches to your Yara rules is difficult. Where it is possible at all, it usually involves infrequent, time-consuming scans. Since Carbon Black collects all executed binaries and has a robust API, you can configure your Carbon Black server to act as a "Yara Monitor" and automatically trigger a notification for any binary executed anywhere on your network that matches one of your Yara rules.

Connector Name: python-cb-yara-connector

Intelligence Feeds

These connectors pull threat intelligence collected from other third party sources into the CB Response server.

iSIGHT

This connector imports iSIGHT threat intelligence feeds and tags documents in the Carbon Black database that match them. It uses the ThreatScape v2 API, described at http://www.isightpartners.com/doc/sdk-bp-docs/#/, to retrieve threat intelligence from iSIGHT. The connector creates a Carbon Black feed for any iSIGHT threat intelligence hits, and by default queries iSIGHT's ThreatScape API for new threat indicators every hour.

Connector Name: python-cbisight-connector

STIX/TAXII

This connector imports STIX data by querying one or more TAXII services, retrieving the data and converting it into CB feeds using the CB JSON format for IOCs. The job queries for STIX/TAXII data newer than its last run, and by default runs every hour.

For each TAXII service, available “collections” are enumerated and a Carbon Black Feed is created. For example, if you have two TAXII services and each exposes two collections, you will have four CB feeds as a result of this connector.
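The fan-out described above (one CB feed per service/collection pair) and the "newer than the last run" filter are easy to get wrong, so here is an added example, not the python-cbtaxii connector's own code, that builds the feeds from in-memory indicator data. The TAXII transport is replaced by a constructed dictionary, and the feed field names (feedinfo, reports, iocs with md5/ipv4/dns keys) follow the CB feed JSON format as I understand it; treat them as assumptions. The same feed shape is, as far as this example assumes, what the sandbox and Yara connectors above populate.

```python
"""Added example: turn indicators pulled from TAXII collections into CB feed JSON.
Not the connector's code; TAXII data and feed field names are constructed/assumed."""
import json
import re
from datetime import datetime, timezone

# Constructed sample: two TAXII services, each exposing two collections.
# Each indicator is (type, value, observed timestamp, title).
SAMPLE_SERVICES = {
    "taxii-a.example": {
        "malware-hashes": [
            ("md5", "44d88612fea8a8f36de82e1278abb02f", "2017-09-01T10:00:00Z", "Dropper sample"),
            ("md5", "not-a-hash", "2017-09-01T11:00:00Z", "Malformed entry"),
        ],
        "c2-infra": [
            ("ipv4", "203.0.113.7", "2017-08-20T00:00:00Z", "Old C2 address"),
            ("dns", "c2.example.net", "2017-09-02T09:30:00Z", "C2 domain"),
        ],
    },
    "taxii-b.example": {
        "phishing": [("dns", "login-example.test", "2017-09-03T08:00:00Z", "Phishing host")],
        "empty": [],
    },
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def valid_ioc(ioc_type, value):
    """Reject indicators the server could never match as the declared type."""
    if ioc_type == "md5":
        return bool(MD5_RE.match(value.lower()))
    if ioc_type == "ipv4":
        return bool(IPV4_RE.match(value)) and all(0 <= int(o) <= 255 for o in value.split("."))
    if ioc_type == "dns":
        return 0 < len(value) <= 253 and " " not in value
    return False


def build_feed(service, collection, indicators, since):
    """One CB feed per (service, collection); only indicators newer than `since`
    (the previous poll time) become reports."""
    reports = []
    for n, (ioc_type, value, ts, title) in enumerate(indicators):
        if parse_ts(ts) <= since or not valid_ioc(ioc_type, value):
            continue
        reports.append({
            "id": f"{collection}-{n}",
            "title": title,
            "timestamp": int(parse_ts(ts).timestamp()),
            "score": 50,  # constructed default severity
            "link": f"https://{service}/{collection}",  # placeholder URL
            "iocs": {ioc_type: [value.lower() if ioc_type == "md5" else value]},
        })
    return {
        "feedinfo": {
            "name": f"{service}_{collection}".replace(".", "_").replace("-", "_"),
            "display_name": f"{service} / {collection}",
            "provider_url": f"https://{service}/",
            "summary": f"STIX indicators from collection {collection}",
            "tech_data": "Added example, not connector output",
        },
        "reports": reports,
    }


def build_feeds(services, since):
    """Enumerate every collection of every service: N services x M collections -> N*M feeds."""
    return {
        f"{service}/{collection}": build_feed(service, collection, indicators, since)
        for service, collections in services.items()
        for collection, indicators in collections.items()
    }


if __name__ == "__main__":
    last_run = parse_ts("2017-08-31T00:00:00Z")
    for name, feed in build_feeds(SAMPLE_SERVICES, last_run).items():
        print(name, json.dumps(feed, indent=2))
```

Two design points carry over to a real connector: a feed is still created for a collection with no new indicators (so the server-side feed exists and can be enabled before data arrives), and indicators that fail type validation are dropped rather than written into the feed, where a malformed hash would never match and a malformed IP could mis-tag.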

Connector Name: python-cbtaxii

ThreatConnect

Carbon Black provides integration with ThreatConnect by retrieving Indicators of Compromise (IOCs) from specified communities. To support this integration, Carbon Black provides an out-of-band bridge that communicates with the ThreatConnect API.

Connector Name: python-cb-threatconnect-bridge

ThreatExchange

Carbon Black provides integration with ThreatExchange by retrieving Indicators of Compromise (IOCs) from specified communities. To support this integration, Carbon Black provides an out-of-band bridge that communicates with the ThreatExchange API.

Connector Name: python-cb-threatexchange-connector

Orchestration

CB Response also supports integration with network appliances to retrieve alert data and optionally take action on affected endpoints.

InfoBlox

The Carbon Black Infoblox Secure DNS connector ingests reports via syslog from the Infoblox Secure DNS appliance and correlates them against data in the connected Carbon Black server. The connector can then take one or more actions based on these reports, including killing the offending process from the endpoint, isolating the system from the network, and creating an alert for future followup.

Infoblox syslog events are sent to the connector, which can either run on its own host or on the Carbon Black server itself. The connector then correlates the DNS information with Carbon Black to determine what process caused the DNS lookup. This correlation can only occur if the endpoint has attempted to establish a TCP or UDP connection with another host. A Carbon Black network connection event is only generated when a TCP SYN or UDP packet is sent to a target host, and these network connection events are used to correlate the DNS request against the Carbon Black data.
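To make the correlation step concrete, here is an added example that is not the python-cb-infoblox-connector's code: it parses a stream of DNS-alert syslog lines and matches each against Carbon Black-style network-connection events from the same endpoint to the resolved address within a short window after the lookup. The syslog line layout, the netconn event fields and all sample values are constructed for the example and are not Infoblox's or Carbon Black's real formats. It also shows the caveat from the paragraph above: a lookup with no following TCP/UDP connection attempt yields no process.

```python
"""Added example: correlate DNS alert syslog with CB-style netconn events.
Not the connector's code; line format and event fields are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog lines: "<ts> <host> dns-rpz: client=<ip> qname=<domain> rdata=<ip>"
SAMPLE_SYSLOG = [
    "2017-09-21T10:00:05Z dns-appliance dns-rpz: client=10.0.0.15 qname=bad.example.net rdata=198.51.100.9",
    "2017-09-21T10:05:00Z dns-appliance dns-rpz: client=10.0.0.22 qname=evil.example.org rdata=203.0.113.40",
    "2017-09-21T10:06:00Z dns-appliance dns-rpz: this line is malformed",
]

# Constructed netconn-like events: one per TCP SYN / UDP packet toward a remote host.
SAMPLE_NETCONNS = [
    {"ts": "2017-09-21T10:00:06Z", "endpoint_ip": "10.0.0.15",
     "process": "c:\\users\\u\\appdata\\update.exe", "remote_ip": "198.51.100.9", "proto": "tcp"},
    {"ts": "2017-09-21T10:00:07Z", "endpoint_ip": "10.0.0.15",
     "process": "c:\\windows\\system32\\svchost.exe", "remote_ip": "198.51.100.9", "proto": "udp"},
    {"ts": "2017-09-21T10:30:00Z", "endpoint_ip": "10.0.0.15",  # outside the window
     "process": "c:\\program files\\browser\\browser.exe", "remote_ip": "198.51.100.9", "proto": "tcp"},
    {"ts": "2017-09-21T10:05:01Z", "endpoint_ip": "10.0.0.99",  # different endpoint
     "process": "c:\\tools\\x.exe", "remote_ip": "203.0.113.40", "proto": "tcp"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dns-rpz: client=(?P<client>\S+) qname=(?P<qname>\S+) rdata=(?P<rdata>\S+)$"
)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(lines):
    """Return parsed DNS reports plus a count of malformed lines, which are skipped
    rather than allowed to crash a long-running connector."""
    reports, dropped = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            dropped += 1
            continue
        reports.append({"ts": parse_ts(m["ts"]), "client": m["client"],
                        "qname": m["qname"], "rdata": m["rdata"]})
    return reports, dropped


def correlate(reports, netconns, window=timedelta(minutes=5)):
    """Map each DNS report to the processes on the same endpoint that attempted a
    TCP/UDP connection to the resolved address within `window` after the lookup.
    An empty list means no netconn was recorded, so the lookup cannot be attributed."""
    results = {}
    for r in reports:
        hits = sorted({
            c["process"] for c in netconns
            if c["endpoint_ip"] == r["client"] and c["remote_ip"] == r["rdata"]
            and r["ts"] <= parse_ts(c["ts"]) <= r["ts"] + window
        })
        results[(r["client"], r["qname"])] = hits
    return results


def run(lines=SAMPLE_SYSLOG, netconns=SAMPLE_NETCONNS):
    reports, dropped = parse_syslog(lines)
    return correlate(reports, netconns), dropped


if __name__ == "__main__":
    matches, dropped = run()
    for (client, qname), procs in matches.items():
        print(f"{client} looked up {qname}: {procs or 'no matching connection (cannot attribute)'}")
    print(f"{dropped} malformed syslog line(s) skipped")
```

The window and the endpoint/remote-address pair are the two knobs that matter: too wide a window and unrelated processes talking to the same address get blamed, while matching on the resolved address rather than the queried name is what lets the DNS side line up with a netconn, which carries no hostname.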

Connector Name: python-cb-infoblox-connector

Fidelis

Fidelis XPS is a network analyzer device that uses Deep Session Inspection technology to detect attacks. This is a bi-directional integration where Fidelis XPS pushes alerts to the connector, which creates a feed from the IOCs provided and polls CB Enterprise Response for matches, returning the matching process(es) and their corresponding netconn and filewrite events.

Connector Name: python-cb-fidelis-bridge

FireEye

FireEye NX is a network-based malware detection system. This is a uni-directional integration where the FireEye NX system sends alerts to the connector, which creates a feed from the provided IOCs.

Connector Name: python-cb-fireeye-connector

SIEM Plugins

The CB Response server can also interoperate with several different SIEM systems. Carbon Black has built apps for two SIEMs: IBM QRadar and Splunk. These apps allow users to query and optionally take action on endpoints directly from the SIEM console.

In addition, events can be forwarded from the CB Response server into SIEMs using the Event Forwarder.

IBM QRadar

The CB Response IBM QRadar app is live on the IBM X-Force App Exchange.

Splunk Active Response App

A Splunk app with support for the new Active Response Framework is still under development. The source code for the Splunk app is available on GitHub and will be posted on Splunkbase soon.

Other Plugins

IBM BigFix

Juniper Sky ATP

The SkyATP connector for Carbon Black submits infected hosts detected by a CbR server to the Sky ATP infected hosts blacklist.

Last modified on September 21, 2017