Threat Connect for EDR
Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
VMware Carbon Black EDR provides integration with ThreatConnect by retrieving Indicators of Compromise (IOCs) from specified communities. To support this integration, Carbon Black provides an out-of-band bridge that communicates with the ThreatConnect API.
To create a build for EL7, run:
FISH: ./gradlew build BASH: ./gradlew build
To create a build for EL8, run:
FISH: env DOCKERIZED_BUILD_ENV=centos8 ./gradlew build BASH: export DOCKERIZED_BUILD_ENV=centos8; ./gradlew build
Other common commands for ./gradlew:
runPyTest- Runs the python test suite
generatePepperReport- Generates a flake 8 based pepper report.
createVirtualEnv- Creates the appropriate python virtual environment to build and execute the connector. Can also be used for an IDE virtual environment.
runSmokeTest- Runs the available smoke tests.
Run the following commands as root on an EDR server or other RPM-based 64-bit Linux distribution server:
cd /etc/yum.repos.d curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo yum install python-cb-threatconnect-connector
After the software is installed via YUM, copy the
/etc/cb/integrations/threatconnect/connector.conf.example file to
/etc/cb/integrations/threatconnect/connector.conf. Edit this file and put the EDR API key into the
carbonblack_server_token variable and the Carbon Black EDR server’s base URL into the
Put the credentials for the ThreatConnect API account into the
secret_key variables. The
variable is the numeric API identifier that is issued by ThreatConnect, and the
secret_key is a long
alphanumeric + symbols secret key that is assigned to you. Special characters in the secret key do not have to be
escaped in the configuration file.
To receive IOCs from your organization as a source, enter your organization’s source name in
To specify which sources to pull from, enter your sources as a comma-separated list in
sources or use
to pull from all sources.
After you have the connector configured for your API access, start the ThreatConnect service: CentOS/Redhat 6:
service cb-threatconnect-connector start
systemctl start cb-threatconnect-connector
Errors, if any, will be logged to the file
If you suspect a problem, first review the ThreatConnect connector logs:
Note that there might be multiple files because the logger rolls over when the log file hits a certain size.
The GitHub repository is here.
- View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the VMware Carbon Black Community.
- Report bugs and change requests to Carbon Black Support