Threat Connect for EDR

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

VMware Carbon Black EDR provides integration with ThreatConnect by retrieving Indicators of Compromise (IOCs) from specified communities. To support this integration, Carbon Black provides an out-of-band bridge that communicates with the ThreatConnect API.

Building

To create a build for EL7, run:

FISH: ./gradlew build
BASH: ./gradlew build

To create a build for EL8, run:

FISH: env DOCKERIZED_BUILD_ENV=centos8 ./gradlew build
BASH: export DOCKERIZED_BUILD_ENV=centos8; ./gradlew build

Other common commands for ./gradlew:

  • runPyTest - Runs the python test suite
  • generatePepperReport - Generates a flake 8 based pepper report.
  • createVirtualEnv - Creates the appropriate python virtual environment to build and execute the connector. Can also be used for an IDE virtual environment.
  • runSmokeTest - Runs the available smoke tests.

Installation Quickstart

Run the following commands as root on an EDR server or other RPM-based 64-bit Linux distribution server:

cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
yum install python-cb-threatconnect-connector

After the software is installed via YUM, copy the /etc/cb/integrations/threatconnect/connector.conf.example file to /etc/cb/integrations/threatconnect/connector.conf. Edit this file and put the EDR API key into the carbonblack_server_token variable and the Carbon Black EDR server’s base URL into the carbonblack_server_url variable.

Put the credentials for the ThreatConnect API account into the api_key and secret_key variables. The api_key variable is the numeric API identifier that is issued by ThreatConnect, and the secret_key is a long alphanumeric + symbols secret key that is assigned to you. Special characters in the secret key do not have to be escaped in the configuration file.

To receive IOCs from your organization as a source, enter your organization’s source name in default_org.

To specify which sources to pull from, enter your sources as a comma-separated list in sources or use * (asterisk) to pull from all sources.

After you have the connector configured for your API access, start the ThreatConnect service: CentOS/Redhat 6:

service cb-threatconnect-connector start

CentOS/Redhat 7/8:

systemctl start cb-threatconnect-connector

Errors, if any, will be logged to the file

/var/log/cb/integrations/cb-threatconnect-connector/cb-threatconnect-connector.log`.

Troubleshooting

If you suspect a problem, first review the ThreatConnect connector logs:

/var/log/cb/integrations/cb-threatconnect-connector/cb-threatconnect-connector.log.

Note that there might be multiple files because the logger rolls over when the log file hits a certain size.

Dev Install

The GitHub repository is here.

Support

  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the VMware Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support
Last modified on May 18, 2021