The connector requires you to have a Feed and a Watchlist in Carbon Black Cloud. You can use the create-feed and create-watchlist commands to create these items.

The connector resides between the Carbon Black Cloud and your TAXII providers as shown in the following figure:

[Figure: Threat Intelligence Connector architecture]

The ingested data is in JSON or XML format depending on the TAXII Server and the STIX version. STIX 2.x content is served in a JSON format and STIX 1.x is served in XML format.

When the script runs, it first reads the configuration for the TAXII Servers and attempts to create a Python client for each of them. Each client is then passed to the STIX Parsers together with the user-supplied specifics for that server: collections, api_roots, begin_date, end_date and added_after. Which specifics apply depends on the server version.

The STIX Parsers gather all of the STIX objects that Carbon Black Cloud supports. The currently supported objects are Indicator (STIX 1.x, 2.x) and ObservedData (STIX 1.x). The following tables show the supported mappings.

Table 1. Mappings for Indicator (STIX 1.x)

  Field                      Carbon Black Cloud Field   Description
  AddressObj (ipv4-addr)     netconn_ipv4               IPv4 address
  AddressObj (ipv6-addr)     netconn_ipv6               IPv6 address
  DomainNameObj              netconn_domain             Domain name (target FQDN)
  FileObj (hashes.SHA256)    process_hash               The hash of the file
  FileObj (hashes.MD5)       process_hash               The hash of the file
  FileObj (file_name)        process_name               The name of the file
  URIObj                     netconn_domain             The URI address

Table 2. Mappings for the Indicator pattern (STIX 2.x)

  Field                      Carbon Black Cloud Field   Description
  ipv4-addr:value            netconn_ipv4               IPv4 address
  ipv6-addr:value            netconn_ipv6               IPv6 address
  file:hashes.'SHA-256'      process_hash               The SHA-256 hash of the file
  artifact:hashes.'SHA-256'  process_hash               The SHA-256 hash of the file
  file:hashes.'MD5'          process_hash               The MD5 hash of the file
  artifact:hashes.'MD5'      process_hash               The MD5 hash of the file
  url:value                  netconn_domain             The URL address
  domain-name:value          netconn_domain             Domain name (target FQDN)

After the data has been parsed into IOCs (Indicators of Compromise), the results are sent to the final stage, which imports them into Carbon Black Cloud. There, the script logic determines how many Reports to create and how many Feeds to put them in (in most cases, one feed).

The logic follows these Carbon Black Cloud limits:

  • Maximum of 1,000 IOCs in a Report
  • Maximum of 10,000 Reports in a Feed
  • Maximum of 10,000,000 IOCs in a Feed

If those limits are exceeded, the connector creates a new feed holding the remaining results. That feed has the same name as the first one, but its Part is 2 or higher.
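The two pieces of logic described above, the Table 2 pattern mapping and the Report/Feed packing under the Carbon Black Cloud limits, as an added illustration that is not the connector's own code: pattern_to_iocs and plan_feeds are hypothetical helpers, the sample pattern is constructed, and the exact "Part N" feed naming is an assumption.

```python
import re

# Table 2 mapping: STIX 2.x object path -> Carbon Black Cloud IOC field.
STIX2_TO_CBC = {
    "ipv4-addr:value": "netconn_ipv4",
    "ipv6-addr:value": "netconn_ipv6",
    "file:hashes.'SHA-256'": "process_hash",
    "artifact:hashes.'SHA-256'": "process_hash",
    "file:hashes.'MD5'": "process_hash",
    "artifact:hashes.'MD5'": "process_hash",
    "url:value": "netconn_domain",
    "domain-name:value": "netconn_domain",
}
# One equality comparison <type>:<path>[.'<key>'] = '<value>'; other
# operators (!=, MATCHES, IN, ...) are deliberately left unmatched.
_COMPARISON = re.compile(r"([\w-]+:[\w.]+(?:'[^']+')?)\s*=\s*'([^']*)'")
MAX_IOCS_PER_REPORT = 1_000   # Carbon Black Cloud limits quoted above
MAX_REPORTS_PER_FEED = 10_000


def pattern_to_iocs(pattern: str) -> dict[str, list[str]]:
    """Map a STIX 2.x indicator pattern onto CBC IOC fields via Table 2.
    Unsupported paths and empty values are skipped; values are
    de-duplicated per field, keeping their order of appearance."""
    iocs: dict[str, list[str]] = {}
    for path, value in _COMPARISON.findall(pattern):
        field = STIX2_TO_CBC.get(path)
        if field is None or not value:
            continue
        bucket = iocs.setdefault(field, [])
        if value not in bucket:
            bucket.append(value)
    return iocs


def plan_feeds(base_name: str, ioc_count: int) -> list[tuple[str, int]]:
    """Return (feed name, report count) pairs honouring the CBC limits.
    Reports beyond 10,000 spill into further feeds; the exact 'Part N'
    naming used here is an assumption, not the connector's own."""
    reports = -(-ioc_count // MAX_IOCS_PER_REPORT)  # ceiling division
    plan: list[tuple[str, int]] = []
    part = 1
    while reports > 0:
        name = base_name if part == 1 else f"{base_name} Part {part}"
        n = min(reports, MAX_REPORTS_PER_FEED)
        plan.append((name, n))
        reports -= n
        part += 1
    return plan
```

Because 10,000 reports of 1,000 IOCs is exactly 10,000,000, the per-feed IOC limit is met whenever the first two limits are.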