This section describes how to manage threat intelligence feeds.
On the Threat Intelligence Feeds page, you can:
View the available feeds and get more information about them
Enable or disable feeds
Configure alerts and logging for feeds
Change the rating used to calculate the severity assigned to IOCs from a feed
Sync one or all feeds
Check for new feeds
Add a new feed
Delete user-defined feeds
Search for threat reports
Carbon Black Threat Intel feeds are feeds that Carbon Black EDR makes available from Carbon Black EDR sources and third-party partners. These feeds can be enabled and (in some cases) disabled, but they cannot be deleted from the page.
Certain reports come from Carbon Black Threat Intel as on-demand feeds, and these do not provide their data until a process on the Process Analysis page matches their information. See On-Demand Feeds from VMware CB Threat Intel for more details.
The EMET Protection and Banning Events feeds send their respective events to the Carbon Black EDR server regardless of whether they are enabled, but they must be enabled if you want to configure alerts and logging.
To view the Threat Intelligence Feed page, on the navigation bar, click Threat Intelligence.
The Threat Intelligence Feeds page appears:
The Tamper Detection feed is enabled by default. It alerts on endpoint activity that indicates tampering with sensor activity:
You must enable other feeds. See Enable and Configure a Threat Intelligence Feed. See Creating and Adding New Threat Intelligence Feeds for information about adding user-defined feeds.