You can create and add new threat intelligence feeds to a Carbon Black EDR server.

A threat intelligence feed can be created in any language that allows for building JSON, or you can build it by hand. One way to build a feed is to use the Carbon Black Feeds API (CBFAPI), which is located on GitHub at:

https://github.com/carbonblack/cbfeeds.

The CBFAPI is a collection of documentation, example scripts, and a helper library to help create and validate Carbon Black EDR feeds. Regardless of how a feed is created, the feed file must match the feed structure (or schema) that the Feed Structure section of the CBFAPI documentation defines.

You have several options for what you specify when adding a new feed to a Carbon Black EDR server. The minimum requirement is that you provide a URL to the feed.

Add a New Threat Intelligence Feed

Perform the following procedure to add a newly created threat intelligence feed.

Prerequisites

Confirm that the feed you have created follows the Feed Structure instructions in the CBFAPI documentation on GitHub.
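One way to pre-check a feed file before adding it, as an added example that is not part of the original page or of the cbfeeds project: it uses only the Python standard library and assumes the required feedinfo and report keys and the -100 to 100 score range described in the cbfeeds README. The names SAMPLE_FEED, check_feed and bad_ioc are made up for this example.

```python
import ipaddress
import json
import re

# Key names assumed from the cbfeeds README (Feed Structure); confirm against it.
FEEDINFO_REQUIRED = ("name", "display_name", "provider_url", "summary", "tech_data")
REPORT_REQUIRED = ("id", "iocs", "link", "score", "timestamp", "title")

# Constructed sample feed with two deliberate defects (score and md5).
SAMPLE_FEED = json.dumps({
    "feedinfo": {"name": "examplefeed", "display_name": "Example Feed", "summary": "Sample",
                 "provider_url": "https://feeds.example.com/", "tech_data": "None"},
    "reports": [{"id": "rep-1", "title": "Constructed report", "score": 250,
                 "link": "https://feeds.example.com/rep-1", "timestamp": 1700000000,
                 "iocs": {"ipv4": ["192.0.2.10"], "md5": ["abc123"]}}],
})


def bad_ioc(kind, value):
    """Return True when an md5 or ipv4 indicator is malformed; other types pass."""
    try:
        if kind == "ipv4":
            ipaddress.IPv4Address(str(value))  # raises ValueError if malformed
        return kind == "md5" and not re.fullmatch(r"[0-9a-fA-F]{32}", str(value))
    except ValueError:
        return True


def check_feed(text):
    """Return a list of problems found in a feed document; empty means none found."""
    try:
        feed = json.loads(text)
        info, reports = feed["feedinfo"], feed["reports"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a feed document: {exc!r}"]
    problems = [f"feedinfo missing '{k}'" for k in FEEDINFO_REQUIRED if k not in info]
    for n, rep in enumerate(reports):
        label = rep.get("id", f"#{n}")
        problems += [f"report {label} missing '{k}'" for k in REPORT_REQUIRED if k not in rep]
        if not isinstance(rep.get("score"), int) or not -100 <= rep["score"] <= 100:
            problems.append(f"report {label} score {rep.get('score')!r} outside -100..100")
        for kind, values in rep.get("iocs", {}).items():
            problems += [f"report {label} bad {kind} {v!r}" for v in values if bad_ioc(kind, v)]
    return problems


if __name__ == "__main__":
    print("\n".join(check_feed(SAMPLE_FEED)) or "no problems found")
```

An empty result means only that these checks found nothing; the Feed Structure section of the CBFAPI documentation remains the reference for what the server accepts.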

Procedure

  1. On the navigation bar, select Threat Intelligence.
  2. On the Threat Intelligence Feeds page, click Add New Feed.
  3. In the Edit Alliance Feed dialog box, do one of the following:
    • To add a feed from a URL, click the Add from URL tab and complete the following settings:
      Table 1.

      Field

      Description

      Feed URL

      Enter the URL for the feed that will be providing IOC reports.

      Use Proxy

      Select this option to use a proxy for the feed URL. This proxy must be configured in advance by Carbon Black Technical Support.

      Validate Server Cert

      Select this option to require a validation check on the feed server’s certificate.

      Show/Hide Feed Server Authentication Options

      If the server that is providing the feed requires authentication, click the Show Server Authentication Options link and provide the following authentication information:

      • Username

      • Password

      • Public Cert

      • Private Key

    • To manually add a feed, click the Add Manually tab and complete the following settings:

      Field

      Description

      Name

      Enter the feed name to appear in the panel.

      Feed URL

      Enter the URL that the Carbon Black EDR server will use to sync the data in the feed.

      Provider URL

      Enter the URL to the page to open when the user clicks More Info on the feed panel.

      Summary

      Enter the text that will appear in the panel to describe this feed.

      Use Proxy

      If the Carbon Black EDR server must access the feed URL through a proxy, the proxy is added in the proxy field.

      Validate Server Cert

      Indicates if the Carbon Black EDR server should validate the Feed Server certificate.

      Show/Hide Feed Server Authentication Options

      If the server providing the feed requires authentication, click the Show Server Authentication Options link and provide the following authentication information:

      • Username

      • Password

      • Public Cert

      • Private Key

  4. Click Save.
    If the settings you entered provide access to a feed server, the new feed appears on the Threat Intelligence Feeds page.