This section describes threat intelligence feeds that can be enabled on a Carbon Black EDR server to enhance the verification, detection, visibility, and analysis of threats on your endpoints.
Threat intelligence feeds are streams of reports about IOCs and patterns of behaviors found in the wild by a variety of services and products. One or more feeds can be integrated into the Carbon Black EDR server and console to enhance the verification, detection, visibility, and analysis of threats on your endpoints.
The source of a feed may be from:
-
Carbon Black Threat Intel and the Carbon Black Threat Research Team
-
A third-party Carbon Black partner
-
The information and analysis collected by:
-
Carbon Black Threat Intel Reputation
-
Carbon Black App Control threat detection tools
-
-
Shared data collected from Carbon Black EDR customer enterprises
You can also create new feeds if needed. Some feeds do not require data collection from your server, while others require that you share information from your enterprise back to the feed provider to improve community intelligence data.
Available feeds appear on the Threat Intelligence Feeds page. You can enable or disable any feed on that page. The Carbon Black EDR server supports the following types of IOCs:
-
Binary MD5s
-
Binary SHA-256s
-
IPv4 addresses
-
IPv6 addresses
-
JA3 fingerprints
-
JA3S fingerprints
-
DNS names
-
Query-based feeds using the Carbon Black EDR process/binary search syntax to define an IOC
When a feed is enabled and IOCs from it are received, the following information and capabilities are added in Carbon Black EDR:
-
Feed results added to process and binary records – If an IOC from a feed report matches processes or binaries reported by sensors on your endpoints, the feed results are added to the records for those processes/binaries in Carbon Black EDR. You can search and filter for processes or binaries using a feed report or score. For example, you can create a table of all processes whose National Vulnerability Database score is greater than 4.
-
Feed-based watchlists – You can create a Carbon Black EDR Watchlist that tags a process or binary found on one of your endpoints when the score of a feed matches a specified score or falls within a specified score range.
-
Feed-based alerts – You can configure console and email alerts when a process or binary, which is the subject of a specified feed report, is identified on an endpoint.
-
Links to feed sources – You can link back to the source of a feed for more information, which can range from a general feed description to specific details about an IOC reported by that feed.
-
Threat Report Search – You can search for individual threat reports from any feed that is or has been enabled.
Threat Intelligence Feed Scores
The threat intelligence feed score spectrum is as follows:
- A negative 100 (-100) score means a feed is extremely trustworthy (not malicious in any way). These scores are rare.
- A positive 100 (100) score means that a feed is extremely malicious.
Most scores will be within the 0-100 range.
Firewall Configuration for Feeds
To receive all threat intelligence that is available from Carbon Black Threat Intel, you must allow SSL access (port 443) through your firewall to the following domains:
- api.alliance.carbonblack.com:443
- threatintel.bit9.com:443
Blocking either of these domains will prevent your Carbon Black EDR server from receiving intelligence from specific feeds as well as data, such as IP location and icon matching for files.