Perform the following procedure to enable and configure a threat intelligence feed.

Procedure

  1. On the navigation bar, click Threat Intelligence.
  2. Locate the feed and click Enabled.
  3. Configure the feed using the following options and controls:

    Field/Menu – Description

    More info – Link to the feed provider’s website for technical information about the feed and general information about the provider and its products.

    (Rating) – Rating of this threat intelligence feed by the community of Carbon Black EDR users. The default rating is three stars. You can click a star to modify the rating of this feed on your server. The rating affects the severity assigned to alerts coming from this feed, which can affect the order of alerts if they are sorted by severity.

    Enabled – If selected, the threat intelligence feed is enabled; otherwise it is disabled.

      Note: Most feeds also require that you select Enable Alliance Communication on the Sharing page. Also, feeds that upload data from your server require that you opt into hash sharing with that feed. See Threat Intelligence Data Sharing Settings.

    Email Me on Hit – IOCs from this feed that reference a process or binary that is recorded on this Carbon Black EDR server cause an email alert to be sent to the logged-in console user. See Enabling Email Alerts.

      Note: Only Carbon Black EDR Global Administrators or Carbon Black Hosted EDR Administrators can change this setting.

    Notifications menu

      • Create Alert – Indicators from this feed that reference a process or binary that is recorded on this Carbon Black EDR server cause a console alert. See Enabling Console Alerts.

      • Log to Syslog – IOCs from this feed that reference a process or binary that is recorded on this Carbon Black EDR server are included in Syslog output from this Carbon Black EDR server. See the Carbon Black EDR Integration Guide for details on configuring SYSLOG output.

      Note: Only Carbon Black EDR Global Administrators or Carbon Black Hosted EDR Administrators can change this setting.

    Process Matches – Link to the Process Search page with the results of a search that shows each process that matches IOCs from this feed. See Process Search and Analysis.

    Binary Matches – Link to the Binary Search page with the search results showing each binary that matches IOCs from this feed. See Binary Search and Analysis.

    Threat Reports – Link to the Threat Reports search page filtered to show any Threat Reports from this feed. See Searching for Threat Reports.

    Actions menu – The Actions menu includes the following commands:

      • Create Watchlist – Creates a Watchlist, which is a saved search whose results are processes or binaries that match IOCs that this feed reports.

      • Incremental Sync – Adds report data from this feed that has been observed since the previous synchronization.

      • Full Sync – Rewrites all report data from this feed.