This section describes how to manage threat intelligence feeds.

On the Threat Intelligence Feeds page, you can:

• View the available feeds and get more information about them

• Enable or disable feeds

• Configure alerts and logging for feeds

• Change the rating used to calculate the severity assigned to IOCs from a feed

• Sync one or all feeds

• Check for new feeds

• Add a new feed

• Delete user-defined feeds

• Search for threat reports

Carbon Black Threat Intel feeds are feeds that Carbon Black EDR makes available from Carbon Black EDR sources and third-party partners. These feeds can be enabled and (in some cases) disabled, but they cannot be deleted from the page.

Certain reports come from Carbon Black Threat Intel as on-demand feeds, and these do not provide their data until a process on the Process Analysis page matches their information. See On-Demand Feeds from VMware CB Threat Intel for more details.

The EMET Protection and Banning Events feeds send their respective events to the Carbon Black EDR server regardless of whether they are enabled, but they must be enabled if you want to configure alerts and logging.

• To view the Threat Intelligence Feed page, on the navigation bar, click Threat Intelligence.

  The Threat Intelligence Feeds page appears:

  

  The Tamper Detection feed is enabled by default. It alerts on endpoint activity that indicates tampering with sensor activity:

  You must enable other feeds. See Enable and Configure a Threat Intelligence Feed. See Creating and Adding New Threat Intelligence Feeds for information about adding user-defined feeds.