Carbon Black Threat Intel provides a rich variety of intelligence and capabilities about files, domain names, IP addresses, and associated patterns of compromise, including IOCs, reputation, and attack classification.
Examples of these intelligence types include:
Trust and threat ratings
Domain/IP reputation and context
Icon matching to help identify threats masquerading as files of another type
Detection feeds of behavioral patterns of compromise
Some of this intelligence can be enabled or disabled through feeds listed on the Threat Intelligence Feeds page, and this information is added to process data as soon as the feed is received.
Other intelligence is made available to the Carbon Black EDR server when a process, pattern, or other IOC that is part of the Carbon Black Threat Intel database is viewed on the Process Analysis page. The information in these on-demand feeds includes the following:
Damballa malware classification and context – Carbon Black Threat Intel provides an enhanced network-to-endpoint attack classification through its integration with Damballa’s threat intelligence on malicious destinations, advanced threat actor groups, and command-and-control communications. This information is added to attack classifications when a Process Analysis page containing a relevant domain name is displayed.
Geolocation information for network connections – The location of addresses identified in both inbound and outbound connections is provided.
Domain and IP reputation – Carbon Black Threat Intel computes a reputation score for domains using various inputs, information, and algorithms inside the cloud. This reputation score is displayed for domain names for which a score is available.