Carbon Black Open Source Threat Intelligence

March 29, 2022

Are you like me?

Do you love Enterprise EDR's robust data collection, and the fantastic out-of-the-box threat intel feeds provided – but wish you had a bit more threat intelligence to overlay, to further harness the power of the raw visibility provided?

Well, fret not, dear reader: CB Open Source Intel is here to help!

Disclaimer: This app was created and submitted by a member of the developer community. All sample content and code in this blog are licensed to you by the sample’s author. VMware does not guarantee the samples, nor will they be able to provide support should issues arise; they are provided “AS IS”.

Source

The intention of this blog post is to provide a high-level overview of the tool, and the capabilities possessed therein.

However, if you want to read exact details on the setup process and the feeds available, or simply watch the videos of the app in action, please see the GitHub repo linked here: https://github.com/ncomeau/CB_Open_Source_Intel.

App Overview

CB Open Source Intel is an app that was developed to run optimally on macOS; however, the aforementioned GitHub repository includes instructions covering the considerations needed for the app to function as expected on Windows and Linux as well.

Under the hood, the app leverages Python code (specifically Python 3) to call Carbon Black's REST API and perform the variety of functions accessible within the app. All of these capabilities are served up through a pretty UI, rendered and constructed with the Kivy Python framework.

Functionally, CB Open Source Intel consists of 3 primary components:

1. Custom Threat Intel Import
2. Watchlist Management
3. CBR (EDR) to EEDR Query Converter

1. Custom Threat Intel Import

This is far and away the focal point of the app. This module encapsulates a combination of open-source third-party threat intelligence and threat intel curated internally by several of our Solution Engineering team members.

Figure 1: Open-Source Threat Intel offered. For a full breakdown of the open-source threat intel provided, please see here.

Figure 2: Internal Threat Intel offered. For a full breakdown of the internally curated threat intel, please see here.

Although the predominant value-add of this module is indeed the robust threat intel itself, to overlay on the verbose data provided by EEDR, the secondary value-add is the ease with which said intel can be imported. Rather than having to worry about proper formatting, or which API routes to leverage, you can simply click the “Import” button, and the magic will happen in the background!

The threat intel feeds are not linked live to the source they were pulled from, but any desired updates to the feeds can be done on-demand within the app.

Lastly, all of the reports/IOCs that make up each threat intel feed are tagged with any applicable intel (i.e. the attacks they have been associated with, where that information is present), as well as the name of the feed itself. This is worth mentioning because you are not relegated to using a feed only in its entirety; rather, you can navigate to the “Watch List Builder” section within the CBC UI and mix and match imported reports/IOCs as you see fit!

2. Watchlist Management

While the focal point of the tool is most certainly the importing of Threat Intel, I figured that being able to manage said imported threat intel might prove handy as well – enter Watchlist Management!

For those of you unfamiliar with EEDR…well, then this app probably is not for you lol. Nevertheless, a "Feed" is a collection of threat intelligence. When you enable a "Feed", either for alerting or for overlaying on the data in your unique environment, it becomes a "Watchlist". Not all "Watchlists" come from "Feeds", as you can have custom-created "Watchlists" as well; these are denoted by the "tools" icon in the app.

Given the above, not only does the app allow you to import the Threat Intel Feed, but you can also enable those newly imported Threat Intel Feeds as Watchlists in your environment, directly from the app! Furthermore, you can control enabling and/or alerting on ALL Threat Intel Feeds and Watchlists available in your EEDR environment!
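To make concrete what the “Import” button has to do behind the scenes (assemble a feed document, tag every report with its feed name, validate the IOCs, then hand it to the Feed API), here is an added example written for this post; it is not code from the CB Open Source Intel repository. The `feedinfo`/`reports`/`iocs_v2` layout, the `/threathunter/feedmgr/v2/orgs/{org_key}/feeds` path and the `X-Auth-Token` header format are stated from the public Carbon Black Cloud API documentation as I recall it, so treat them as assumptions and check them against the current docs before use; the CBC hostname, org key and credentials are placeholders.

```python
"""Build and sanity-check a Carbon Black Cloud threat-intel feed document before import.

Assumed layout (per the public CBC Feed API docs): a feed is {"feedinfo": ..., "reports": [...]}
and each report carries "iocs_v2" entries with a field, a match_type and a list of values.
"""
import hashlib
import json
import time

# Assumed subset of Enterprise EDR IOC fields accepted for equality matches in this example.
ALLOWED_IOC_FIELDS = {"process_sha256", "process_md5", "netconn_ipv4", "netconn_domain", "process_name"}


def build_report(feed_name, title, severity, field, values, tags=()):
    """Return one report dict; the id is derived from content so a re-import yields the same id."""
    if not 1 <= severity <= 10:
        raise ValueError(f"severity must be 1-10, got {severity}")
    if field not in ALLOWED_IOC_FIELDS:
        raise ValueError(f"unsupported IOC field: {field}")
    if not values:
        raise ValueError("an IOC needs at least one value")
    digest = hashlib.sha256(f"{feed_name}|{title}|{field}|{sorted(values)}".encode()).hexdigest()[:32]
    # Every report is tagged with the feed it came from, so reports can later be mixed and
    # matched across feeds in the Watchlist builder and still be traced back to their source.
    return {
        "id": digest,
        "timestamp": int(time.time()),
        "title": title,
        "description": f"Imported from feed '{feed_name}'",
        "severity": severity,
        "tags": sorted(set(tags) | {feed_name}),
        "iocs_v2": [{"id": f"{digest}-ioc", "match_type": "equality", "field": field, "values": sorted(values)}],
    }


def build_feed(name, summary, reports, provider_url="https://example.invalid/feed"):
    """Assemble the feed document and reject duplicate report ids before anything is sent."""
    ids = [r["id"] for r in reports]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate report ids in feed")
    return {
        "feedinfo": {"name": name, "provider_url": provider_url, "summary": summary,
                     "category": "Open Source Intel", "source_label": name},
        "reports": reports,
    }


def feed_request(cbc_host, org_key, api_id, api_secret_key, feed):
    """Return (url, headers, body) for the assumed Feed API create call; the caller performs the POST."""
    url = f"{cbc_host}/threathunter/feedmgr/v2/orgs/{org_key}/feeds"
    headers = {"X-Auth-Token": f"{api_secret_key}/{api_id}", "Content-Type": "application/json"}
    return url, headers, json.dumps(feed)
```

Passing the returned triple to `requests.post(url, headers=headers, data=body)` performs the actual import; the validation above is what saves you from the malformed-feed errors the app otherwise hides behind the button.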

Figure 3: Watchlist manager – view of currently enabled, but not alerted on, Watchlists within an org.

Figure 4: Watchlist manager – options for actions to take on a newly-imported threat intel feed.

3. CBR (EDR) to EEDR Query Converter

Lastly, we have the optional CBR (EDR) to EEDR Query Converter module. When toggled on via the login page, the UI dynamically updates and adds access to this module on the home page.

This optional module enables users of EDR (formerly CB Response/CBR) who are looking to migrate to EEDR to convert any supported custom Watchlist they might have into its EEDR equivalent!

Figure 5: CBR Converter – input for conversion and new Watchlist + Report creation.

Conclusion

As mentioned above, for any additional detail on the feeds offered or the setup process, or merely to watch silly or instructional videos of the app in action, please visit the associated GitHub repository here: https://github.com/ncomeau/CB_Open_Source_Intel

Overall, this project is intended for internal use, but it can be leveraged by customers as well if desired, with the disclaimer cited at the outset understood. The real intent of this application, however, is to showcase the immense possibilities when leveraging the robust REST API of the Carbon Black Cloud, and how security is about community, not one single source of truth.
