Create Custom Feeds and Ingest Third-Party Feeds into Enterprise EDR

Introduction

Learn how to create custom feeds using Postman and how to configure the Enterprise EDR TAXII connector using our Python SDK. This connector allows for the importing of STIX data by querying one or more TAXII services, retrieving that data, and pushing the data into Enterprise EDR. Watch the below video for a step-by-step tutorial on how to ingest 3rd-party feeds.

Prerequisites

To enable the integration, you must have the below products:

  • Carbon Black Cloud, Enterprise EDR
  • Developer network (Python and API)
  • Threat intel Module (GitHub)
  • Subscription to 3rd party threat intel.

Carbon Black Cloud Configuration

In order to use the API, we need to create an API key with the relevant custom permissions, which have been listed below:

Permission (.notation name)    Operation
org.feeds                      Create, Read, Update, Delete

In the Carbon Black Cloud, to create custom permissions navigate to Settings > API Access > Access Level > Add Access Level. To create an API key, go to Settings > API Access > API Keys. For more information on creating custom access levels, please refer to the User Guide.

Create Empty Feed

Once you have created the API key, you can use it to create the new empty feed that the Threat Intel Module will populate with the 3rd party IOCs. To do this, use the following API call:

POST {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds

With the following body:

{
    "feedinfo": {
        "name": "[string]",
        "owner": "[CBC ORG Key]",
        "provider_url": "[string]",
        "summary": "[string]",
        "category": "[string]",
        "source_label": null
    },
    "reports": []
}

For more information on the body and schema, please refer to our API guide.

Once created, the new feed will have a unique Feed ID. This will be required when setting the config file in the Threat Intel Module. To get the Feed ID, use the following API call to retrieve information on all feeds:

GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds

Then locate and take note of the ID for the newly created feed within the feed information.
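To show the create-and-lookup steps end to end, here is an added Python example (not code from this guide or from VMware's SDK). It assumes the feedmgr v2 endpoints shown above, the Carbon Black Cloud X-Auth-Token header format ("<API Secret Key>/<API ID>"), and that the GET reply carries a "results" list whose entries have "id" and "name" fields; SAMPLE_FEEDS is a constructed reply. It also includes a small check for the bare-host form that the site value in config.yml expects (see the configuration section).

```python
import json
import urllib.request
from typing import Optional

# Constructed sample of a GET .../feeds reply (assumed shape: {"results": [...]}).
SAMPLE_FEEDS = {"results": [
    {"id": "7wP8BEc2QsS8ciEqaRv7Ad", "name": "Anomali Limo", "owner": "ABCD1234"},
    {"id": "placeholder-feed-id-2", "name": "Other Feed", "owner": "ABCD1234"},
]}


def build_feed_body(name: str, org_key: str, provider_url: str,
                    summary: str, category: str) -> dict:
    """Build the POST body shown in this guide; the report list starts empty."""
    return {"feedinfo": {"name": name, "owner": org_key,
                         "provider_url": provider_url, "summary": summary,
                         "category": category, "source_label": None},
            "reports": []}


def feedmgr_request(method: str, hostname: str, org_key: str, api_id: str,
                    api_secret: str, body: Optional[dict] = None) -> dict:
    """Authenticated POST/GET to the feedmgr v2 feeds endpoint; returns decoded JSON."""
    url = f"https://{hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        # Custom API keys authenticate as "<API Secret Key>/<API ID>" (assumed format).
        "X-Auth-Token": f"{api_secret}/{api_id}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def find_feed_id(feeds: dict, name: str) -> Optional[str]:
    """Pick the Feed ID for the named feed out of the GET .../feeds reply."""
    for feed in feeds.get("results", []):
        if feed.get("name") == name:
            return feed.get("id")
    return None


def normalize_site(site: str) -> str:
    """config.yml 'site' wants a bare host: strip the scheme and any trailing slash."""
    for scheme in ("https://", "http://"):
        if site.lower().startswith(scheme):
            site = site[len(scheme):]
    return site.rstrip("/")
```

Create the feed with feedmgr_request("POST", ..., build_feed_body(...)), then list with feedmgr_request("GET", ...) and pass the reply to find_feed_id to get the value for feed_id in config.yml.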

Subscribe to Feed

To use the Threat Intel Module, a subscription to a TAXII service is required. The service will provide information that will be used in the Threat Intel Module to fetch and publish data into the newly created feed.

Configure Threat Intel Module

Now that the feed has been created, we need to install and configure the Threat Intel Module.

The Threat Intel Module has two main uses:

  • Report Validation: each report to be sent to the Carbon Black Cloud should be validated before sending. The Enterprise EDR report format is JSON.
  • Pushing Reports to an Enterprise EDR Feed

The Threat Intel Module is on GitHub and once installed, the config.yml file will need to be configured with the details provided by the 3rd Party Feed Provider. The below options are mandatory within config.yml:

  • feed_id: The feed_id of the ThreatHunter Feed you want to send ThreatIntel to. Example: 7wP8BEc2QsS8ciEqaRv7Ad
  • site: The address of the site (only server IP or DNS; don't put https:// or a trailing slash). Example: limo.anomali.com
  • discovery_path: The path of the site for discovering what services are available; supplied by your TAXII provider. Example: /api/v1/taxii/taxii-discovery-service/
  • collection_management_path: The path of the site for listing what collections are available to you; supplied by your TAXII provider. Example: /api/v1/taxii/collection_management/
  • poll_path: The path of the site for polling a collection; supplied by your TAXII provider. Example: /api/v1/taxii/poll/
  • use_https: If you require HTTPS for your TAXII service connection, set it to true. Defaults to true.
  • ssl_verify: By default, we validate SSL certificates. Change to false to turn off SSL verification.
  • start_date: The start date from which to start requesting data. Use %y-%m-%d %H:%M:%S format. Example: 2019-01-01 00:00:00

Once config.yml has been configured, we need to run the module. For a one-time run, use the following:

[roo@localhost threat_intelligence] python stix_taxii.py

If reports do not show up, use the stix.log file for troubleshooting.

Summary and Additional Resources

Changelog

The following updates were made to this guide:

Date          Description of Changes
2021/11/30    The guide was published.

About the Author and Contributors

Raj has over fifteen years of consulting experience in Cyber Security. Raj has vast experience in multiple security disciplines which has been gained while working at the two biggest resellers in the UK. Supporting their customers, he has worked as a consultant at many major UK and European companies, providing support with design, implementation, best practices, and testing, utilizing current and newly purchased security products. At VMware, Raj has worked as a Professional Services Consultant, a Solution Architect and is now using his extensive knowledge and experience in his Technical Marketing role. His focus in Technical Marketing is on securing the distributed workforce.

  • Raj Sahota, Senior Technical Marketing Architect, Network and Advanced Security Business Group, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Security Business Unit Technical Marketing at sbu_tech_content_feedback@vmware.com.
