Integrate a Carbon Black Response Cloud Device

Configure a Carbon Black Response cloud device to receive IOCs from Threat Command. When you add the device to Threat Command, it will be configured to receive IOCs.

Add a Carbon Black Response cloud device to Threat Command

Add a cloud device to Threat Command.

Prerequisites

  • You have the credentials to access the device.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.

To add a cloud device to Threat Command:

  1. Log in to Threat Command at https://dashboard.ti.insight.rapid7.com
  2. From the main menu, select Automation > Integrations.
  3. From the Integrations page, click Cloud.
  4. Click Add new device.
  5. In the Add New Cloud Device dialog, type a user-defined name for the device.
    The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
  6. Select the Device type.
    The default device IOCs limit is displayed.
  7. (Optional) You can change the IOCs limit.
  8. Click Add.
  9. To verify that the new device is added, refresh the Automation > Integrations page.
    The new device is added to the cloud integrations device list. Next to the device name, there is a red dot, indicating that communication has not yet been established. The dot will change to green when the device is synchronized. If the device cannot synchronize for more than 48 hours, an email warning is sent to the account administrator.

Configure a Carbon Black Response cloud device to pull IOCs

After a device has been added, you must enable the pulling of IOCs by the Carbon Black Response device from Threat Command.

Before you begin, ensure:

  • You have the device login credentials.
  • The device has been added.
  • You have administrative credentials to access Threat Command with a subscription to the Automation and TIP modules.
  • An IOC group for this device exists in Threat Command.
    Creating IOC groups is described in Create an IOC group.

Threat Command supports IOC groups of domains, IP addresses, and MD5 file hashes only.
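
A pre-flight check for that restriction, added here as an example (not Rapid7 or Carbon Black code): it sorts candidate indicators into the three supported types and reports the rest, so unsupported entries are caught before they go into an IOC group. The function names and sample values are constructed, and accepting both IPv4 and IPv6 as IP addresses is an assumption the page does not confirm.

```python
import ipaddress
import re

SUPPORTED = ("domain", "ip", "md5")  # the types the page lists as supported
_MD5 = re.compile(r"[0-9a-fA-F]{32}")
_OTHER_HASH = re.compile(r"[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")  # SHA-1/SHA-256 lengths
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"(?:{_LABEL}\.)+[A-Za-z][A-Za-z0-9-]{{0,61}}[A-Za-z0-9]")

# Constructed sample input (documentation address ranges, hashes of empty input).
SAMPLE = [
    "203.0.113.10", "2001:db8::1", "Bad.Example.com", "10.0.0.999",
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "http://bad.example.com/login",
]

def classify(value):
    """Return 'domain', 'ip', 'md5', or 'unsupported:<reason>' for one indicator."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6 (assumption, see lead-in)
        return "ip"
    except ValueError:
        pass
    if _MD5.fullmatch(v):
        return "md5"
    if _OTHER_HASH.fullmatch(v):
        return "unsupported:hash is not MD5"
    if "/" in v:
        return "unsupported:URL or path"
    if len(v) <= 253 and _DOMAIN.fullmatch(v):
        return "domain"
    return "unsupported:unrecognized"

def partition(indicators):
    """Split indicators into ({type: [values]}, [(value, reason), ...])."""
    accepted, rejected = {t: [] for t in SUPPORTED}, []
    for raw in indicators:
        kind = classify(raw)
        if kind in accepted:
            accepted[kind].append(raw.strip().lower())
        else:
            rejected.append((raw.strip(), kind.split(":", 1)[1]))
    return accepted, rejected

if __name__ == "__main__":
    print(partition(SAMPLE))
```
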

To configure a Carbon Black Response cloud device:

  1. Log in to the Carbon Black management console.

  2. Navigate to Threat Intelligence.

  3. Click Add New Feed.

  4. From Threat Command, copy the Carbon Black device URL and authentication details into Carbon Black:

    1. From Threat Command, select Automation > Integrations.
    2. From the Cloud device list, select the Carbon Black Response device.
    3. From the top of the page, click Device Details.
    4. Paste the full Feed URL from Threat Command into the Carbon Black Edit Alliance Feed dialog.
    5. From the Threat Command Settings > Subscription page, copy and paste these values:
      • Copy the Threat Command Account ID to the Carbon Black Username.
      • Copy the Threat Command API key to the Carbon Black Password.
        For more information about generating, revoking, and displaying these credentials, see API key, account ID, and appliance key.
    6. Click Save.
    7. In the feed, select Enabled.
  5. In the Carbon Black management console, verify that IOCs are being received.