VMware Carbon Black

The integration between ThreatConnect and Carbon Black Response allows users to take IOCs identified by ThreatConnect that meet a specified threat rating and send file hashes and IPs back to Carbon Black Response for action. Once ThreatConnect sends the IOC, Carbon Black Response will then correlate the intel from ThreatConnect with the data that’s been collected from the endpoints and automatically take action based on if there are any correlations (or hits) found. The integration allows users to instantly hunt for targeted IOCs they were tracking in ThreatConnect across Carbon Black Response’s extensive network of endpoints. When a hit occurs, the full context of each hit - including associated threats, past observations or incidents, and community insight - is accessible to the analyst via ThreatConnect. With the Playbooks Apps, users are automatically able to take the following actions:

• Ban MD5 Hash
• Create File on Sensor
• Create Watchlist
• Delete File on Sensor
• Isolate Sensor
• Unisolate Sensor
• Kill Process by Sensor
• Retrieve All Processes on Sensor
• Retrieve File by MD5
• Retrieve File Info by Sensor
• Retrieve File from Sensor
• Retrieve Process Info by Search
• Retrieve Sensor BY ID
• Retrieve Watchlist by ID
• Retrieve Watchlist by Name
• Update Watchlist by ID

This app can be found in the ThreatConnect App Catalog under Carbon Black Response.

This Playbook template will allow you to deploy a Yara rule to Carbon Black's Yara Manager. The Playbook uses a User Action Trigger which presents a button on the Details page of Signature groups that, when pressed, will gather the contents of the Signature and SCP them over via SSH to the host running the Yara Manager. SSH is required because there is currently no API endpoint for uploading Yara rules.

This app can be found in the ThreatConnect App Catalog under the name: Deploy Yara Rule to CarbonBlack