Carbon Black Plugin for Threat Exchange

This document explains how to configure the Carbon Black plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration lets users pull indicators of type SHA256 from the Carbon Black Alerts page. The plugin also supports sharing indicators (IPv4, IPv6, Domain, MD5, SHA256) to the Carbon Black Watchlist page.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Threat Prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Carbon Black Cloud instance.
  • Connectivity to the following host: https://defense.conferdeploy.net.

CE Version Compatibility

Netskope CE: v4.2.0 and v5.0.1

Carbon Black Plugin Support

Fetched indicator types: SHA256
Shared indicator types: SHA256, MD5, Domain, IPv4, IPv6

Mappings

Severity Mapping for Pull

Netskope CE Severity | Carbon Black Severity
Unknown              | 0
Low                  | 1, 2, 3
Medium               | 4, 5, 6
High                 | 7, 8, 9
Critical             | 10

Pull Mapping

Netskope CE Field | Carbon Black Field
Value             | process_sha256
First Seen        | first_event_timestamp
Last Seen         | last_event_timestamp
Severity          | severity
Tags              | process_reputation
Comments          | process_name

Push Mapping

Netskope CE Field | Carbon Black Field
Value             | IOC Value

Permissions

API scope permissions:

Scope      | Read | Write | Update
org.alerts | Yes  | No    | No
org.feeds  | Yes  | Yes   | Yes

API Details

List of APIs Used

API Endpoint                                                                       | Method | Use Case
{cbc-hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search                         | POST   | Pull indicators.
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports      | POST   | Push indicators.
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds                        | POST   | Create a feed.
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo     | GET    | Get feed details.
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo     | PUT    | Update feed details.

Pull Indicators

API Endpoint: {cbc-hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search
Method: POST
Request Body:

{
    "rows": 2000,
    "criteria": {
        "minimum_severity": 1
    },
    "time_range": {
        "start": "2024-04-12T07:06:06.572000Z",
        "end": "2024-04-12T08:46:23.848713Z"
    },
    "start": 1,
    "sort": [
        {
            "field": "backend_timestamp",
            "order": "ASC"
        }
    ]
}

Headers:
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
Sample API Response:

{
    "results": [
        {
            "org_key": "ABCD1234",
            "alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234",
            "id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a",
            "type": "WATCHLIST",
            "backend_timestamp": "2023-04-03T08:48:47.211Z",
            "user_update_timestamp": "2023-04-13T11:55:20.860Z",
            "backend_update_timestamp": "2023-04-03T08:48:47.211Z",
            "detection_timestamp": "2023-04-03T08:46:52.302Z",
            "first_event_timestamp": "2023-04-03T08:44:43.552Z",
            "last_event_timestamp": "2023-04-03T08:44:43.552Z",
            "severity": 6,
            "reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"",
            "reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d",
            "threat_id": "19261158DBBF00775959F8AA7F7551A1",
            "primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0",
            "policy_applied": "NOT_APPLIED",
            "run_state": "RAN",
            "sensor_action": "ALLOW",
            "workflow": {
                "change_timestamp": "2023-04-13T11:55:20.860Z",
                "changed_by_type": "USER",
                "changed_by": "demouser@demoorg.com",
                "closure_reason": "NO_REASON",
                "status": "IN_PROGRESS"
            },
            "determination": {
                "change_timestamp": "1970-01-01T00:00:00.000Z",
                "value": "ALERT_CLASSIFICATION_UNKNOWN",
                "changed_by_type": "OPERATOR_UNKNOWN",
                "changed_by": null
            },
            "tags": null,
            "alert_notes_present": false,
            "threat_notes_present": false,
            "is_updated": false,
            "device_id": 18078555,
            "device_name": "DEMO\\DEMOMACHINE",
            "device_uem_id": "",
            "device_target_value": "MEDIUM",
            "device_policy": "Demo-policy",
            "device_policy_id": 12345678,
            "device_os": "WINDOWS",
            "device_os_version": "Windows 10 x64",
            "device_username": "DEMOMACHINE\\Administrator",
            "device_location": "UNKNOWN",
            "device_external_ip": "1.2.3.4",
            "device_internal_ip": "1.2.3.4",
            "mdr_alert": false,
            "report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123",
            "report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)",
            "report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.",
            "report_tags": [],
            "ioc_id": "abd-defg-123",
            "ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]",
            "watchlists": [
                {
                    "id": "lgaClyOmQ86ZwZttq3ZDxg",
                    "name": "Demo IOCs"
                }
            ],
            "process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609",
            "process_pid": 4540,
            "process_name": "c:\\windows\\system32\\taskhostw.exe",
            "process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad",
            "process_md5": "123a4566ab18f93b93d551cd10c1598e",
            "process_effective_reputation": "COMPANY_WHITE_LIST",
            "process_reputation": "TRUSTED_WHITE_LIST",
            "process_cmdline": "taskhostw.exe SYSTEM",
            "process_username": "DEMOSERVER\\DEMO",
            "process_issuer_": "Demo CA",
            "process_publisher": "Demo Publisher",
            "parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897",
            "parent_pid": 1724,
            "parent_name": "c:\\windows\\system32\\svchost.exe",
            "parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7",
            "parent_md5": "a123456789f632dc8d9404d83bc16316",
            "parent_effective_reputation": "TRUSTED_WHITE_LIST",
            "parent_reputation": "TRUSTED_WHITE_LIST",
            "parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
            "parent_username": "NT AUTHORITY\\SYSTEM",
            "childproc_guid": "",
            "childproc_username": "",
            "childproc_cmdline": ""
        }
    ],
    "num_found": 147,
    "num_available": 147
}

Push Indicators

API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports
Method: POST
Request Body:

{
    "reports": [
        {
            "title": "Netskope CTE Threat Report",
            "description": "",
            "severity": 10,
            "timestamp": 1712302532,
            "iocs_v2": [
                {
                    "match_type": "equality",
                    "field": "process_md5",
                    "values": [
                        "dc3d905ed90bbc148bccd34fe0c94d2d"
                    ],
                    "id": "8400901781583914388"
                },
                {
                    "match_type": "equality",
                    "field": "process_sha256",
                    "values": [
                        "926a34fbae94ab7ed7fe9a596f0507031e19044c06cbbca245efb30d926ea1e5"
                    ],
                    "id": "8400901781583914388"
                },
                {
                    "match_type": "equality",
                    "field": "ipv4",
                    "values": [
                        "204.225.210.233"
                    ],
                    "id": "-8400901781583914388"
                },
                {
                    "match_type": "equality",
                    "field": "dns",
                    "values": [
                        "r3626a7uj.top"
                    ],
                    "id": "8400901781583914388"
                }
            ],
            "id": "8400901781583914388"
        }
    ]
}

Headers:
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
API Request Endpoint:

https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports

Sample API Response:

200 OK
{
    "success": true
}
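
The Severity, Pull and Push mapping tables above, and the push body shown for the reports endpoint, worked through as an added Python example (not the Netskope plugin's own code). The CE indicator key names (value, type, firstSeen, lastSeen, tags, comments), the indicator type labels (md5, sha256, ipv4, domain, url) and the way IOC and report ids are derived are assumptions; IPv6 is left out because its iocs_v2 field name does not appear on this page.

```python
"""Carbon Black <-> Netskope CE mapping helpers (added example, not the plugin's own code)."""
from __future__ import annotations

import hashlib
import time

# Severity Mapping for Pull: Carbon Black severity 0..10 -> CE severity label.
def cb_to_ce_severity(cb_severity: int) -> str:
    if cb_severity == 0:
        return "Unknown"
    if 1 <= cb_severity <= 3:
        return "Low"
    if 4 <= cb_severity <= 6:
        return "Medium"
    if 7 <= cb_severity <= 9:
        return "High"
    if cb_severity == 10:
        return "Critical"
    raise ValueError(f"Carbon Black severity out of range: {cb_severity}")

# Pull Mapping: CE field <- Carbon Black alert field (the CE key names are assumed).
def alert_to_indicator(alert: dict) -> dict | None:
    sha256 = alert.get("process_sha256")
    if not sha256:
        return None  # no process hash in the alert, so no SHA256 indicator
    reputation = alert.get("process_reputation")
    return {
        "value": sha256.lower(),
        "type": "sha256",
        "firstSeen": alert.get("first_event_timestamp"),
        "lastSeen": alert.get("last_event_timestamp"),
        "severity": cb_to_ce_severity(int(alert.get("severity", 0))),
        "tags": [reputation] if reputation else [],
        "comments": alert.get("process_name", ""),
    }

# Push Mapping: CE indicator type -> iocs_v2 "field" as used in the push body above.
# IPv6 is shareable per the page, but its field name is not shown there, so it is left out.
IOC_FIELD = {"md5": "process_md5", "sha256": "process_sha256", "ipv4": "ipv4", "domain": "dns"}

def _opaque_id(text: str) -> str:
    # Constructed: the sample bodies use opaque integer ids; derive a stable one from the content.
    return str(int(hashlib.sha256(text.encode()).hexdigest()[:15], 16))

# Body for POST .../feeds/{feed_id}/reports (Push Indicators): one report, one IOC per indicator.
def build_report_body(indicators: list[dict], title: str = "Netskope CTE Threat Report") -> dict:
    iocs = []
    for ind in indicators:
        field = IOC_FIELD.get(ind["type"])
        if field is None:
            continue  # type has no documented iocs_v2 field (e.g. url), so it is not pushed
        iocs.append({"match_type": "equality", "field": field, "values": [ind["value"]],
                     "id": _opaque_id(f"{field}:{ind['value']}")})
    return {"reports": [{"title": title, "description": "", "severity": 10,
                         "timestamp": int(time.time()), "iocs_v2": iocs, "id": _opaque_id(title)}]}

# Constructed alert, trimmed to the fields the Pull Mapping reads (values patterned on the page's sample).
SAMPLE_ALERT = {
    "first_event_timestamp": "2023-04-03T08:44:43.552Z",
    "last_event_timestamp": "2023-04-03T08:44:43.552Z",
    "severity": 6,
    "process_name": "c:\\windows\\system32\\taskhostw.exe",
    "process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad",
    "process_reputation": "TRUSTED_WHITE_LIST",
}
```

Running `alert_to_indicator(SAMPLE_ALERT)` yields a Medium-severity SHA256 indicator tagged TRUSTED_WHITE_LIST; passing that indicator plus a domain to `build_report_body` produces the two-IOC `reports` body to POST to the feed.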

Create a Feed

API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Method: POST
Request Body:

{
    "feedinfo": {
        "name": "tesmm123",
        "owner": "7DESJ9GN",
        "provider_url": "",
        "summary": "test",
        "category": "development"
    },
    "reports": []
}

Headers:
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
API Request Endpoint: https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Sample API Response:

200 OK
{
    "results": [
        {
            "name": "testcrest",
            "owner": "7DeeJ9GN",
            "provider_url": "https://riu.service-now.com/",
            "summary": "Action based IOCs from Carbon Black Cloud Service Now App",
            "category": "external_threat_intel",
            "alertable": true,
            "source_label": null,
            "access": "private",
            "id": "rbWqcLoGRjSSoZg0LaC9iQ",
            "reports_count": null
        }
    ]
}

Get Feed Details

API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Method: GET
Parameters:
include_public: true
Headers:
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
API Request Endpoint: https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Sample API Response:

200 OK
{
    "results": [
        {
            "name": "testcrest",
            "owner": "7DeeJ9GN",
            "provider_url": "https://riu.service-now.com/",
            "summary": "Action based IOCs from Carbon Black Cloud Service Now App",
            "category": "external_threat_intel",
            "alertable": true,
            "source_label": null,
            "access": "private",
            "id": "rbWqcLoGRjSSoZg0LaC9iQ",
            "reports_count": null
        }
    ]
}

Update Feed Details

API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo
Method: PUT
Request Body:

{
    "name": "CTE Threat Feed new",
    "owner": "7D****GN",
    "provider_url": "",
    "summary": "val",
    "category": "development",
    "alertable": true,
    "source_label": null,
    "access": "private",
    "id": "TlXvOfFLS2WEdcvRBcYFTw",
    "reports_count": null
}

Headers:
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
API Request Endpoint: https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo

Sample API Response:

200 OK
{
    "name": "CTE Threat Feed new",
    "owner": "IRRRR",
    "provider_url": "",
    "summary": "val",
    "category": "development",
    "alertable": true,
    "source_label": null,
    "access": "private",
    "id": "TlX*********BcYFTw",
    "reports_count": null
}

Performance Matrix

Here is the performance reading conducted by pulling and sharing 100K indicators from/to Carbon Black on a Large CE Stack with the specifications below:

Stack details: Size: Large, RAM: 32 GB, CPU: 16 Cores
Indicators fetched from Carbon Black: ~14K per minute
Indicators shared with Carbon Black: ~100K per minute

User Agent

netskope-ce-5.0.1-cte-carbon-black-v1.1.0

Workflow

  1. Create a custom File Profile.
  2. Create a Malware Detection Profile.
  3. Create a Real-time Protection Policy.
  4. Get your Carbon Black API Credentials.
  5. Configure the Carbon Black plugin.
  6. Configure sharing between Netskope and Carbon Black.
  7. Validate the Carbon Black plugin.

Create a Secure Web Gateway Custom File Profile

  1. In the Netskope UI, go to Policies, select File, and click New File Profile.
  2. Click File Hash in the left panel and select SHA256 from the File Hash dropdown list.
  3. Enter a temporary value in the text field. Netskope does not let you proceed without a value in this field, and recommends entering a string of 64 characters consisting of the character f, for example ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This has a very low probability of matching the hash of a real file.
  4. Click Next.
  5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores instead of spaces.
  6. Click Save.
  7. To publish this profile to the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile for Carbon Black

  1. In the Netskope UI, go to Policies, select Threat Protection, and click New Malware Detection Profile.
  2. Click Next.

    Note

    For this configuration example, we use the intelligence from this list as a block list. Netskope supports including both allow and block lists in threat profiles.

  3. Click Next again.
  4. Select the File Profile you created in the previous section and click Next.
  5. Enter a Malware Detection Profile name and click Save Malware Detection Profile.
  6. To publish this profile to the tenant, click Apply Changes in the top right.

Create a Real-time Threat Protection Policy for Carbon Black

  1. In the Netskope UI, go to Policies > Real-time Protection.

    Note

    The policy configured here is just an example. Modify it as appropriate for your organization.

  2. Click New Policy and select Threat Protection.
  3. For Source, leave the default (User = All Users).
  4. For Destination, select Category.
  5. The Category section expands and lets you search for and select categories. Click Select All. When finished, click outside of the Category section.
  6. When the Activities & Constraints section opens, click Edit.
  7. Select Upload and Download, and then click Save.
  8. For Profile & Action, click in the text field.
  9. Select the Malware Detection profile you created in the previous section.
  10. For the Severity Levels, change all of the Action settings from Action: Alert to Action: Block.
  11. Select a template to choose which block message is sent to the user.
  12. For Set Policy, enter a descriptive Policy Name.
  13. Click Save in the top right to save the policy.
  14. Choose the To the top option when it appears (or the appropriate location in your security policy).
  15. To publish this policy to the tenant, select Apply Changes in the top right.

Get your Carbon Black API Credentials

  1. Log in to your Carbon Black Console.
  2. Copy the Carbon Black Console URL. You will need it when configuring the Carbon Black plugin for Cloud Threat Exchange.
  3. Go to Settings > API Access > Access Levels and click Add Access Level.
  4. Enter a Name and Description appropriate for your custom API role.
  5. Select these scopes for access:
    • Alerts (notation name org.alerts): Read
    • Custom Detections (notation name org.feeds): Create, Read, Update
  6. Click Save. After a few seconds, the Access Level will be visible.
  7. With the proper scopes defined, next generate an API key with this access. Select the API Keys tab at the top of the page, and then click Add API Key.
  8. Enter a Name and Description appropriate for your environment.
  9. For Access Level type, select Custom. Select the Access Level that you created in the previous steps.
  10. Click Save. Copy the API ID, API Secret Key, and Org Key. Save these values for when you configure the Carbon Black plugin.

Configure the Carbon Black Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Carbon Black 1.1.0 (CTE) box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Interval at which data is fetched from this plugin source. Adjust the Sync Interval to an appropriate value; 5 minutes or more is recommended.
    • Aging Criteria: Expire indicators after a specific time. Leave default.
    • Override Reputation: Set value to override reputation of indicators received for this configuration. Leave empty to keep the default.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. Enter and select the Configuration Parameters on the second page:
    • Management URL: Enter your Management URL copied from the Carbon Black console when creating your API key.
    • API ID: Enter your API ID copied when creating your API key.
    • API Secret: Enter your API Secret copied when creating your API key.
    • Organization Key: Enter your Organization Key copied when creating your API key.
    • Minimum Severity: Leave default.
    • Reputation: Leave default.
    • Enable Tagging: Enable if tagging is required.
    • Enable Polling: Enable/Disable polling Threat IOCs from Carbon Black. Disable if you only need to push Threat IoCs to Carbon Black.
    • Initial Range (in days): Number of days to pull the data for the initial run. Leave default.
  6. Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new Carbon Black plugin.

Configure a Threat Exchange Business Rule for Carbon Black

A Business Rule filters the indicators that are to be shared. To share IoCs with Carbon Black, create a business rule using the following steps:

  1. In Threat Exchange, go to Business Rules and click Create New Rule.
  2. Add the Rule name and select the fields by which you want to filter the IoCs.
  3. Click Save.

Configure Threat Exchange Sharing for Carbon Black

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in a grid view. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select CTE Netskope.
  3. Select a Business Rule, and then select CTE Carbon Black for the Destination Configuration. Sharing configurations are unidirectional. Data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
  4. Select a Target. Each plugin will have a different target or destination for the IoC.
  5. Click Save.
  6. Repeat steps 2-5, but select CTE Carbon Black as the Source Configuration and CTE Netskope as the Destination Configuration.
  7. Click Save.

Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.

Note

Plugins that do not have API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table shows the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive the matching IoCs, and the target applicable to that rule. Multiple sharing configurations can be created to map certain IoCs to multiple targets, even on the same destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This shows how many IoCs will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the Carbon Black Plugin

Validate the Pull

Indicators from Carbon Black are pulled from the Alerts page.

  1. Click the details icon for a particular alert to view its details.
  2. The alert's SHA-256 is the value of the Carbon Black IoC in CE.
  3. Indicators stored in CE can be verified from the Threat Exchange > Threat IoCs page.
  4. Search the Carbon Black IoCs by filtering indicators for Carbon Black.
    Example: Add a query on the Threat IoCs page, like sources.source Is equal <plugin configuration name>.
  5. You can also verify the indicators pulled in CE from the logs available on the Logging page.

Validate the Push

  1. IoCs shared to Netskope/CrowdStrike can be verified from the logs available on the Logging page of Netskope CE.
  2. IoCs shared to Carbon Black can be verified from the Enforce > Watchlist page. Click Add Watchlists.
  3. Search for the Feed name. Click the Feed name that was provided while configuring the sharing. Click CTE Feed Carbon Black Demo. Click Subscribe.
  4. Search for the Feed name that was subscribed. Click the Feed. Go to the Reports page and click Netskope CTE Threat Report.
  5. All the shared indicators (IPv4, IPv6, Domain, MD5, and SHA256) will be visible.

Troubleshooting

Unable to Configure the Plugin

If you are unable to configure the Carbon Black plugin, it could be due to one of these reasons:

  • The API ID and/or API Secret is incorrect.
  • The API Access is incorrect.

To solve these issues:

Unable to share the data on the Carbon Black

If you are unable to share data to the Carbon Black platform, it could be because the API access level is not configured as required.

To solve this issue:

Unable to Validate the data on the Carbon Black

If you are unable to view the data on the Carbon Black platform, it could be because the Feed name provided while configuring sharing is not present in the Watchlist.

To solve this issue, follow these steps:

  1. Subscribe to the Feed.
  2. To know how to subscribe to the Feed, follow the Validate the Push steps.

Known Behavior
