Carbon Black Plugin for Threat Exchange
This document explains how to configure the Carbon Black plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows users to pull indicators of type SHA256 from the Carbon Black Alerts page. Additionally, this plugin supports sharing indicators (IPv4, IPv6, Domain, MD5, SHA256) to the Carbon Black Watchlist page.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Secure Web Gateway subscription for URL sharing.
- A Threat Prevention subscription for malicious file hash sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A Carbon Black Cloud instance.
- Connectivity to the following host: https://defense.conferdeploy.net.
CE Version Compatibility
Netskope CE: v4.2.0 and v5.0.1
Carbon Black Plugin Support
Fetched indicator types | SHA256 |
Shared indicator types | SHA256, MD5, Domain, IPv4, IPv6 |
Mappings
Severity Mapping for Pull
Netskope CE Severity | Carbon Black Severity |
---|---|
Unknown | 0 |
Low | 1,2,3 |
Medium | 4,5,6 |
High | 7,8,9 |
Critical | 10 |
Pull Mapping
Netskope CE Fields | Carbon Black Fields |
---|---|
Value | process_sha256 |
First Seen | first_event_timestamp |
Last Seen | last_event_timestamp |
Severity | severity |
Tags | process_reputation |
Comments | process_name |
Push Mapping
Netskope CE Field | Carbon Black Field |
---|---|
Value | IOC Value |
Permissions
API scope permissions required by the plugin:
Scope | Read | Write | Update |
---|---|---|---|
org.alerts | Yes | No | No |
org.feeds | Yes | Yes | Yes |
API Details
List of APIs Used
API Endpoint | Method | Use Case |
---|---|---|
{cbc-hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search | POST | Pull indicators. |
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports | POST | Push indicators. |
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds | POST | Create a feed. |
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo | GET | Get feed details. |
{cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo | PUT | Update feed details. |
Pull Indicators
API Endpoint: {cbc-hostname}/api/alerts/v7/orgs/{org_key}/alerts/_search
Method: POST
Request Body:
{ "rows": 2000, "criteria": { "minimum_severity": 1 }, "time_range": { "start": "2024-04-12T07:06:06.572000Z", "end": "2024-04-12T08:46:23.848713Z" }, "start": 1, "sort": [ { "field": "backend_timestamp", "order": "ASC" } ] }
Headers:
X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456
Content-Type: application/json
API Request Endpoint: https://defense.conferdeploy.net/api/alerts/v7/orgs/{org_key}/alerts/_search
Sample API Response:
{ "results": [ { "org_key": "ABCD1234", "alert_url": "https://defense.conferdeploy.net/alerts?s[c][query_string]=id:708d7dbf-2020-42d4-9cbc-0cddd0ffa31a&orgKey=ABCD1234", "id": "708d7dbf-2020-42d4-9cbc-0cddd0ffa31a", "type": "WATCHLIST", "backend_timestamp": "2023-04-03T08:48:47.211Z", "user_update_timestamp": "2023-04-13T11:55:20.860Z", "backend_update_timestamp": "2023-04-03T08:48:47.211Z", "detection_timestamp": "2023-04-03T08:46:52.302Z", "first_event_timestamp": "2023-04-03T08:44:43.552Z", "last_event_timestamp": "2023-04-03T08:44:43.552Z", "severity": 6, "reason": "Process taskhostw.exe was detected by the report \"Abnormally Large DNS Exchanges (exfil or zone transfer)\" in watchlist \"zzz_XDR Sample IOCs\"", "reason_code": "19261158-dbbf-3077-9959-f8aa7f7551a1:0cc402b0-ea96-35c6-8418-a2f07acf616d", "threat_id": "19261158DBBF00775959F8AA7F7551A1", "primary_event_id": "t6a_TNVuQb6seMjk_VyDsg-0", "policy_applied": "NOT_APPLIED", "run_state": "RAN", "sensor_action": "ALLOW", "workflow": { "change_timestamp": "2023-04-13T11:55:20.860Z", "changed_by_type": "USER", "changed_by": "demouser@demoorg.com", "closure_reason": "NO_REASON", "status": "IN_PROGRESS" }, "determination": { "change_timestamp": "1970-01-01T00:00:00.000Z", "value": "ALERT_CLASSIFICATION_UNKNOWN", "changed_by_type": "OPERATOR_UNKNOWN", "changed_by": null }, "tags": null, "alert_notes_present": false, "threat_notes_present": false, "is_updated": false, "device_id": 18078555, "device_name": "DEMO\\DEMOMACHINE", "device_uem_id": "", "device_target_value": "MEDIUM", "device_policy": "Demo-policy", "device_policy_id": 12345678, "device_os": "WINDOWS", "device_os_version": "Windows 10 x64", "device_username": "DEMOMACHINE\\Administrator", "device_location": "UNKNOWN", "device_external_ip": "1.2.3.4", "device_internal_ip": "1.2.3.4", "mdr_alert": false, "report_id": "Fm0YsPDyQ1Kp1Pdd6Lnd8w-abd-defg-123", "report_name": "Abnormally Large DNS Exchanges (exfil or zone transfer)", "report_description": "IOC leveraging XDR fields to identify abnormally large DNS exchanges. The typical client DNS query to your DNS server is between 50-550 bytes. Large exchanges could be indicative of attack exfiltration or zone transfer attempts.", "report_tags": [], "ioc_id": "abd-defg-123", "ioc_hit": "netconn_application_protocol:DNS AND netconn_bytes_sent:[551 TO *]", "watchlists": [ { "id": "lgaClyOmQ86ZwZttq3ZDxg", "name": "Demo IOCs" } ], "process_guid": "ABCD1234-0113db5b-000011bc-00000000-1d966088928e609", "process_pid": 4540, "process_name": "c:\\windows\\system32\\taskhostw.exe", "process_sha256": "1234cd567ab3a577c4a13b907ad7375d27e74880b63f7371384f67d19197a0ad", "process_md5": "123a4566ab18f93b93d551cd10c1598e", "process_effective_reputation": "COMPANY_WHITE_LIST", "process_reputation": "TRUSTED_WHITE_LIST", "process_cmdline": "taskhostw.exe SYSTEM", "process_username": "DEMOSERVER\\DEMO", "process_issuer_": "Demo CA", "process_publisher": "Demo Publisher", "parent_guid": "ABCD1234-0113db5b-000006bc-00000000-1d94225f1bb0897", "parent_pid": 1724, "parent_name": "c:\\windows\\system32\\svchost.exe", "parent_sha256": "123ab451a82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7", "parent_md5": "a123456789f632dc8d9404d83bc16316", "parent_effective_reputation": "TRUSTED_WHITE_LIST", "parent_reputation": "TRUSTED_WHITE_LIST", "parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule", "parent_username": "NT AUTHORITY\\SYSTEM", "childproc_guid": "", "childproc_username": "", "childproc_cmdline": "" } ], "num_found": 147, "num_available": 147 }
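The following is an added example (not the plugin's own code) that shows how the pull side fits together: it builds the alert search body shown above and converts the results into Threat Exchange indicators using the Severity Mapping for Pull and Pull Mapping tables. Field names come from the page; the paging helper's use of num_available is an assumption about the v7 alerts API, and the sample response is constructed from the fields of the page's sample.

```python
import json

# Added example, not the plugin's code. Severity thresholds follow the
# "Severity Mapping for Pull" table (0 Unknown, 1-3 Low, 4-6 Medium,
# 7-9 High, 10 Critical).


def ce_severity(cb_severity):
    """Map a Carbon Black numeric severity (0-10) to a CE severity label."""
    if cb_severity is None or cb_severity <= 0:
        return "Unknown"
    if cb_severity <= 3:
        return "Low"
    if cb_severity <= 6:
        return "Medium"
    if cb_severity <= 9:
        return "High"
    return "Critical"


def build_search_body(start, end, minimum_severity=1, rows=2000, page_start=1):
    """POST body for .../alerts/v7/orgs/{org_key}/alerts/_search for one time window."""
    return {
        "rows": rows,
        "criteria": {"minimum_severity": minimum_severity},
        "time_range": {"start": start, "end": end},
        "start": page_start,
        "sort": [{"field": "backend_timestamp", "order": "ASC"}],
    }


def is_sha256(value):
    """True for a 64-character hexadecimal string."""
    return (
        isinstance(value, str)
        and len(value) == 64
        and all(c in "0123456789abcdefABCDEF" for c in value)
    )


def alerts_to_indicators(response):
    """Convert alert results into CE indicator dicts per the Pull Mapping table.

    Alerts without a well-formed process_sha256 are skipped, because only
    SHA256 indicators are fetched by this plugin.
    """
    indicators = []
    for alert in response.get("results", []):
        sha256 = alert.get("process_sha256")
        if not is_sha256(sha256):
            continue
        reputation = alert.get("process_reputation")
        indicators.append({
            "value": sha256.lower(),
            "type": "sha256",
            "first_seen": alert.get("first_event_timestamp"),
            "last_seen": alert.get("last_event_timestamp"),
            "severity": ce_severity(alert.get("severity")),
            "tags": [reputation] if reputation else [],
            "comments": alert.get("process_name", ""),
        })
    return indicators


def next_page_start(response, page_start, rows):
    """Next 'start' value for paging, or None once every result has been read.

    Assumption: num_available is the number of results that can be paged through.
    """
    results = response.get("results", [])
    fetched = page_start - 1 + len(results)
    if not results or fetched >= response.get("num_available", 0):
        return None
    return page_start + rows


# Constructed sample response, trimmed to the fields the mapping uses.
SAMPLE_RESPONSE = {
    "results": [
        {
            "first_event_timestamp": "2023-04-03T08:44:43.552Z",
            "last_event_timestamp": "2023-04-03T08:44:43.552Z",
            "severity": 6,
            "process_name": "c:\\windows\\system32\\taskhostw.exe",
            "process_sha256": "1234CD567AB3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD",
            "process_reputation": "TRUSTED_WHITE_LIST",
        },
        {   # alert without a process hash: yields no indicator
            "first_event_timestamp": "2023-04-03T09:00:00.000Z",
            "last_event_timestamp": "2023-04-03T09:00:00.000Z",
            "severity": 10,
            "process_name": "",
            "process_sha256": None,
            "process_reputation": None,
        },
    ],
    "num_found": 2,
    "num_available": 2,
}

if __name__ == "__main__":
    body = build_search_body("2024-04-12T07:06:06.572000Z", "2024-04-12T08:46:23.848713Z")
    print(json.dumps(body, indent=2))
    for indicator in alerts_to_indicators(SAMPLE_RESPONSE):
        print(indicator)
```

Hash values are lower-cased before storage so that the same file reported with different casing dedupes to one indicator; the reputation tag is carried across so a later business rule can exclude TRUSTED_WHITE_LIST hashes from sharing.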
Push Indicators
API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports
Method: POST
Request Body:
{ "reports": [ { "title": "Netskope CTE Threat Report", "description": "", "severity": 10, "timestamp": 1712302532, "iocs_v2": [ { "match_type": "equality", "field": "process_md5", "values": [ "dc3d905ed90bbc148bccd34fe0c94d2d" ], "id": "8400901781583914388" }, { "match_type": "equality", "field": "process_sha256", "values": [ "926a34fbae94ab7ed7fe9a596f0507031e19044c06cbbca245efb30d926ea1e5" ], "id": "8400901781583914388" }, { "match_type": "equality", "field": "ipv4", "values": [ "204.225.210.233" ], "id": "-8400901781583914388" }, { "match_type": "equality", "field": "dns", "values": [ "r3626a7uj.top" ], "id": "8400901781583914388" } ], "id": "8400901781583914388" } ] }
Headers:
X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456
Content-Type: application/json
API Request Endpoint:
https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports
Sample API Response:
200 OK { "success": true }
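The following is an added example (not the plugin's own code) that builds the request body for the push endpoint above from a list of raw indicator values. The IOC field names process_md5, process_sha256, ipv4 and dns are taken from the page's sample body; the ipv6 field name is an assumption. Each report is capped at 1,000 IOCs, the per-report limit noted under Known Behavior, so a large batch is split across several reports in one body. The sample input is constructed.

```python
import hashlib
import ipaddress
import json
import time

# Added example, not the plugin's code. CE indicator type -> Carbon Black
# iocs_v2 field name. "ipv6" is an assumed name; the others appear on the page.
FIELD_FOR_TYPE = {
    "md5": "process_md5",
    "sha256": "process_sha256",
    "ipv4": "ipv4",
    "ipv6": "ipv6",
    "domain": "dns",
}
MAX_IOCS_PER_REPORT = 1000   # limit stated under Known Behavior


def classify(value):
    """Return the indicator type of a raw value, or None if it is unsupported."""
    v = value.strip().lower()
    if len(v) in (32, 64) and all(c in "0123456789abcdef" for c in v):
        return "md5" if len(v) == 32 else "sha256"
    try:
        return "ipv4" if ipaddress.ip_address(v).version == 4 else "ipv6"
    except ValueError:
        pass
    labels = v.split(".")
    if len(labels) > 1 and all(
        label and label.replace("-", "").isalnum() for label in labels
    ):
        return "domain"
    return None


def stable_id(*parts):
    """Deterministic numeric-string id (a design choice; ids only need to be unique)."""
    digest = hashlib.sha256("|".join(parts).encode()).digest()
    return str(int.from_bytes(digest[:8], "big"))


def ioc_entry(value, ioc_type):
    """One iocs_v2 element in the shape of the page's sample body."""
    return {
        "match_type": "equality",
        "field": FIELD_FOR_TYPE[ioc_type],
        "values": [value],
        "id": stable_id("ioc", value),
    }


def build_push_body(values, severity=10, title="Netskope CTE Threat Report", timestamp=None):
    """Return (body, skipped): the POST body and the values that could not be classified."""
    if not 1 <= severity <= 10:
        raise ValueError("severity must be between 1 and 10")
    iocs, skipped, seen = [], [], set()
    for raw in values:
        v = raw.strip().lower()
        ioc_type = classify(v)
        if ioc_type is None:
            skipped.append(raw)
            continue
        if v in seen:            # same value twice would repeat an id; keep the first
            continue
        seen.add(v)
        iocs.append(ioc_entry(v, ioc_type))
    ts = int(time.time()) if timestamp is None else timestamp
    reports = []
    for n, i in enumerate(range(0, len(iocs), MAX_IOCS_PER_REPORT)):
        reports.append({
            "title": title if n == 0 else f"{title} ({n + 1})",
            "description": "",
            "severity": severity,
            "timestamp": ts,
            "iocs_v2": iocs[i:i + MAX_IOCS_PER_REPORT],
            "id": stable_id("report", title, str(n)),
        })
    return {"reports": reports}, skipped


# Constructed sample input: one value of each supported type plus one unusable value.
SAMPLE_VALUES = [
    "dc3d905ed90bbc148bccd34fe0c94d2d",
    "926a34fbae94ab7ed7fe9a596f0507031e19044c06cbbca245efb30d926ea1e5",
    "204.225.210.233",
    "2001:db8::1",
    "r3626a7uj.top",
    "not an indicator",
]

if __name__ == "__main__":
    body, skipped = build_push_body(SAMPLE_VALUES, timestamp=1712302532)
    print(json.dumps(body, indent=2))
    print("skipped:", skipped)
```

Values the classifier rejects are returned rather than silently dropped, so a sharing run can log exactly which indicators never reached the feed; that is the first place to look when an IoC is missing from the Carbon Black report.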
Create a Feed
API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Method: POST
Request Body:
{ "feedinfo": { "name": "tesmm123", "owner": "7DESJ9GN", "provider_url": "", "summary": "test", "category": "development" }, "reports": [] }
Headers:
X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456
Content-Type: application/json
API Request Endpoint: https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Sample API Response:
200 OK { "results": [ { "name": "testcrest", "owner": "7DeeJ9GN", "provider_url": "https://riu.service-now.com/", "summary": "Action based IOCs from Carbon Black Cloud Service Now App", "category": "external_threat_intel", "alertable": true, "source_label": null, "access": "private", "id": "rbWqcLoGRjSSoZg0LaC9iQ", "reports_count": null } ] }
Get Feed Details
API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Method: GET
Parameters:
include_public:true
Headers:
X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456
Content-Type: application/json
API Request Endpoint: https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Sample API Response:
200 OK { "results": [ { "name": "testcrest", "owner": "7DeeJ9GN", "provider_url": "https://riu.service-now.com/", "summary": "Action based IOCs from Carbon Black Cloud Service Now App", "category": "external_threat_intel", "alertable": true, "source_label": null, "access": "private", "id": "rbWqcLoGRjSSoZg0LaC9iQ", "reports_count": null } ] }
Update Feed Details
API Endpoint: {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo
Method: PUT
Request Body:
{ "name": "CTE Threat Feed new", "owner": "7D****GN", "provider_url": "", "summary": "val", "category": "development", "alertable": true, "source_label": null, "access": "private", "id": "TlXvOfFLS2WEdcvRBcYFTw", "reports_count": null }
Headers:
X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456
Content-Type: application/json
API Request Endpoint: https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo
Sample API Response:
200 OK { "name": "CTE Threat Feed new", "owner": "IRRRR", "provider_url": "", "summary": "val", "category": "development", "alertable": true, "source_label": null, "access": "private", "id": "TlX*********BcYFTw", "reports_count": null }
Performance Matrix
These performance figures were measured by pulling and sharing 100K indicators from/to Carbon Black on a Large CE stack with the following specifications:
Stack details | Size: Large, RAM: 32 GB, CPU: 16 cores |
Indicators fetched from Carbon Black | ~14K per minute |
Indicators shared with Carbon Black | ~100K per minute |
User Agent
netskope-ce-5.0.1-cte-carbon-black-v1.1.0
Workflow
- Create a custom File Profile.
- Create a Malware Detection Profile.
- Create a Real-time Protection Policy.
- Get your Carbon Black API Credentials.
- Configure the Carbon Black plugin.
- Configure sharing between Netskope and Carbon Black.
- Validate the Carbon Black plugin.
Create a Custom File Profile
- In the Netskope UI, go to Policies, select File, and click New File Profile.
- Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
- Enter a temporary value in the text field. Netskope does not allow you to proceed without a value in this field, and recommends entering a string of 64 characters consisting of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This value has a very low probability of matching a valid file hash.
- Click Next.
- Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
- Click Save.
- To publish this profile into the tenant, click Apply Changes in the top right.
Create a Malware Detection Profile
- In the Netskope UI, go to Policies, select Threat Protection, and click New Malware Detection Profile.
- Click Next.
Note
For this configuration example, we will be using the intelligence for this list as a block list. Netskope does support inclusion of both allow and block lists in the threat profiles.
- Click Next again.
- Select the File Profile you created in the previous section and click Next.
- Enter a Malware Detection Profile name and click Save Malware Detection Profile.
- To publish this profile in the tenant, click Apply Changes in the top right.
Create a Real-time Protection Policy
- In the Netskope UI, go to Policies > Real-time Protection.
Note
The policy configured here is just an example. Modify as appropriate for your organization.
- Click New Policy and select Threat Protection.
- For Source, leave the default (User = All Users).
- For Destination, select Category.
- The Category section expands and allows you to search and select categories. Click Select All. When finished, click outside of the Category section.
- When the Activities & Constraints section opens, click Edit.
- Select Upload and Download, and then click Save.
- For Profile & Action, click in the text field.
- Select the Malware Detection profile you created in the previous section.
- For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
- Select a template to choose which block message is sent to the user.
- For Set Policy, enter a descriptive Policy Name.
- Click Save in the top right to save the policy.
- Choose the To the top option when it appears (or an appropriate location in your security policy).
- To publish this policy into the tenant, select Apply Changes in the top right.
Get your Carbon Black API Credentials
- Log in to your Carbon Black Console.
- Copy the Carbon Black Console URL. You will need this when configuring the Carbon Black plugin for Cloud Threat Exchange.
- Go to Settings > API Access > Access Levels and click Add Access Level.
- Enter a Name and Description appropriate for your custom API role.
- Select these scopes for access:
- Alerts (notation name org.alerts): Read
- Custom Detections (notation name org.feeds): Create, Read, Update
- Click Save. After a few seconds, Access Level will be visible.
- With the proper Scopes defined, next generate an API key with this access. Select the API Keys tab on the top of the page, and then click Add API Key.
- Enter a Name and Description that is appropriate for your environment.
- For Access Level type, select Custom, and then select the Access Level you created in the previous steps.
- Click Save. Copy the API ID, API Secret Key, and Org Key. Save these values for when you configure the Carbon Black plugin.
Configure the Carbon Black Plugin
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the Carbon Black 1.1.0 (CTE) box to open the plugin creation pages.
- Enter and select the Basic Information on the first page:
- Configuration Name: Enter a name appropriate for your integration.
- Sync Interval: Interval at which data is fetched from this plugin source. Adjust the Sync Interval to an appropriate value; 5 minutes or more is recommended.
- Aging Criteria: Expire indicators after a specific time. Leave default.
- Override Reputation: Set value to override reputation of indicators received for this configuration. Leave empty to keep the default.
- Enable SSL verification: Enable if SSL verification is required for communication.
- Use System Proxy: Enable if the proxy is required for communication.
- Click Next.
- Enter and select the Configuration Parameters on the second page:
- Management URL: Enter your Management URL copied from the Carbon Black console when creating your API key.
- API ID: Enter your API ID copied when creating your API key.
- API Secret: Enter your API Secret copied when creating your API key.
- Organization Key: Enter your Organization Key copied when creating your API key.
- Minimum Severity: Leave default.
- Reputation: Leave default.
- Enable Tagging: Enable if tagging is required.
- Enable Polling: Enable/Disable polling Threat IOCs from Carbon Black. Disable if you only need to push Threat IoCs to Carbon Black.
- Initial Range (in days): Number of days to pull the data for the initial run. Leave default.
- Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new Carbon Black plugin.
Configure a Threat Exchange Business Rule for Carbon Black
A business rule filters the indicators that are to be shared. To share IoCs with Carbon Black, create a business rule using the following steps:
- In Threat Exchange go to Business Rules and click Create New Rule.
- Add the Rule name and select the fields through which you want to filter the IoCs.
- Click Save.
Configure Sharing Between Netskope and Carbon Black
- Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view. The Sharing page also has inputs to configure new sharing from one plugin to another.
- Click Add Sharing Configuration, and in the Source Configuration dropdown list, select CTE Netskope.
- Select a Business Rule, and then select CTE Carbon Black for the Destination Configuration. Sharing configurations are unidirectional. Data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
- Select a Target. Each plugin will have a different target or destination for the IoC.
- Click Save.
- Repeat steps 2-5, but select CTE Carbon Black as the Source Configuration and CTE Netskope as the Destination Configuration.
- Click Save.
Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.
Note
Plugins that do not have an API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote third-party systems to push data to. Once a sharing policy has been added, it takes effect.
After a sharing configuration has been created, the sharing table shows the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive the matching IoCs, and the target applicable to that rule. Multiple sharing configurations can be created to map certain IoCs to multiple targets, even on the same destination system.
Modify, Test, or Delete a Sharing Configuration
Each configuration supports 3 actions:
- Edit the rule by clicking on the pencil icon.
- Test the rule by clicking on the synchronization icon. This shows how many IoCs would actually be sent to the destination system based on the timeframe and the rule.
- Delete the rule by clicking on the garbage can icon.
Validate the Carbon Black Plugin
Validate the Pull
Indicators from Carbon Black are pulled from the Alerts page.
- Click on the icon shown below for a particular alert to view the details.
- As shown, the SHA-256 is the value of the Carbon Black IoC in CE.
- Indicators stored in CE can be verified from the Threat Exchange > Threat IoCs page.
- Search the Carbon Black IoCs by filtering indicators for Carbon Black.
Example: Add a query on the Threat IoCs page, like sources.source Is equal <plugin configuration name>.
- You can also verify the indicators pulled into CE from the logs available on the Logging page.
Validate the Push
- IoCs shared to Netskope/CrowdStrike can be verified from the logs available on the Logging page of Netskope CE.
- IoCs shared on Carbon Black can be verified from the Enforce > Watchlist page. Click Add Watchlists.
- Now search for the Feed name. Click on the Feed name that was provided while configuring the sharing. Click CTE Feed Carbon Black Demo. Click Subscribe.
- Now search for the Feed name that was subscribed. Click on the Feed. Go to the Reports Page and click Netskope CTE Threat Report.
- All the shared URL-type indicators (IPv4, IPv6, and Domain), MD5 hashes, and SHA256 hashes will be visible.
Troubleshooting
Unable to Configure the Plugin
If you are unable to configure the Carbon Black plugin, it could be due to one of these reasons:
- The API ID and/or API Secret is incorrect.
- The API Access is incorrect.
To solve these issues:
- Provide correct API ID, API Secret. To get the correct credentials, follow the Get your Carbon Black API Credentials steps.
- Provide correct scopes to the API Key. To know how to provide correct scopes, follow the Get your Carbon Black API Credentials steps.
Unable to share the data on the Carbon Black
If you are unable to share data to the Carbon Black platform, it could be because the API key does not have the required access.
To solve this issue:
- Provide correct scopes to the API Key. To know how to provide correct scopes, follow the Get your Carbon Black API Credentials steps.
Unable to Validate the data on the Carbon Black
If you are unable to view the data on the Carbon Black platform, it could be because the Feed name that was provided while configuring sharing is not present in the watchlist.
To solve this issue, follow these steps:
- Subscribe to the Feed.
- To know how to subscribe to the Feed, follow the Validate the Push steps.
Known Behavior
- If a limit, such as 1K IOCs per report or 10K reports per feed, is exceeded, editing or searching IoCs on the report is prevented. Refer to the linked documentation to learn the sharing limits on the Carbon Black platform: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/feed-api/
- After a new batch of IoCs is shared to the Feed, the old IoCs are replaced by the newly shared IoCs.