Updated on March 29, 2024

Carbon Black Plugin for Threat Exchange

Carbon Black Plugin for Threat Exchange

This document explains how to configure Carbon Black with Threat Exchange in the Netskope Cloud Exchange platform. This integration allows for sharing of event driven intelligence that has been identified by Carbon Black Cloud or Netskope.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Threat Prevention subscription for malicious file hash sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Carbon Black Cloud License.
    • For ingest of event driven intelligence from Carbon Black: CBC NGAV or CBC EDR
    • For consumption of intelligence from Netskope: CBC EDR

Workflow

  1. Create a custom File Profile.
  2. Create a Malware Detection Profile.
  3. Create a Real-time Protection Policy.
  4. Create Carbon Black API credentials.
  5. Configure a Carbon Black Plugin.
  6. Configure sharing between Netskope and Carbon Black.
  7. Validate the Carbon Black Plugin.

Click play to watch a video.

 

Create a Secure Web Gateway Custom File Profile

  1. In the Netskope UI, go to Policies , select File , and click New File Profile.
    image3.jpeg
  2. Click File Hash in the left panel, select SHA256 from the File Hash dropdown list.
    image4.jpeg
  3. Enter a temporary value in the text field. Netskope does not support progressing without having a value in this field, and recommends entering a string of 64 characters that consists of the character f. For example, ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff. This will have a very low possibility of matching a valid file format.
    image5.jpeg
  4. Click Next.
  5. Enter a Profile Name and a Description. We recommend not having blank spaces in your profile name; use underscores for spaces.
    image4.png
  6. Click Save.
  7. To publish this profile into the tenant, click Apply Changes in the top right.

Create a Malware Detection Profile for Carbon Black

  1. In the Netskope UI, go to Policies, select Threat Protection , and click New Malware Detection Profile.
    image7.jpeg
  2. Click Next.

    Note

    For this configuration example, we will be using the intelligence for this list as a block list. Netskope does support inclusion of both allow and block lists in the threat profiles.

  3. Click Next again.
  4. Select the File Profile you created in the previous section and click Next.
    image6.png
  5. Enter a Malware Detection Profile name and click Save Malware Detection Profile.
    image7.png
  6. To publish this profile in the tenant, click Apply Changes in the top right.

Create a Real-time Threat Protection Policy for Carbon Black

  1. In the Netskope UI, go to Policies > Real-time Protection.

    Note

    The policy configured here is just an example. Modify as appropriate for your organization.

  2. Click New Policy and select Threat Protection.
    image10.jpeg
  3. For Source, leave the default (User = All Users)
  4. For Destination: select Category
  5. The Category section expands and allows you to search and select categories. Click Select All.

    When finished, click outside of the Category section.

    image13.jpeg
  6. When the Activities & Constraints section opens, click Edit.
  7. Select Upload and Download, and then click Save.
    image10.png
  8. For Profile & Action, click in the text field.
  9. Select the Malware Detection profile you created in the previous section.
    image11.png
  10. For the Severity Levels, change all of the Actions settings from Action: Alert to Action: Block.
    image12.png
  11. Select a template to choose which block message is sent to the user.
  12. For Set Policy, enter a descriptive Policy Name.
    image13.png
  13. Click Save in the top right to save the policy.
  14. Choose the To the top option when it appear. (Or appropriate location in your security policy)
  15. To publish this policy into the tenant, select Apply Changes in the top right.

Create Carbon Black API Credentials

  1. Log in to your Carbon Black Console.
  2. Copy the Carbon Black Console URL. You will need this when configuring the Carbon Black plugin for Cloud Threat Exchange.
  3. In the main window, go to Settings and select API Access. Select the Access Levels tab, and then click + Add Access Level.
  4. Enter a Name appropriate for your custom API roll.
  5. Select these scopes for access:
    • Alerts: ReadCustom Detections for Org.feeds: Create, Read, Update
    image16.png
  6. Click Save.
    image17.png
  7. With th proper Scopes defined, next generate an API key with this access. Select the API Keys tab on the top of the page, and then click + Add API Key.
    image18.png
  8. Enter a Name and Description that is appropriate for your environment.
  9. Pull Down the Access Level type and select Custom. Select the Role defined in step 4.
    image19.png
  10. Copy the Org Key that will be required during plugin configuration.
  11. Click Save. Copy the API ID, API Secret Key, and Org Key. Save these values for when you configure the Carbon Black plugin.
    image20.png

Configure the Carbon Black Plugin for CBC NGAV in Threat Exchange

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Carbon Black box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Leave default.
    • Aging Criteria: Leave default.
    • Override Reputation: Leave default.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. Enter and select the Configuration Parameters on the second page:
    • Management URL: Enter your Management URL copied from the Carbon Black console when creating your API key.
    • API ID: Enter your API ID copied when creating your API key.
    • API Secret: Enter your API Secret copied when creating your API key.
    • Organization Key: Enter your Organization Key copied when creating your API key.
    • Minimum Severity: Leave default.
    • Reputation: Leave default.
    • Enable Tagging: Enable if tagging is required.
    • Initial Range (in days): Leave default.
  6. Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new Carbon Black plugin.

Configure the Carbon Black Plugin for CBC EDR in Threat Exchange

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Carbon Black box to open the plugin creation pages.
  3. Enter and select the Basic Information on the first page:
    • Configuration Name: Enter a name appropriate for your integration.
    • Sync Interval: Adjust the Sync Interval to appropriate value : Suggested is 5+ minutes.
    • Aging Criteria: Leave default.
    • Override Reputation: Leave default.
    • Enable SSL verification: Enable if SSL verification is required for communication.
    • Use System Proxy: Enable if the proxy is required for communication.
  4. Click Next.
  5. Enter and select the Configuration Parameters on the second page:
    • Management URL: Enter your Management URL copied from the Carbon Black console when creating your API key.
    • API ID: Enter your API ID copied when creating your API key.
    • API Secret: Enter your API Secret copied when creating your API key.
    • Organization Key: Enter your Organization Key copied when creating your API key.
    • Minimum Severity: Leave default.
    • Reputation: Leave default.
    • Enable Tagging: Enable if tagging is required.
    • Initial Range (in days): Leave default.
  6. Click Save in the top right corner. Go to Threat Exchange > Plugins to see your new Carbon Black plugin.

Configure Sharing for Netskope and Carbon Black

  1. Go to Threat Exchange and select Sharing. The Sharing page displays the existing relationships for each sharing configuration in grid view as shown below. The Sharing page also has inputs to configure new sharing from one plugin to another.
  2. Click Add Sharing Configuration, and in the Source Configuration dropdown list, select CBC NGAV.
    image7.png
  3. Select a Business Rule, and then select CBC EDR for the Destination Configuration. Sharing configurations are unidirectional. data obtained from one plugin is shared with another plugin. To achieve bi- or multi-directional sharing, configure each separately.
    image9.png
  4. Select a Target. Each plugin will have a different target or destination for the IoC.
  5. Click Save.
  6. Repeat steps 2-5, but select CBC EDR as the Source Configuration and Netskope as the Destination Configuration.
  7. Click Save.
  8. Repeat steps 2-5, but select Netskope as the Source Configuration and CBC EDR as the Destination Configuration.
  9. Click Save.

Adding a new sharing configuration on the active source poll will share the existing IoCs of the source configuration to the destination configuration. Whenever a new sharing configuration is built, all the active IoCs will also be considered for sharing if they match the source/destination combination.

Note

Plugins that do not have API for ingesting data cannot receive threat data. This is true of the installed plugin API Source, which provides a bucket associated with an API endpoint for remote 3rd-party systems to push data to. Once a Sharing policy has been added, it takes effect.

After a sharing configuration has been created, the sharing table will show the rule being invoked, the source system providing the potential IoC matches, the destination system that will receive matching IoC, and the target applicable to that rule. Multiple Sharing configurations can be made to support mapping certain IoC to multiple targets even on the system destination system.

Modify, Test, or Delete a Sharing Configuration

Each configuration supports 3 actions:

  • Edit the rule by clicking on the pencil icon.
  • Test the rule by clicking on the synchronization icon. This tests how many IoC will actually be sent to the destination system based on the timeframe and the rule.
  • Delete the rule by clicking on the garbage can icon.

Validate the Carbon Black Plugin

In order to validate the workflow, you must have Netskope Alerts and/or Carbon Black Cloud Events. These will be queried based on the polling interval previously configured in the plugins.

  1. Go to Threat Exchange and select Threat IoCs. You should see records from your Carbon Black plugin.
    image33.png
  2. In your Netskope tenant, go to Policies > File, select your custom File Profile, and click File Hash.
    image34.png
  3. In the Carbon Black console, go to Enforce > WatchLists and click Add Watchlist to check for the Watchlist created by the plugin.
  4. Add the required selected Watchlist and click Subscribe.
  5. Your Watchlist will start showing up in the Watchlist section. To check for the IoCs shared from the Netskope to Carbon Black, go to Enforce > WatchLists > Your Watchlist and click Reports.
  6. To generate the Alerts for your Watchlist. Click Take Action > Edit, enable the Alert on hit option, and then click Save.
  7. If data is not being brokered between the platforms, you can look at the audit logs in Threat Exchange. In Threat Exchange, go to Logging and look through the logs for errors.
Share this Doc

Carbon Black Plugin for Threat Exchange

Or copy link

In this topic ...