Threat Response - Integration With Carbon Black EDR

Threat Response supports integration with Carbon Black. The following functionality is supported today:

  • Manually isolate a host using Carbon Black
  • Use Carbon Black EDR for IOC (Indicator Of Compromise) collection as an alternative to the native Proofpoint Threat Response PC Data Collection agent.

Support for Carbon Black EDR as IOC collector

Supported Carbon Black Versions

Threat Response supports Carbon Black server versions 5.x and 6.x for performing IOC collection.

IOC Items collected

Using the Carbon Black server APIs, Threat Response collects the following IOC data:

  • File system changes
  • Network activity
  • Processes
  • Registry changes

Infection Analysis

Threat Response compares the IOCs collected from Carbon Black against its forensics event data; each match contributes to the incident's IOC Confidence score.

Threat Response configuration

To configure host isolation with Carbon Black, a Threat Response admin user needs to perform the following steps:

  1. Log in to Threat Response
  2. Go to System Settings > Carbon Black
  3. Define the following parameters:
    1. URL: the URL of the Carbon Black server
    2. API token: the API token sent with every API request
  4. Check Enabled
  5. Test the integration using the Test settings button
  6. Click Save


To configure Threat Response to use Carbon Black for IOC collection, first follow the instructions above to enable host isolation, then follow the steps below:

  1. Log in to Threat Response
  2. Go to System Settings > PC Data Collection
  3. Change the Collection Method from “Collector” to “Carbon Black”
  4. Define the desired Lookback Minutes (used when collecting File & Registry changes)
  5. Optionally enable cross-incident correlations and/or automatic collections
  6. Choose which IOCs to collect
  7. Click Save
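The two procedures above set the same handful of values (server URL, API token, Enabled, Lookback Minutes) that any client of the Carbon Black EDR REST API needs. The following is an added example written for this page, not Proofpoint Threat Response's code: a small client that validates those settings the way an admin would want "Test settings" to, authenticates every request with the API token, bounds process collection to the lookback window, and toggles sensor isolation. The endpoints (`/api/info`, `/api/v1/process`, `/api/v1/sensor/<id>`), the `X-Auth-Token` header, the `start:-Nm` query syntax and the `network_isolation_enabled` field are assumed from Carbon Black EDR's public REST API documentation, not from this page; the `FakeCarbonBlack` transport is a constructed stand-in so the code runs offline.

```python
# Added example for this page: illustrative Carbon Black EDR client, not
# Threat Response's implementation. Endpoints, header and query syntax are
# assumed from Carbon Black EDR's REST API docs (assumption, not from the page).
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlparse

# A transport takes (method, url, headers, body) and returns (status, raw body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport; replaced by FakeCarbonBlack below for offline runs."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


@dataclass
class CarbonBlackSettings:
    url: str
    api_token: str
    enabled: bool = True
    lookback_minutes: int = 60  # used when collecting File & Registry changes

    def validate(self) -> List[str]:
        """Sanity checks worth running before the 'Test settings' round trip."""
        problems = []
        parsed = urlparse(self.url)
        if parsed.scheme != "https":
            problems.append("URL must be https: the API token travels in a header")
        if not parsed.netloc:
            problems.append("URL has no host")
        if not self.api_token.strip():
            problems.append("API token is empty")
        if self.lookback_minutes <= 0:
            problems.append("Lookback Minutes must be a positive integer")
        return problems


class CarbonBlackClient:
    def __init__(self, settings: CarbonBlackSettings,
                 transport: Transport = urllib_transport):
        self.settings = settings
        self.transport = transport
        self.base = settings.url.rstrip("/")

    def _headers(self) -> Dict[str, str]:
        # Carbon Black EDR authenticates each request via X-Auth-Token (assumed).
        return {"X-Auth-Token": self.settings.api_token,
                "Accept": "application/json",
                "Content-Type": "application/json"}

    def _call(self, method: str, path: str, payload=None) -> Tuple[int, dict]:
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base + path, self._headers(), body)
        return status, (json.loads(raw) if raw else {})

    def test_settings(self) -> bool:
        """Equivalent of the 'Test settings' button: do the settings authenticate?"""
        if not self.settings.enabled or self.settings.validate():
            return False
        status, _ = self._call("GET", "/api/info")
        return status == 200

    def process_query(self, hostname: str) -> str:
        """Search string restricted to the configured lookback window."""
        return f"hostname:{hostname} start:-{self.settings.lookback_minutes}m"

    def collect_processes(self, hostname: str, rows: int = 100) -> List[dict]:
        """IOC collection: process events for one host within the lookback window."""
        qs = urlencode({"q": self.process_query(hostname), "rows": rows})
        _, data = self._call("GET", f"/api/v1/process?{qs}")
        return data.get("results", [])

    def set_isolation(self, sensor_id: int, isolate: bool) -> bool:
        """Manual host isolation: fetch the sensor object, flip the flag, PUT it back."""
        _, sensor = self._call("GET", f"/api/v1/sensor/{sensor_id}")
        sensor["network_isolation_enabled"] = isolate
        status, _ = self._call("PUT", f"/api/v1/sensor/{sensor_id}", sensor)
        return status in (200, 204)


class FakeCarbonBlack:
    """Constructed stand-in for a server: records every call, returns canned JSON."""
    def __init__(self) -> None:
        self.calls: List[Tuple[str, str, Dict[str, str], Optional[bytes]]] = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        path = urlparse(url).path
        if path == "/api/info":
            return 200, b'{"version": "6.1.0"}'
        if path == "/api/v1/process":
            return 200, b'{"results": [{"process_name": "cmd.exe", "hostname": "host-01"}]}'
        if path.startswith("/api/v1/sensor/"):
            return 200, b'{"id": 7, "network_isolation_enabled": false}'
        return 404, b"{}"
```

Swapping in a real transport only changes the constructor argument, so the same validation and header logic is exercised against a live server; keeping the token out of the URL and insisting on https are the two settings-level checks a reviewer of this integration would look for first.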
