Carbon Black EDR Connectors
Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
You can connect your EDR instance to other applications with the integrations listed below. The Supported Integrations are built and maintained by Carbon Black. You can also use integrations created by our partner companies, or integrations built and supported by other developers in the Carbon Black Community.
Supported Integrations
| Name | GitHub Repo |
|---|---|
| Air Gap Feed (On-Prem only) | N/A |
| Air Gap Feed - pre EDR v7.4 (On-Prem only) | cb-airgap-feed |
| Event Forwarder | cb-event-forwarder |
| Lastline Connector | cb-lastline-connector |
| QRadar App | N/A |
| Splunk App | N/A |
| Taxii | cb-taxii-connector |
| Threat Intelligence Feeds | cbfeeds |
| ThreatConnect | cb-threatconnect-connector |
| Yara Connector | cb-yara-connector |
Partner Integrations
- View integrations from our partners on the Integration Network
- Learn how to become a partner
Community Integrations
These integrations are open source and community supported.
Installation
Unless otherwise specified, use the following installation instructions.
As root on your Carbon Black EDR server, or on another RPM-based 64-bit Linux server:
cd /etc/yum.repos.d
curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
Then install the appropriate connector by executing:
yum install <connector-name>
Binary Detonation and Sandbox Connectors
These connectors submit binaries collected by EDR to a sandbox or “detonation” engine for analysis.
Checkpoint
The Checkpoint connector submits binaries collected by Carbon Black EDR to Checkpoint for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints that Checkpoint identified as malware. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.
This connector submits full binaries by default, and binaries may be shared with Checkpoint based on the configuration.
Connector Name: python-cb-checkpoint-connector
Cyphort
Carbon Black integrates with Cyphort for inspection, analysis and correlation of suspicious binaries discovered at the endpoint. Carbon Black can submit unknown or suspicious binaries to Cyphort Core, a secure threat analysis engine that uses Cyphort's multi-method behavioral detection technology and threat intelligence, to produce threat scores that Carbon Black uses to improve detection, response and remediation.
The Cyphort connector submits binaries collected by Carbon Black to a Cyphort appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by Cyphort. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.
Connector Name: python-cb-cyphort-connector
Fortinet FortiSandbox
The Fortisandbox connector submits binaries collected by Carbon Black to a Fortinet Fortisandbox appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by Fortisandbox. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.
This connector submits full binaries by default, and binaries may be shared with Fortinet based on the configuration on your Fortisandbox appliance.
Connector Name: python-cb-fortisandbox-connector
VirusTotal
The VirusTotal connector submits binaries collected by Carbon Black to VirusTotal for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by VirusTotal. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.
To use this connector, you must have a VirusTotal Private API key. You can apply for a private API key through the VirusTotal web interface.
Connector Name: python-cb-virustotal-connector
VMRay
Connector Name: python-cb-vmray-connector
WildFire
The Wildfire connector submits binaries collected by Carbon Black to a Wildfire appliance for binary analysis. The results are collected and placed into an Intelligence Feed on your Carbon Black EDR server. The feed will then tag any binaries executed on your endpoints identified as malware by Wildfire. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed.
Connector Name: python-cb-wildfire-connector
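As an added illustration (not any connector's own code) of the rule stated for each sandbox connector above, that only binaries the connector itself submitted and the sandbox flagged as malware end up in the feed, the following builds such a feed from constructed verdicts. The cbfeeds JSON layout (a feedinfo block plus reports carrying an iocs.md5 list) is assumed here, and the sandbox URL, feed names and hashes are placeholders.

```python
import re
import time

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample data: md5 hashes the connector submitted, and the verdicts that
# came back.  The third hash was never submitted by this connector (hypothetical).
SUBMITTED = {"a" * 32, "b" * 32}
VERDICTS = {
    "a" * 32: {"malicious": True, "score": 90, "label": "Trojan.Sample"},
    "b" * 32: {"malicious": False, "score": 0, "label": "clean"},
    "c" * 32: {"malicious": True, "score": 100, "label": "seen-elsewhere"},
    "NOT-A-HASH": {"malicious": True, "score": 100, "label": "bad-input"},
}

def build_feed(verdicts, submitted, now=None):
    """Build a feed document in the cbfeeds layout (assumed here): one report per
    binary that this connector submitted and the sandbox called malicious."""
    stamp = int(time.time() if now is None else now)
    reports = []
    for md5, v in sorted(verdicts.items()):
        md5 = md5.lower()
        if not MD5_RE.match(md5):
            continue  # never emit an IOC the server cannot match on
        if md5 not in submitted or not v["malicious"]:
            continue  # only binaries we submitted, and only malware, are tagged
        reports.append({
            "id": f"sandbox-{md5}",
            "title": f"Sandbox verdict: {v['label']}",
            "link": f"https://sandbox.example/report/{md5}",  # placeholder URL
            "score": max(0, min(100, int(v["score"]))),  # clamp to 0..100
            "timestamp": stamp,
            "iocs": {"md5": [md5]},
        })
    return {
        "feedinfo": {
            "name": "sandboxconnector",
            "display_name": "Sandbox Connector",
            "provider_url": "https://sandbox.example",  # placeholder
            "summary": "Binaries submitted by the connector and flagged as malware",
            "tech_data": "Only binaries submitted by this connector are included",
        },
        "reports": reports,
    }

def feed_md5s(feed):
    """Hashes the feed would tag on the EDR server."""
    return [r["iocs"]["md5"][0] for r in feed["reports"]]
```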
Intelligence Feeds
These connectors pull threat intelligence collected from other third party sources into the EDR server.
iSIGHT
This connector imports iSIGHT threat intelligence feeds and tags documents in the Carbon Black database that match any of them. The iSIGHT connector uses the ThreatScape v2 API, described at http://www.isightpartners.com/doc/sdk-bp-docs/#/, to retrieve threat intelligence from iSIGHT. The connector creates a Carbon Black feed for any iSIGHT threat intelligence hits, and queries iSIGHT's ThreatScape API for new threat indicators every hour by default.
Connector Name: python-cbisight-connector
ThreatExchange
Carbon Black provides integration with ThreatExchange by retrieving Indicators of Compromise (IOCs) from specified communities. To support this integration, Carbon Black provides an out-of-band bridge that communicates with the ThreatExchange API.
Connector Name: python-cb-threatexchange-connector
Orchestration
EDR also supports integration with network appliances to retrieve alert data and optionally take action on affected endpoints.
InfoBlox
The Carbon Black Infoblox Secure DNS connector ingests reports via syslog from the Infoblox Secure DNS appliance and correlates them against data in the connected Carbon Black EDR server. The connector can then take one or more actions based on these reports, including killing the offending process from the endpoint, isolating the system from the network, and creating an alert for future followup.
Infoblox syslog events are sent to the connector, which can either run on its own host or on the Carbon Black EDR server itself. The connector then correlates the DNS information with Carbon Black to determine what process caused the DNS lookup. This correlation can only occur if the endpoint has attempted to establish a TCP or UDP connection with another host. A Carbon Black network connection event is only generated when a TCP SYN or UDP packet is sent to a target host, and these network connection events are used to correlate the DNS request against the Carbon Black data.
Connector Name: python-cb-infoblox-connector
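The correlation described above, as an added example that is not the Infoblox connector's own code: constructed Infoblox-style syslog lines are parsed and matched against constructed EDR network-connection events from the same endpoint, so a lookup is attributed to a process only when that process actually reached the resolved address (a TCP SYN or UDP send) shortly after the query. The syslog line layout, the netconn record fields and the time window are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed syslog shape (an assumption, not the appliance's real format):
# "<iso-ts> <host> dns: client <ip> query <name> type <qtype> resolved <ip>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dns: client (?P<client>\d+(?:\.\d+){3}) "
    r"query (?P<qname>\S+) type (?P<qtype>\S+) resolved (?P<answer>\d+(?:\.\d+){3})$"
)
# Constructed EDR netconn events: which process on which sensor reached which remote IP.
NETCONNS = [
    {"ts": "2022-07-07T10:00:03", "sensor_ip": "10.0.0.5", "remote_ip": "203.0.113.10",
     "proto": "tcp", "process": "powershell.exe", "pid": 4120},
    {"ts": "2022-07-07T10:00:05", "sensor_ip": "10.0.0.5", "remote_ip": "198.51.100.7",
     "proto": "udp", "process": "svchost.exe", "pid": 900},
]
SAMPLE_LINES = [  # constructed Infoblox-style syslog lines, including one unparsable line
    "2022-07-07T10:00:01 ib-dns1 dns: client 10.0.0.5 query flagged.example type A resolved 203.0.113.10",
    "2022-07-07T10:00:02 ib-dns1 dns: client 10.0.0.5 query quiet.example type A resolved 192.0.2.44",
    "not a dns record",
]

def parse_syslog(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def correlate(report, netconns, window=timedelta(seconds=60)):
    """Netconn events from the querying endpoint that reached the resolved address within
    `window` after the lookup; a lookup that never led to a SYN/UDP send has no match."""
    hits = []
    for nc in netconns:
        delta = datetime.fromisoformat(nc["ts"]) - report["ts"]
        if (nc["sensor_ip"] == report["client"] and nc["remote_ip"] == report["answer"]
                and timedelta(0) <= delta <= window):
            hits.append(nc)
    return hits

def attribute_lookups(lines=SAMPLE_LINES, netconns=NETCONNS):
    """Map each query name to the (process, pid) pairs responsible for it."""
    out = {}
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue  # skip lines that are not DNS records
        out[rec["qname"]] = [(h["process"], h["pid"]) for h in correlate(rec, netconns)]
    return out
```

An empty list for a query name means the appliance saw the lookup but no EDR netconn event followed it, which is exactly the case the paragraph above says cannot be correlated.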
Fidelis
Fidelis Network is a network detection and response (NDR) solution that combines machine learning with automated and manual anomaly detection techniques, coupled with Deep Session Inspection, to detect attacks. This is a bi-directional integration where Fidelis Network pushes alerts to the connector, which creates a feed from the IOCs provided and polls Carbon Black EDR for matches; a match returns the process(es) and the corresponding netconn and filewrites events.
Connector Name: python-cb-fidelis-bridge
FireEye
FireEye NX is a network-based malware detection system. This is a uni-directional integration where the FireEye NX system sends alerts to the connector, which creates a feed from the provided IOCs.
Connector Name: python-cb-fireeye-connector
SIEM Plugins
The EDR server can also interoperate with several different SIEM systems. Carbon Black has built apps for two SIEMs: IBM QRadar and Splunk. These apps allow users to query and optionally take action on endpoints directly from the SIEM console.
In addition, events can be forwarded from the EDR server into SIEMs using the Event Forwarder.
Other Plugins
IBM BigFix
Juniper Sky ATP
The SkyATP connector for Carbon Black submits infected hosts detected by a Carbon Black EDR (formerly CB Response) server to the Sky ATP infected hosts banned list.
Last modified on July 7, 2022