Introduction
Recorded Future for VWware Carbon Black Cloud Enterprise EDR uses Recorded Future's malicious risk lists to detect emerging threats in Carbon Black. Recorded Future pushes 3 feeds to Carbon Black (RecordedFutureRiskyIPs, RecordedFutureRiskyHashes and RecordedFutureRiskyDomains), and each feed has several reports (Malicious Risk Lists). The scheduled time for pushing the feeds can be set for each client. By default it’s 30 minutes (minimum) and it can be changed to any value.
The mappings for 'feeds' and 'reports' are:
- RecordedFutureRiskyIPs
- Actively Communicating C&C Server
- Current C&C Server
- Recently Reported by Insikt Group
- Recent Botnet Traffic
- Phishing Host
- Recent Positive Malware Verdict
- RecordedFutureRiskyDomains
- C&C DNS Name
- Recently Detected Malware Operation
- Recently Detected Phishing Techniques
- Recently Reported Fraudulent Content
- Recently Active Weaponized Domain
- Recently Reported by Insikt Group
- Recent COVID-19-Related Domain Lure: Malicious
- Recent Phishing Lure: Malicious
- RecordedFutureRiskyHashes
- Positive Malware Verdict
- Recently Active Targeting Vulnerabilities in the Wild
- Observed in Underground Virus Testing Sites
- Malware SSL Certificate Fingerprint
- Reported by Insikt Group
- Reported by DHS AIS
Setting Up Recorded Future for Carbon Black
Recorded Future for Carbon Black integration is set up through Recorded Future support. A support ticket should be submitted via our Integration Support ticket form with the following information:
- Integration Partner Category: Recorded Future Owned Integration
- Premier Integration: Carbon Black Cloud Enterprise EDR (Push)
- Select Your Problem: New Installation
- Integration Platform Version: Carbon Black Cloud Enterprise EDR (Push)
-
Ticket Description - Please include the following prerequisites:
- Valid Recorded Future API token
- Client's Carbon Black Server URL
- Client's Carbon Black API ID
- Client's Carbon Black API Secret Key
- Client's Carbon Black Org Key
*NOTE: Recorded Future for Carbon Black needs custom Access Level on the Carbon Black API token to function correctly. Clients who are looking to use this integration should create a custom access level in Carbon Black that includes Create, Read, Write access for feeds(org.feeds) and Read access for alerts (org.alerts). Clients should then use that custom access level when creating a Carbon Black API token.
SLA for client setup will be 12-24 working hours. The client will see Recorded Future data flowing into their Carbon Black Cloud platform once the connection has successfully been set up. Currently there aren’t data customization options for what feeds gets pushed into a client’s environment.
Additional Note:
Since Carbon Black is viewed through a web browser, Recorded Future's web browser extension may also be used to get on-demand enrichment of IOCs on the page.