Introduction
VMware Carbon Black Endpoint (hereafter referred to as "Carbon Black") thwarts attacks by analyzing billions of system events to understand what is normal in your environment, prevent attackers from abusing legitimate tools, and automate your investigation workflow so you can respond efficiently.
This extension lets you search your Carbon Black-enabled endpoints for recent events involving the indicator on the current Intelligence Card. The extension is available on IP, domain, and hash Intelligence Cards.
Use Cases
Alert Triage
Recorded Future Intelligence Cards provide context around potential threats to your network. The Intelligence Card Extension for Carbon Black marries that external threat intelligence with your internal telemetry for fast and informed decisions. If the IP, domain, or hash appears in events from your Carbon Black endpoints, the most recent 30 events from the past 7 days are returned to the extension. For example, suppose you are looking at a potentially malicious IP. Many connection events to the same IP may be cause for alarm. The extension shows which hosts are connecting to that IP, so you can tell whether this is most likely an issue on a single host or a more widespread issue with more than one host connecting. The intent is to provide enough detail to decide quickly whether you want to investigate further.
Threat Hunting
Recorded Future Intelligence Cards provide context around potential threats to your network. If the IP, domain, or hash appears in events from your organization's endpoints, the most recent 30 events from the past 7 days are returned to the extension. This provides enough context to decide whether you want to investigate further.
Below is an example response from the IP Intelligence Card for 8.8.8.8:
...
Example response when the IOC did not appear in any events over the past 7 days:
Configuration
To configure the extension, a user must be designated as an admin in Recorded Future, with access to the "Extensions" option in the "Tools" section of the main portal menu. From Carbon Black, you will need four pieces of information to enable the extension:
- API_ID
- API_Secret_Key
- Org_ID
- Org_Key
Below is a screenshot of the Carbon Black confirmation page.
Here are the specific permissions needed on the Carbon Black Cloud instance; note that changes should be made in the "Access Level" tab. Grant only these two permissions: the extension needs to read alerts and to create and read event searches, nothing more.
- Alerts API: org.alerts READ
- Search API: org.search.events CREATE READ
1. Go to Settings / API Access / Access Levels, click Add Access Level, and set those permissions; then
2. Go to Settings / API Access / API Keys, click Add API Key, and for Access Level Type click "Custom". Then, in Custom Access Level, select the new access level you just created. Record the API ID and API Secret Key shown on the confirmation page; the Org Key is shown on the same API Access page.
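The following is an added example, not code from the original page or from Recorded Future or VMware. It shows what the extension's query amounts to once the API key above exists: a search for the Intelligence Card indicator limited to the past 7 days and the 30 most recent events (the Alert Triage behavior described above), followed by the host count an analyst uses to decide between a single-host and a widespread problem. It assumes the Carbon Black Cloud Enriched Events search endpoint (`/api/investigate/v2/orgs/{org_key}/enriched_events/search_jobs`, authenticated with an `X-Auth-Token` of the form `<API Secret Key>/<API ID>`), the field names `netconn_ipv4`, `netconn_domain` and `process_hash`, and a constructed sample response; verify the endpoint and field names against your own Carbon Black Cloud instance before relying on them.

```python
"""Search Carbon Black Cloud for recent events matching an IOC and count affected hosts.

Assumptions (not from the original page): the enriched_events search endpoint,
the query field names in IOC_FIELDS, and SAMPLE_RESULTS, which is constructed
for illustration only.
"""
import json
import time
import urllib.request
from collections import Counter

WINDOW = "-7d"   # the extension looks back 7 days ...
MAX_ROWS = 30    # ... and returns at most the 30 most recent events

# Hypothetical mapping from Intelligence Card type to CBC search field.
IOC_FIELDS = {
    "ip": "netconn_ipv4",
    "domain": "netconn_domain",
    "hash": "process_hash",
}


def build_search_request(base_url, org_key, api_id, api_secret_key, ioc_type, ioc_value):
    """Return (url, headers, body) for a search job scoped to one IOC."""
    if ioc_type not in IOC_FIELDS:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    # Quote the value so ':' or '.' in a hash or domain is not parsed as query syntax.
    query = f'{IOC_FIELDS[ioc_type]}:"{ioc_value}"'
    url = f"{base_url}/api/investigate/v2/orgs/{org_key}/enriched_events/search_jobs"
    headers = {
        # Carbon Black Cloud API keys authenticate as "<API Secret Key>/<API ID>".
        "X-Auth-Token": f"{api_secret_key}/{api_id}",
        "Content-Type": "application/json",
    }
    body = {
        "query": query,
        "time_range": {"window": WINDOW},
        "rows": MAX_ROWS,
        "sort": [{"field": "device_timestamp", "order": "DESC"}],
    }
    return url, headers, body


def run_search(url, headers, body, poll_seconds=2.0, timeout_seconds=60.0):
    """Create the search job, poll until it completes, and return the result rows.

    Requires network access and the org.search.events CREATE READ permission;
    not exercised offline.
    """
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        job_id = json.load(resp)["job_id"]
    results_url = f"{url}/{job_id}/results?rows={MAX_ROWS}"
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        with urllib.request.urlopen(urllib.request.Request(results_url, headers=headers)) as resp:
            page = json.load(resp)
        # The job is done once every contacted device has been searched.
        if page.get("contacted") == page.get("completed"):
            return page.get("results", [])
        time.sleep(poll_seconds)
    raise TimeoutError("search job did not complete in time")


def summarize_by_device(results):
    """Count matching events per device_name, the view an analyst wants for triage."""
    return dict(Counter(r["device_name"] for r in results))


def triage_verdict(per_device):
    """Collapse the per-host counts into the decision the card is meant to support."""
    if not per_device:
        return "no events"
    return "single host" if len(per_device) == 1 else "multiple hosts"


# Constructed sample rows, shaped like enriched_events results (not real telemetry).
SAMPLE_RESULTS = [
    {"device_name": "WS-0417", "device_timestamp": "2024-05-01T10:02:11.000Z",
     "process_name": "chrome.exe", "netconn_ipv4": "8.8.8.8"},
    {"device_name": "SRV-DC01", "device_timestamp": "2024-05-01T09:58:40.000Z",
     "process_name": "svchost.exe", "netconn_ipv4": "8.8.8.8"},
    {"device_name": "WS-0417", "device_timestamp": "2024-04-30T17:21:03.000Z",
     "process_name": "chrome.exe", "netconn_ipv4": "8.8.8.8"},
]

if __name__ == "__main__":
    url, headers, body = build_search_request(
        "https://defense.conferdeploy.net", "ORGKEY123", "API_ID_X", "API_SECRET_Y", "ip", "8.8.8.8")
    print(json.dumps(body, indent=2))
    # Offline: triage the constructed rows instead of calling run_search(url, headers, body).
    per_device = summarize_by_device(SAMPLE_RESULTS)
    print(per_device, "->", triage_verdict(per_device))
```

Because the access level grants only `org.search.events CREATE READ` and `org.alerts READ`, a leaked key for this extension can read event data but cannot change policies, quarantine devices, or modify alerts; keep the scope that narrow when you create the key.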