Threat Intelligence feeds that are updated by Carbon Black versus 3rd Parties
Article ID: 285690
Products
Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)
Issue/Introduction
Which Threat Intelligence Feeds are updated by Carbon Black, and which are updated by 3rd Parties?
Environment
EDR Server: All Versions
Threat Intelligence Feeds
Resolution
Carbon Black
- Requires Binary Sharing
  - Reputation Trust
  - Reputation Threat
- Does not require Binary Sharing to update
  - Advanced Threat
  - Early Access
  - Endpoint Visibility
  - Suspicious Feeds
  - Banning Events
  - Community
  - EMET Protection
  - Tamper Detection
  - Known IOC Feed
  - Cb Inspection (No longer supported)

3rd Party and Open Source
- Requires Binary Sharing to update
  - NVD (National Vulnerability Database)
- Does not require Binary Sharing to update
  - Abuse.ch
  - Alienvault Open Threat Exchange (OTX)
  - ThreatExchange
  - SANS
  - TOR
  - ThreatConnect
  - Att&ck Framework
Additional Information
3rd Party and Open Source feeds are not owned or updated by the EDR product. The 3rd party provider is responsible for updating the feeds.
The EDR tool uses a JSON format to receive the feed data and stores it in Solr. Some of the 3rd party feeds use an API, and a connector converts that data to the correct JSON format. The update may fail if the vendor changes the APIs or the format in which the data is sent.
Feeds that require sharing of binaries may not update. These only update if a suspected hash matches an entry that the databases list as possibly malicious.
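
One way to catch the format change described above before it silently stops a feed from updating is to validate a connector's converted JSON prior to publishing it. This is an added example, not Carbon Black's code. The field names follow the publicly documented cbfeeds feed format and are an assumption to confirm for your server version, and the sample feed and its URLs are constructed.

```python
import json
import re

# Assumed layout (public cbfeeds format); confirm for your EDR server version.
FEEDINFO_REQUIRED = ("name", "display_name", "provider_url", "summary", "tech_data")
REPORT_REQUIRED = ("id", "iocs", "link", "score", "timestamp", "title")
IOC_PATTERNS = {  # only these IOC types are value-checked in this example
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
}

def validate_feed(raw):
    """Return a list of problems in a connector's converted feed document."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    info, reports = doc.get("feedinfo"), doc.get("reports")
    if not isinstance(info, dict) or not isinstance(reports, list):
        return ["feedinfo must be an object and reports a list"]
    problems = ["feedinfo missing '%s'" % k for k in FEEDINFO_REQUIRED if k not in info]
    for i, rep in enumerate(reports):
        if not isinstance(rep, dict):
            problems.append("report %d is not an object" % i)
            continue
        problems += ["report %d missing '%s'" % (i, k) for k in REPORT_REQUIRED if k not in rep]
        score = rep.get("score", 0)
        if type(score) is not int or not -100 <= score <= 100:
            problems.append("report %d score is not an integer in -100..100" % i)
        iocs = rep.get("iocs", {})
        if not isinstance(iocs, dict):
            problems.append("report %d iocs is not an object" % i)
            continue
        for kind, values in iocs.items():
            if not isinstance(values, list):
                problems.append("report %d iocs.%s is not a list" % (i, kind))
            elif kind in IOC_PATTERNS:
                problems += ["report %d bad %s value %r" % (i, kind, v) for v in values
                             if not (isinstance(v, str) and IOC_PATTERNS[kind].match(v))]
    return problems

# Constructed samples: a valid feed, and the same feed after hypothetical upstream drift.
GOOD = json.dumps({"feedinfo": {"name": "examplefeed", "display_name": "Example Feed",
    "provider_url": "https://feed.example.invalid/", "summary": "constructed", "tech_data": "constructed"},
    "reports": [{"id": "r-1", "title": "constructed report", "link": "https://feed.example.invalid/r-1",
    "score": 50, "timestamp": 1700000000, "iocs": {"ipv4": ["192.0.2.10"], "md5": ["0" * 32]}}]})
DRIFTED = GOOD.replace('"iocs"', '"indicators"').replace('"score": 50', '"score": "50"')
```

Calling validate_feed(GOOD) returns an empty list, while validate_feed(DRIFTED) reports the renamed indicator field and the string-typed score, which is the point at which a connector should alert instead of publishing.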