EDR: How to set up a test Cbtaxii Threat Intelligence feed

Article ID: 286278

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to set up a test Cbtaxii Threat Intelligence feed

Environment

  • EDR: All Supported Versions

Resolution

  1. On the EDR server, create the file CbOpenSource.repo:
     cd /etc/yum.repos.d
     curl -O https://opensource.carbonblack.com/release/x86_64/CbOpenSource.repo
  2. Install the connector:
     sudo yum install python-cbtaxii
  3. Use the supplied sample configuration file as the basis of the configuration file:
     cp /etc/cb/integrations/cbtaxii/cbtaxii.conf.example /etc/cb/integrations/cbtaxii/cbtaxii.conf
  4. From here, one or more TAXII services can be configured. An example configuration file can be seen here.
  5. Once the cbtaxii.conf file has been fully configured, run the cbtaxii command:
     /usr/share/cb/integrations/cbtaxii/cbtaxii -c /etc/cb/integrations/cbtaxii/cbtaxii.conf
  6. After 10 minutes or so, check the Threat Intel page and verify that a new CBtaxii feed has been created.

Additional Information

  • This script can take a long time to run, depending on the amount of data available from the TAXII services that have been configured.
  • To confirm that the credentials work and to list the available collections, execute the same command as in step 5 with -l (lowercase L):
     /usr/share/cb/integrations/cbtaxii/cbtaxii -c /etc/cb/integrations/cbtaxii/cbtaxii.conf -l
  • The connector logs everything to /var/log/cb/integrations/cbtaxii/cbtaxii.log; start there when troubleshooting issues with the CBtaxii feed.
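The following preflight script is an added example and is not part of this article or of the cbtaxii connector itself. It wraps the procedure above (config copied from the example, credential check with -l, full run, log review) with the checks a practitioner would want before and after; it assumes (not stated in the article) that cbtaxii.conf holds TAXII and EDR credentials and therefore should not be readable by other users, that the connector writes failures as lines containing ERROR, and that GNU stat is available, as it is on the EDR server's Linux platform.

```shell
#!/bin/sh
# Added preflight/verification helper for the cbtaxii connector setup.
# Assumptions (not from the article): cbtaxii.conf contains credentials,
# failures appear in the log as lines containing "ERROR", GNU stat exists.

CONF_DIR=/etc/cb/integrations/cbtaxii
CBTAXII_BIN=/usr/share/cb/integrations/cbtaxii/cbtaxii
LOG=/var/log/cb/integrations/cbtaxii/cbtaxii.log

# check_conf CONF EXAMPLE: succeed only if CONF exists, has actually been
# edited (differs from the shipped example) and is readable by its owner only.
check_conf() {
  conf=$1; example=$2
  [ -f "$conf" ] || { echo "missing $conf"; return 1; }
  if [ -f "$example" ] && cmp -s "$conf" "$example"; then
    echo "$conf is still the unedited example file"; return 1
  fi
  case $(stat -c %a "$conf") in
    ?00) ;;                       # e.g. 600 or 700: owner only
    *) echo "$conf should not be readable by group/other"; return 1 ;;
  esac
  return 0
}

# count_log_errors LOGFILE: print the number of ERROR lines (0 if no log yet).
count_log_errors() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c 'ERROR' "$1" || true
}

main() {
  check_conf "$CONF_DIR/cbtaxii.conf" "$CONF_DIR/cbtaxii.conf.example" || return 1
  # Step 5 with -l: exercises the configured credentials and lists collections
  # without starting a full (possibly very long) poll.
  "$CBTAXII_BIN" -c "$CONF_DIR/cbtaxii.conf" -l || return 1
  # Full run; the feed should appear on the Threat Intel page afterwards.
  "$CBTAXII_BIN" -c "$CONF_DIR/cbtaxii.conf"
  echo "ERROR lines in $LOG: $(count_log_errors "$LOG")"
}

# Only run the real sequence when the connector is actually installed.
if [ -x "$CBTAXII_BIN" ]; then main; fi
```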