CB Response: How to set up a Threat Quotient / ThreatQ Feed

Article ID: 290866

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Steps to integrate a ThreatQuotient feed with the Cb Response server

Environment

  • CB Response Server: All versions
  • CB Response Sensor: All versions
  • ThreatQuotient Feed

Resolution

  1. Install the ThreatQuotient connector RPM package on the CB Response master server:
sudo rpm -ivh python-cb-threatq-connector-1.0.0-10.x86_64.rpm --ignoreos --nofiledigest
  2. Create a default credentials file at /etc/carbonblack/credentials.response:
a. mkdir /etc/carbonblack
b. touch /etc/carbonblack/credentials.response
c. vi /etc/carbonblack/credentials.response and add the contents shown in the next step. (Note: the "token" value is an admin API token, found on the user's Profile page in the Web UI.)
  3. Add the following configuration to the file:
[default]
url=https://localhost:8443
token=12152549ec1cbfd8568346c034d89b1c12ed6df0
ssl_verify=False
  4. Configure the ThreatQ connector by copying the example configuration and editing it:
cp /etc/cb/integrations/threatq/connector.conf.example /etc/cb/integrations/threatq/connector.conf
vi /etc/cb/integrations/threatq/connector.conf
  5. Here is a sample connector.conf:
[auth]
#------------------------------------------------------------------------------
#    ThreatQ API configuration
#------------------------------------------------------------------------------

# This section allows global configuration options to be passed to the ThreatQ feed (IP address is at ThreatQuotient).
threatq_host=https://10.232.34.55
# You can specify multiple exports to pull from. Simply list them as a comma-delimited list.
# Make sure that the tokens are aligned with the IDs.
# Example:
# threatq_export_tokens=export_token_1,export_token_2,export_token_3
# threatq_export_ids=export_id_1,export_id_2,export_id_3
# threatq_export_titles=VERY HIGH RISK Indicators,HIGH RISK Indicators,MEDIUM RISK Indicators 
threatq_export_tokens={ThreatQuotient-provided-token-here}
threatq_export_ids={ThreatQuotient-provided-id-here}
threatq_export_titles="CarbonBlack High Confidence"
threatq_verify_ssl=false
#threatq_http_proxy=put.your.on.prem.proxy.here.com:8080
[bridge]
#------------------------------------------------------------------------------
#    Core Configuration
#------------------------------------------------------------------------------
listener_port=6300
listener_address=127.0.0.1
feed_retrieval_minutes=60
#debug=1

# API key for an admin user of the Carbon Black server 
carbonblack_server_token=12152549ec1cbfd8568346c034d89b1c12ed6df0
carbonblack_server_sslverify=false

# Only uncomment the carbonblack_server_url below if you are running with a multihome configuration using port 8443 to override the default port of 443.
# carbonblack_server_url=https://localhost:8443

# If you need to use an HTTPS proxy to access the iSIGHT API server, uncomment and configure the https_proxy
# variable below.
#https_proxy=http://proxyuser:proxypass@proxyhostname:proxyport
  6. Start the connector service:
service cb-threatq-connector start
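As an added example, not part of the KB article or the connector package, the following POSIX shell pre-flight check can be run against the two files created above before the service is started. The function names and the checks are this example's own; the file layout, keys and paths are the ones shown in the article, and the world-readable test reflects that credentials.response holds an admin API token in clear text.

```shell
#!/bin/sh
# Added example, not part of the KB article or the connector package: pre-flight
# checks to run before "service cb-threatq-connector start". Each problem is
# reported on stderr and the check returns 1; a clean file returns 0.

# conf_value <file> <key>: value of the first uncommented "key=value" line,
# with surrounding whitespace and double quotes stripped (sections are ignored).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
        | sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# check_connector_conf <connector.conf>
check_connector_conf() {
    rc=0
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    # Keys the article's sample connector.conf relies on.
    for key in threatq_host threatq_export_tokens threatq_export_ids \
               listener_port listener_address carbonblack_server_token; do
        [ -n "$(conf_value "$1" "$key")" ] || { echo "missing key: $key" >&2; rc=1; }
    done
    # The shipped example uses {...} placeholders that must be replaced.
    for key in threatq_export_tokens threatq_export_ids; do
        case "$(conf_value "$1" "$key")" in
            *"{"*"}"*) echo "$key still holds the example placeholder" >&2; rc=1 ;;
        esac
    done
    # Export tokens and IDs are comma-delimited and must line up one-to-one.
    ntok=$(conf_value "$1" threatq_export_tokens | tr ',' '\n' | wc -l | tr -d ' ')
    nid=$(conf_value "$1" threatq_export_ids | tr ',' '\n' | wc -l | tr -d ' ')
    [ "$ntok" -eq "$nid" ] || { echo "export token/id count mismatch" >&2; rc=1; }
    # The feed endpoint is plain HTTP with the server token in the query
    # string, so the listener must stay on loopback.
    case "$(conf_value "$1" listener_address)" in
        127.0.0.1|localhost) ;;
        *) echo "listener_address is not loopback" >&2; rc=1 ;;
    esac
    return $rc
}

# check_credentials_file <credentials.response>: the file holds an admin API
# token in clear text, so it must not be readable by other users.
check_credentials_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    [ -n "$(conf_value "$1" token)" ] || { echo "no token in $1" >&2; return 1; }
    if [ -n "$(find "$1" -perm -004)" ]; then
        echo "$1 is world-readable; restrict it with chmod 600" >&2; return 1
    fi
}
```

Run it as `check_connector_conf /etc/cb/integrations/threatq/connector.conf && check_credentials_file /etc/carbonblack/credentials.response` and only start the service when both return 0.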

Additional Information

  • If you want to test the integration manually via CLI, once the service is running, run the following command: 
curl -k http://127.0.0.1:6300/threatq/json?server_token=67avsn733FDICUFfTkYgqp7OP5qeyH4N
  • Logging can be found here for troubleshooting: /var/log/cb/integrations/cb-threatq-connector/cb-threatq-connector.log
  • The connector is NOT supported with CB Response Cloud