- Install the ThreatQuotient connector RPM Package on the CB Response Master server:
sudo rpm -ivh python-cb-threatq-connector-1.0.0-10.x86_64.rpm --ignoreos --nofiledigest
- Create a default credentials file here: /etc/carbonblack/credentials.response
a. mkdir /etc/carbonblack
b. touch /etc/carbonblack/credentials.response
c. Edit /etc/carbonblack/credentials.response with vi, using the contents below. (Note: the "token" value is an admin API token, found on the user's Profile page in the Web UI.)
- Add the following configuration to the file:
[default]
url=https://localhost:8443
token=12152549ec1cbfd8568346c034d89b1c12ed6df0
ssl_verify=False
- Configure the ThreatQ connector by copying the example configuration and editing it
cp /etc/cb/integrations/threatq/connector.conf.example /etc/cb/integrations/threatq/connector.conf
vi /etc/cb/integrations/threatq/connector.conf
- Here is a sample connector.conf:
[auth]
#------------------------------------------------------------------------------
# ThreatQ API configuration
#------------------------------------------------------------------------------
# This section allows global configuration options to be passed to the ThreatQ feed (the IP address is that of your ThreatQuotient instance).
threatq_host=https://10.232.34.55
# You can specify multiple exports to pull from. Simply list them as a comma-delimited list.
# Make sure that the tokens are aligned with the IDs.
# Example:
# threatq_export_tokens=export_token_1,export_token_2,export_token_3
# threatq_export_ids=export_id_1,export_id_2,export_id_3
# threatq_export_titles=VERY HIGH RISK Indicators,HIGH RISK Indicators,MEDIUM RISK Indicators
threatq_export_tokens={ThreatQuotient-provided-token-here}
threatq_export_ids={ThreatQuotient-provided-id-here}
threatq_export_titles="CarbonBlack High Confidence"
threatq_verify_ssl=false
#threatq_http_proxy=put.your.on.prem.proxy.here.com:8080
[bridge]
#------------------------------------------------------------------------------
# Core Configuration
#------------------------------------------------------------------------------
listener_port=6300
listener_address=127.0.0.1
feed_retrieval_minutes=60
#debug=1
# API key for an admin user of the Carbon Black server
carbonblack_server_token=12152549ec1cbfd8568346c034d89b1c12ed6df0
carbonblack_server_sslverify=false
# Only uncomment the carbonblack_server_url below if you are running a multihome configuration using port 8443 to override the default port of 443.
# carbonblack_server_url=https://localhost:8443
# If you need to use an HTTPS proxy to access the iSIGHT API server, uncomment and configure the https_proxy
# variable below.
#https_proxy=http://proxyuser:proxypass@proxyhostname:proxyport
- Start the Connector Service
service cb-threatq-connector start
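Before starting the service, it is worth checking that connector.conf is internally consistent: the sample's comment warns that the export tokens, IDs and titles are parallel comma-delimited lists, and both sections disable TLS verification. The following lint is an added example (not part of the connector package) that reads a connector.conf with configparser and reports misaligned export lists, leftover {placeholder} values, disabled certificate checks and a non-loopback listener; the embedded config is a constructed sample, not a real deployment.

```python
"""Sanity checks for a cb-threatq-connector connector.conf (added example).

Assumes the [auth]/[bridge] keys are exactly those in the sample above.
"""
import configparser

# Constructed sample mirroring the page's connector.conf, with a deliberate
# mismatch (one export token, two export ids) and a leftover placeholder.
SAMPLE_CONF = """
[auth]
threatq_host=https://10.232.34.55
threatq_export_tokens={ThreatQuotient-provided-token-here}
threatq_export_ids=42,43
threatq_export_titles="CarbonBlack High Confidence"
threatq_verify_ssl=false
[bridge]
listener_port=6300
listener_address=127.0.0.1
feed_retrieval_minutes=60
carbonblack_server_token=deadbeef
carbonblack_server_sslverify=false
"""


def _csv(value):
    # Split a comma-delimited list value; strip whitespace and surrounding quotes.
    return [v.strip().strip('"') for v in value.split(",") if v.strip()]


def lint_connector_conf(text):
    """Return a list of finding strings; an empty list means the config passed."""
    cfg = configparser.ConfigParser(interpolation=None)  # braces in tokens are literal
    cfg.read_string(text)
    auth, bridge = cfg["auth"], cfg["bridge"]
    findings = []
    tokens = _csv(auth.get("threatq_export_tokens", ""))
    ids = _csv(auth.get("threatq_export_ids", ""))
    titles = _csv(auth.get("threatq_export_titles", ""))
    # The sample's comment: tokens must line up with ids (and titles) by position.
    if not (len(tokens) == len(ids) == len(titles)):
        findings.append(f"export lists misaligned: {len(tokens)} tokens, "
                        f"{len(ids)} ids, {len(titles)} titles")
    for key, sect in (("threatq_export_tokens", auth), ("carbonblack_server_token", bridge)):
        if sect.get(key, "").startswith("{"):
            findings.append(f"{key} still holds a placeholder value")
    if not auth.getboolean("threatq_verify_ssl", fallback=True):
        findings.append("threatq_verify_ssl=false: ThreatQ certificate is not checked")
    if not bridge.getboolean("carbonblack_server_sslverify", fallback=True):
        findings.append("carbonblack_server_sslverify=false: CB certificate is not checked")
    if bridge.get("listener_address", "127.0.0.1") != "127.0.0.1":
        findings.append("listener_address is not loopback: listener reachable from other hosts")
    return findings


if __name__ == "__main__":
    for finding in lint_connector_conf(SAMPLE_CONF):
        print("WARN:", finding)
```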