Giters

larrycameron80 / cb-threatconnect-connector

Carbon Black - ThreatConnect Threat Intelligence Connector

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Carbon Black - ThreatConnect Connector

The ThreatConnect connector for Carbon Black Response is a simple python-daemon communicats with ThreatConnect's API and retrieve Indicators of Compromise and formats them as a Threat Intel Feed for Carbon Black Response.

Installing TC Agent (Centos/RHEL 6)

The TC agent must be installed on the same system as Cb Response.

  • Create directories

     mkdir -p /usr/share/cb/integrations/threatconnect

  • Download threatconnect Agent

     wget -O /usr/share/cb/integrations/ https://github.com/carbonblack/cb-threatconnect-connector/releases/download/2.0.0/tc_agent

  • Create threatconnect Agent Config File

Sample TC Agent Config

[general]
#
# CB Response configuration details.  This is used to create the feed in the CB Response UI automatically
# feed_url should be the same file path as is used in out-file parameter for tc_agent
#
cb_server_url=https://192.168.1.42
cb_server_token=
cb_server_ssl_verify=False


#
# This section allows global configuration options to be passed to the ThreatConnect feed.
# The API_KEY is an integer value and should not be enclosed in quotes.
# Utilize the API and Secret keys provided by ThreatConnect to access your specific community.
#

#
# Base URL for ThreatConnect
#
base_url=https://sandbox.threatconnect.com/api

access_id=

secret_key=

#
# The default organization to pull IOCs
#
default_org=Carbon Black

#
#
#
sources=Carbon Black

#
# This agent allows for the custom "CB Alert" type to be added to the Threat Connect feed.
#
ioc_types=CB Alert
#
# Maximum number of IOCs to put in feed.  CB Response has a limit to the number of threat reports in a feed for
# for performance reasons.
#
max_iocs=10000
  • copy and modify the above config to /etc/cb/integrations/threatconnect/threatconnect_agent.conf

Running threatconnect Agent Manually

./tc_agent --config-file=/etc/cb/integrations/threatconnect/threatconnect_agent.conf --out-file /usr/share/cb/integrations/threatconnect/tc.json --log-file /var/log/cb/integrations/tc.log

Example Cron Entry

Development Notes

threatconnect Agent Build Instructions (Centos 6)

Install Dependencies

  • zlib-devel
  • openssl-devel
  • sqlite-devel

Install Python 3.6

./configure --prefix=/usr/local --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
make
make altinstall

Create VirtualEnv

python3.6 -m venv venv-build
source ./venv-build/bin/activate
pip install -r requirements.txt

Create Executable

pyinstaller main.spec

Prepare a threatconnect.conf configuration file to setup the daemon, by following the provided example and the configuration subsection below.

You can run the threatconnnect connector by executing main.py with python or by building the executable for your system using the instructions below.

./tc_agent --config-file threatconnect.conf

The agent will begin polling threat connect periodically.

Configuration

The tc_agent is controlled by a simple conf file.

There is an example threatconnect.example.conf provided in the git repository.

The [general] stanza of the provided .conf file should include the required configuration paramters for accessing ThreatConnect - some of which are optional.

base_url=<string> controls the destination ThreatConnect endpoint

secret_key=<string> controls the secret key for ThreatConnect API access

access_id=<string> controls the acces id for ThreatConnect API access

defaulg_org=<string> controls the deafult org when filtering IOCS

sources=comma,deliminted,list controls the sources to query for, optional - defaults to all available

ioc_min=<int> controls the minimum IOC value to include, optional

ioc_types=comma,delimited,list controls the IOC Types to gather - defaults to 'File,Address,Host' - optional

custom_ioc_key controls the custom IOC field/key to look for when using CUSTOM IOCS Defaults to 'Query', optional

The following configuration options are for creating and presenting the Threat Inteligence Feed to CbR via REST API.

cbapi_key=<string> api key to use when access CBR api

cbapi_hostname=<string> fqdn to use when accessing CBR

cbapi_ssl_verify=<bool> True/False used to control ssl validation for CBR API - defaults to TRUE

feed_url feed url to use when advertising the feed to CBR

The following are optinal misc options: niceness=<int> controls os.nice of the daemon

debug=<bool> controls the debug logging of deamon set True/False

PyInstaller and Building the Agent as an Executable

Use pip to install the project requirements like: pip install -r requirements.txt

Use pyinstaller main.spec, the executable agent will be dist/tc_agent.

Run the agent and pass --config-file to supply the path to the configuration file

##Support Contact dev-support@carbonblack.com

About

Carbon Black - ThreatConnect Threat Intelligence Connector

License:MIT License

Languages

Language:Python 100.0%