Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black HowTo - Create a Custom Feed

Carbon Black HowTo - Create a Custom Feed

The purpose of this document is to setup CarbonBlack Custom feeds for alerts in the form of IPv4, DNS and MD5 Hash. The process details how to produce a Carbon Black JSON feed file. Utilizing the CarbonBlack UI a feed will be generated to  retrieve this feed data.

Labels (1)

What is the proper way to remove reports from a custom feed? I've tried using a feed with reports as an empty list, 

"reports": [],

but that did not work. How should the json be modified to get the report to disappear from the console?


@swebb07g have you tried deleting the iocs and updating the timestamp rather than deleting the reports? Please see this article

Thanks, but it's no longer relevant to me.

Hi Guys,

I cannot find the script "" no where to initiate this process.

Is this method of adding a custom feed still relevant? And if so, where is this script?


Thanks in advance for any assistance! 

Hi Friends,
Found the script "" in the example -> raw folder.

When running the script i'm receiving the following exception:

File "", line 67
except Exception, e:
SyntaxError: invalid syntax

When going over the code, I saw line 67 and changed the comma "," to "as"

Now I'm receiving this error:

File "", line 195
print "-> Missing option"
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("-> Missing option")?


What am I missing here? What is the proper way of running this script? 

Thanks in advance for any assistance!

@NadavK What is the version of Python that you're running? Those scripts might require >3.5 .

Hi alpopov I have Python 3.8.1 


This is an issue for us also. The fix indicates removing the queries/IOCs, but when you do that, you are left with "q=" as the query which matches everything.. CBR still thinks its a feed item and therefore doesn't delete it. If you try and remove that, the validation kicks in because that is not present. Overall, seems a terrible way to remove a feed item. Why not just offer a delete button. 

Can you please advise on the actual fix here. What specific section of the query/IOC JSON needs removing to completely remove it from the Feed? Alternatively, what is the suggested mechanism for updating a single report and query without creating a duplicate of the same report?

Hi All,

Can anyone assist?


I want to create a custom feed but having many issues when trying to run the script in the github:




Article Information
Creation Date: