
Carbon Black HowTo - Create a Custom Feed

The purpose of this document is to set up Carbon Black custom feeds for alerts in the form of IPv4 addresses, DNS names and MD5 hashes. The process details how to produce a Carbon Black JSON feed file. The Carbon Black UI is then used to create a feed that retrieves this feed data.
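As an added example (not code from this article or from the cbfeeds project), a Python 3 script that does what the article describes: it sorts raw indicators into the IPv4, DNS and MD5 IOC types and emits a feed JSON document in the cbfeeds layout. The feedinfo and report field names are assumed from the cbfeeds format, and the feed name, report id, link and sample indicators are placeholder values constructed for the example.

```python
import ipaddress
import json
import re
import time
# Assumed cbfeeds layout (github.com/carbonblack/cbfeeds): a "feedinfo" header
# plus a list of "reports", each carrying an "iocs" dict keyed by indicator type.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DNS_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify_ioc(value):
    """Return 'ipv4', 'md5' or 'dns' for a raw indicator, or None if it fits none."""
    v = value.strip().lower()
    try:
        ipaddress.IPv4Address(v)
        return "ipv4"
    except ValueError:
        pass
    if MD5_RE.match(v):
        return "md5"
    if DNS_RE.match(v):
        return "dns"
    return None


def build_feed(raw_iocs, report_id, title, score=75, timestamp=None):
    """Build the feed dict from raw IOC strings; entries of no known type are skipped."""
    buckets = {"ipv4": [], "dns": [], "md5": []}
    for value in raw_iocs:
        kind = classify_ioc(value)
        if kind:
            buckets[kind].append(value.strip().lower())
    # Empty IOC lists are dropped: a report with no indicators matches nothing useful.
    iocs = {k: sorted(set(v)) for k, v in buckets.items() if v}
    report = {
        "id": report_id, "title": title, "score": score, "iocs": iocs,
        "link": "https://intel.example.invalid/" + report_id,  # placeholder URL
        # Bump the timestamp whenever the IOC set changes so the console re-reads it.
        "timestamp": int(time.time() if timestamp is None else timestamp),
    }
    feedinfo = {  # placeholder provider details, constructed for this example
        "name": "examplefeed", "display_name": "Example Custom Feed",
        "provider_url": "https://intel.example.invalid",
        "summary": "Constructed feed of IPv4, DNS and MD5 indicators",
        "tech_data": "Indicators collected by the local SOC (constructed sample)",
    }
    return {"feedinfo": feedinfo, "reports": [report]}


if __name__ == "__main__":
    sample = ["198.51.100.7", "bad.example.net", "d41d8cd98f00b204e9800998ecf8427e", "junk"]
    print(json.dumps(build_feed(sample, "rpt-0001", "Constructed report", timestamp=1425168000), indent=2))
```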

Comments

What is the proper way to remove reports from a custom feed? I've tried using a feed with reports as an empty list, 

{
...
"reports": [],
...
}

but that did not work. How should the json be modified to get the report to disappear from the console?


@swebb07g have you tried deleting the iocs and updating the timestamp rather than deleting the reports? Please see this article https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-remove-IOCs-from-custom-feed-report/t...

Thanks, but it's no longer relevant to me.

Hi Guys,

I cannot find the script "gen_feed_from_raw_iocs.py" anywhere to initiate this process.

Is this method of adding a custom feed still relevant? And if so, where is this script?

Thanks in advance for any assistance! 

Hi Friends,
Found the script "gen_feed_from_raw_iocs.py" in the example -> raw folder.


When running the script I'm receiving the following exception:

-------------------------------
File "generate_feed_from_raw_iocs.py", line 67
except Exception, e:
^
SyntaxError: invalid syntax

----------------------------
When going over the code, I saw line 67 and changed the comma "," to "as".

Now I'm receiving this error:

-------------------------------------
File "generate_feed_from_raw_iocs.py", line 195
print "-> Missing option"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("-> Missing option")?

-------------------------------------

What am I missing here? What is the proper way of running this script? 


Thanks in advance for any assistance!

@NadavK What is the version of Python that you're running? Those scripts might require >3.5.

Hi alpopov, I have Python 3.8.1.

Hi,

This is an issue for us also. The fix indicates removing the queries/IOCs, but when you do that, you are left with "q=" as the query, which matches everything. CBR still thinks it's a feed item and therefore doesn't delete it. If you try to remove that, the validation kicks in because that is not present. Overall, it seems a terrible way to remove a feed item. Why not just offer a delete button?

Can you please advise on the actual fix here. What specific section of the query/IOC JSON needs removing to completely remove it from the Feed? Alternatively, what is the suggested mechanism for updating a single report and query without creating a duplicate of the same report?

Hi All,

Can anyone assist?

I want to create a custom feed but am having many issues when trying to run the script in the GitHub repository:

https://github.com/carbonblack/cbfeeds/tree/master

Thanks! 

Article Information
Creation Date: 03-12-2015
Views: 10782