
Carbon Black HowTo - Create a Custom Feed

The purpose of this document is to set up Carbon Black custom feeds for alerts in the form of IPv4, DNS and MD5 hash indicators. The process details how to produce a Carbon Black JSON feed file. A feed is then created in the Carbon Black UI to retrieve this feed data.
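Added example, not from the original article or the cbfeeds project: a standard-library Python 3 script that sorts raw indicator lines into IPv4, DNS and MD5 buckets, rejects anything that fails validation, and builds the feed JSON. The key names (`feedinfo`, `reports`, `iocs` and the per-report fields) are assumed from the cbfeeds feed layout; the feed name, URLs, score and sample indicators are constructed placeholders.

```python
import ipaddress
import json
import re
import time

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
DNS_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return 'ipv4', 'md5' or 'dns' for a raw indicator, else None."""
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if MD5_RE.match(value):
        return "md5"
    return "dns" if DNS_RE.match(value) else None


def build_feed(raw_lines, name, now=None):
    """Return (feed_dict, rejected_values) for a list of raw indicator strings."""
    iocs, rejected = {}, []
    for line in raw_lines:
        value = line.strip().lower()
        if not value or value.startswith("#"):
            continue  # skip blank lines and comments
        kind = classify(value)
        if kind is None:
            rejected.append(value)  # never ship an indicator that failed validation
        elif value not in iocs.setdefault(kind, []):
            iocs[kind].append(value)  # de-duplicate within each indicator type
    ts = int(time.time() if now is None else now)
    report = {"id": f"{name}-report-1", "title": f"{name} indicators",
              "link": "https://feeds.example.invalid/report-1",  # placeholder URL
              "score": 50, "timestamp": ts, "iocs": iocs}
    feedinfo = {"name": name, "display_name": name, "summary": "Constructed example feed",
                "tech_data": "No sensitive data is shared with the provider.",
                "provider_url": "https://feeds.example.invalid/"}  # placeholder URL
    # A report with no valid indicators is omitted rather than emitted empty.
    return {"feedinfo": feedinfo, "reports": [report] if iocs else []}, rejected


if __name__ == "__main__":
    # Constructed sample input (documentation address range, reserved domain).
    sample = ["# constructed sample", "203.0.113.7", "EVIL.example.com",
              "D41D8CD98F00B204E9800998ECF8427E", "999.1.1.1", "203.0.113.7"]
    feed, bad = build_feed(sample, "constructedfeed")
    print(json.dumps(feed, indent=2))
    print("rejected:", bad)
```

Review the rejected list before publishing the file, since a typo in a raw indicator otherwise disappears silently from the feed.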

Comments

What is the proper way to remove reports from a custom feed? I've tried using a feed with reports as an empty list, 

{
...
"reports": [],
...
}

but that did not work. How should the JSON be modified to get the report to disappear from the console?

ib

@swebb07g have you tried deleting the iocs and updating the timestamp rather than deleting the reports? Please see this article https://community.carbonblack.com/t5/Knowledge-Base/EDR-How-to-remove-IOCs-from-custom-feed-report/t...

Thanks, but it's no longer relevant to me.

Hi Guys,

I cannot find the script "gen_feed_from_raw_iocs.py" anywhere to initiate this process.

Is this method of adding a custom feed still relevant? And if so, where is this script?

Thanks in advance for any assistance! 

Hi Friends,
Found the script "gen_feed_from_raw_iocs.py" in the example -> raw folder.

When running the script I'm receiving the following exception:

-------------------------------
File "generate_feed_from_raw_iocs.py", line 67
except Exception, e:
^
SyntaxError: invalid syntax

----------------------------
When going over the code, I saw line 67 and changed the comma "," to "as"

Now I'm receiving this error:

-------------------------------------
File "generate_feed_from_raw_iocs.py", line 195
print "-> Missing option"
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("-> Missing option")?

-------------------------------------

What am I missing here? What is the proper way of running this script? 


Thanks in advance for any assistance!

@NadavK What is the version of Python that you're running? Those scripts might require >3.5.

Hi alpopov, I have Python 3.8.1.

Hi,

This is an issue for us also. The fix indicates removing the queries/IOCs, but when you do that, you are left with "q=" as the query, which matches everything. CBR still thinks it's a feed item and therefore doesn't delete it. If you try to remove that, the validation kicks in because that is not present. Overall, it seems a terrible way to remove a feed item. Why not just offer a delete button?

Can you please advise on the actual fix here? What specific section of the query/IOC JSON needs removing to completely remove it from the feed? Alternatively, what is the suggested mechanism for updating a single report and query without creating a duplicate of the same report?

Hi All,

Can anyone assist?

I want to create a custom feed but am having many issues when trying to run the script in the GitHub repository:

https://github.com/carbonblack/cbfeeds/tree/master

Thanks! 

Article Information
Creation Date: 03-12-2015
Views: 10875