
CB Response: How to set up a Threat Quotient / ThreatQ Feed

Environment

  • CB Response Server: All versions
  • CB Response Sensor: All versions
  • ThreatQuotient Feed

Objective

Steps to integrate a ThreatQuotient (ThreatQ) feed with the Cb Response server

Resolution

  1. Install the ThreatQuotient connector RPM package on the CB Response master server:
sudo rpm -ivh python-cb-threatq-connector-1.0.0-10.x86_64.rpm --ignoreos --nofiledigest
  2. Create a default credentials file at /etc/carbonblack/credentials.response:
a. mkdir /etc/carbonblack
b. touch /etc/carbonblack/credentials.response
c. vi /etc/carbonblack/credentials.response and add the contents shown in the next step. (Note: the "token" value is the API token of an admin user, found on that user's Profile page in the Web UI. Because the file grants admin access to the server, restrict its permissions to the account the connector runs as.)
  3. Add the file configuration (the token below is a sample value; substitute your own):
[default]
url=https://localhost:8443
token=12152549ec1cbfd8568346c034d89b1c12ed6df0
ssl_verify=False
  4. Configure the ThreatQ connector by copying the example configuration and editing it:
cp /etc/cb/integrations/threatq/connector.conf.example /etc/cb/integrations/threatq/connector.conf
vi /etc/cb/integrations/threatq/connector.conf
  5. Here is a sample connector.conf (the IP address, export tokens, export IDs and server token are placeholders; replace them with the values from your ThreatQ instance and your CB Response server):
[auth]
#------------------------------------------------------------------------------
#    ThreatQ API configuration
#------------------------------------------------------------------------------

# This section holds the global configuration options passed to the ThreatQ feed (the IP address is that of the ThreatQuotient server).
threatq_host=https://10.232.34.55
# You can specify multiple exports to pull from. Simply list them as a comma-delimited list.
# Make sure that the tokens are aligned with the IDs (and titles): the three lists are matched by position, so keep them in the same order and of the same length.
# Example:
# threatq_export_tokens=export_token_1,export_token_2,export_token_3
# threatq_export_ids=export_id_1,export_id_2,export_id_3
# threatq_export_titles=VERY HIGH RISK Indicators,HIGH RISK Indicators,MEDIUM RISK Indicators
threatq_export_tokens={ThreatQuotient-provided-token-here}
threatq_export_ids={ThreatQuotient-provided-id-here}
threatq_export_titles="CarbonBlack High Confidence"
threatq_verify_ssl=false
#threatq_http_proxy=put.your.on.prem.proxy.here.com:8080
[bridge]
#------------------------------------------------------------------------------
#    Core Configuration
#------------------------------------------------------------------------------
listener_port=6300
listener_address=127.0.0.1
feed_retrieval_minutes=60
#debug=1

# API key for an admin user of the Carbon Black server
carbonblack_server_token=12152549ec1cbfd8568346c034d89b1c12ed6df0
carbonblack_server_sslverify=false

# Only uncomment carbonblack_server_url below if you are running a multi-homed configuration that uses port 8443 instead of the default port 443.
# carbonblack_server_url=https://localhost:8443

# If the connector must go through an HTTPS proxy, uncomment and configure the https_proxy
# variable below.
#https_proxy=http://proxyuser:proxypass@proxyhostname:proxyport
  6. Start the connector service:
service cb-threatq-connector start
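
The following pre-flight check is an added example and is not part of this article or of the ThreatQuotient connector package. It parses a connector.conf in the layout shown above and reports the mistakes that otherwise only surface in the connector log: export token/ID/title lists of unequal length, placeholder values left in place, a missing server token, TLS verification switched off, and a credentials file readable by other accounts. Section and option names are taken from the sample above; the file paths, the embedded sample text (constructed, deliberately misaligned) and the checks themselves are this script's own assumptions.

```python
"""Pre-flight checks for a CB Response ThreatQ connector.conf.

Added example, not part of the KB article or the connector package. Section
and option names follow the article's sample; the checks are this script's
own assumptions about what a sane configuration looks like.
"""
import configparser
import os
import stat
import sys

CONF_PATH = "/etc/cb/integrations/threatq/connector.conf"
CREDS_PATH = "/etc/carbonblack/credentials.response"

# Constructed sample in the layout of the article's connector.conf. The export
# lists are deliberately misaligned (two tokens, one id) to exercise the check.
SAMPLE_CONF = """\
[auth]
threatq_host=https://10.232.34.55
threatq_export_tokens=token_a,token_b
threatq_export_ids=id_a
threatq_export_titles=VERY HIGH RISK Indicators,HIGH RISK Indicators
threatq_verify_ssl=false

[bridge]
listener_port=6300
listener_address=127.0.0.1
feed_retrieval_minutes=60
carbonblack_server_token=0000000000000000000000000000000000000000
carbonblack_server_sslverify=false
"""


def _split_list(value):
    """Split a comma-delimited option value, dropping blanks and surrounding quotes."""
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def check_connector_conf(text):
    """Return a list of (level, message) findings for the text of a connector.conf."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    missing = [s for s in ("auth", "bridge") if not cfg.has_section(s)]
    if missing:
        return [("error", "missing section [%s]" % s) for s in missing]
    auth, bridge = cfg["auth"], cfg["bridge"]

    host = auth.get("threatq_host", "")
    if not host:
        findings.append(("error", "threatq_host is not set"))
    elif not host.startswith("https://"):
        findings.append(("warn", "threatq_host is not an https:// URL: %s" % host))

    # Tokens, ids and titles are paired by position; unequal lengths pair the
    # wrong token with an export, or leave an export without a title.
    tokens = _split_list(auth.get("threatq_export_tokens", ""))
    ids = _split_list(auth.get("threatq_export_ids", ""))
    titles = _split_list(auth.get("threatq_export_titles", ""))
    if not tokens or not ids:
        findings.append(("error", "threatq_export_tokens and threatq_export_ids must not be empty"))
    elif not (len(tokens) == len(ids) == len(titles)):
        findings.append(("error", "export lists misaligned: %d tokens, %d ids, %d titles"
                         % (len(tokens), len(ids), len(titles))))
    if any(v.startswith("{") for v in tokens + ids):
        findings.append(("error", "export tokens/ids still contain {placeholder} text"))
    if auth.get("threatq_verify_ssl", "true").lower() == "false":
        findings.append(("warn", "threatq_verify_ssl=false: the ThreatQ certificate is not verified"))

    if not bridge.get("carbonblack_server_token", ""):
        findings.append(("error", "carbonblack_server_token is not set"))
    if bridge.get("carbonblack_server_sslverify", "true").lower() == "false":
        findings.append(("warn", "carbonblack_server_sslverify=false: the CB Response certificate is not verified"))
    if bridge.get("listener_address", "127.0.0.1") != "127.0.0.1":
        findings.append(("warn", "listener_address is not loopback; only the local CB Response server needs to reach the feed"))
    try:
        if int(bridge.get("feed_retrieval_minutes", "60")) <= 0:
            raise ValueError
    except ValueError:
        findings.append(("error", "feed_retrieval_minutes must be a positive integer"))
    return findings


def credentials_mode_ok(path):
    """True if the credentials file (it holds an admin API token) is closed to group and others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def main(argv):
    # With no argument the constructed sample is checked; pass a path to check a real file.
    path = argv[1] if len(argv) > 1 else None
    text = open(path).read() if path else SAMPLE_CONF
    for level, msg in check_connector_conf(text):
        print("%-5s %s" % (level.upper(), msg))
    if os.path.exists(CREDS_PATH) and not credentials_mode_ok(CREDS_PATH):
        print("WARN  %s is readable by group or others" % CREDS_PATH)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_threatq_conf.py /etc/cb/integrations/threatq/connector.conf` before starting the service; an "error" finding means the connector will not pull the exports you expect, while the "warn" findings about ssl verification are the trade-off the sample configuration makes and should be revisited once proper certificates are in place.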

Additional Notes

  • To test the integration manually from the CLI once the service is running, request the feed from the local listener (the server_token value shown is a sample placeholder):
curl -k "http://127.0.0.1:6300/threatq/json?server_token=67avsn733FDICUFfTkYgqp7OP5qeyH4N"
  • Logs for troubleshooting are at /var/log/cb/integrations/cb-threatq-connector/cb-threatq-connector.log
  • The connector is NOT supported with CB Response Cloud.

Article Information
Creation Date: 09-09-2020