
VMware Carbon Black EDR Operation

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The VMware Carbon Black EDR Operation for ThreatQuotient enables a ThreatQ user to query VMware Carbon Black EDR for matches found in Threat Reports, as well as blacklist hashes.

The operation provides the following actions:

  • Threat Report Lookup - queries matches found in Threat Reports and Blacklist Hashes.

The operation is compatible with the following indicator types:

  • FQDN
  • IP Address
  • IPv6 Address
  • MD5
  • SHA-256

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter | Description
    Carbon Black Response Host | The hostname/IP of your Carbon Black Response instance.
    API Key | The API key used to authenticate with Carbon Black Response.
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

Change Log

  • Version 1.2.1
    • Fixed an issue that caused errors in the Threat Report Lookup to appear as "local variable 'markup' referenced before assignment".
  • Version 1.2.0
    • Added functionality for port selection, binary search, and process search. 

PDF Guides

Document | ThreatQ Version
VMware Carbon Black EDR Operation Guide v1.2.1 | 4.45.0 or Greater
VMware Carbon Black EDR Operation Guide v1.2.0 | 3.6.0 or Greater
VMware Carbon Black EDR Operation Guide v1.0.0 | 3.6.0 or Greater