VMware Carbon Black EDR

The integration between ThreatConnect and Carbon Black Response allows users to take IOCs identified by ThreatConnect that meet a specified threat rating and send file hashes and IPs back to Carbon Black Response for action. Once ThreatConnect sends the IOC, Carbon Black Response will then correlate the intel from ThreatConnect with the data that’s been collected from the endpoints and automatically take action based on if there are any correlations (or hits) found. The integration allows users to instantly hunt for targeted IOCs they were tracking in ThreatConnect across Carbon Black Response’s extensive network of endpoints. When a hit occurs, the full context of each hit – including associated threats, past observations or incidents, and community insight – is accessible to the analyst via ThreatConnect. With the Playbooks Apps, users are automatically able to take the following actions:

• Ban MD5 Hash
• Create File on Sensor
• Create Watchlist
• Delete File on Sensor
• Isolate Sensor
• Unisolate Sensor
• Kill Process by Sensor
• Retrieve All Processes on Sensor
• Retrieve File by MD5
• Retrieve File Info by Sensor
• Retrieve File from Sensor
• Retrieve Process Info by Search
• Retrieve Sensor BY ID
• Retrieve Watchlist by ID
• Retrieve Watchlist by Name
• Update Watchlist by ID

This app can be found in the ThreatConnect App Catalog under Carbon Black Response.