Partner Perspectives: More Effective Threat Hunting with ThreatConnect and Carbon Black


Megan Horner is the Director of Product Marketing for ThreatConnect.

You’ll hear a lot in cybersecurity – and in technology in general – about the necessity of integrations. The more security solutions can communicate back and forth about what they find “in the wild” and how it compares to what’s hitting their actual network, the better positioned an organization is to get ahead of cyber threats. Carbon Black, specifically its product Cb Response, and ThreatConnect® are a perfect example of how two technologies work together to bring verified indicators identified outside of an organization into that organization for detection and mitigation efforts.

Carbon Black is highly effective at collecting unfiltered data from endpoints across its network of partners and customers. On the flip side, ThreatConnect collects intelligence via various external (and internal) data sources and combines all this information in one place to allow for in-depth analysis. They’re both data aggregators, but one is looking inwards, and one is looking out. It only makes sense to feed information from one to the other to allow for continuous correlation of Indicators of Compromise (IoCs).

Integrating ThreatConnect and Cb Response

The integration between ThreatConnect and Cb Response allows users to take IoCs identified by ThreatConnect that meet a specified Threat Rating and send file hashes and IPs back to Cb Response for action.

You may be wondering, what is a Threat Rating? It’s a term used within the ThreatConnect Platform that is applied to indicators to categorize severity based on several factors as depicted to the right. This puts the control in the user’s hands on which IoCs they’re sending from ThreatConnect to Cb Response.

Sending the IoCs is essentially ThreatConnect saying, “Here is a known bad IoC. Check your endpoints to see if they’ve come across this.” Cb Response will then correlate the intel from ThreatConnect with the data that’s been collected from the endpoints and automatically take action based on whether any correlations (or hits) are found.
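The flow described above (select indicators at or above a chosen Threat Rating, keep only file hashes and IPs, then match them against endpoint data) can be sketched as follows. This is an added example, not ThreatConnect or Carbon Black code: the field names, the numeric rating scale, and all sample indicators and endpoint events are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample indicators; field names and the numeric rating scale are
# assumptions for this example, not ThreatConnect's export schema.
INDICATORS = [
    {"type": "File", "value": "0123456789ABCDEF0123456789ABCDEF", "rating": 4},
    {"type": "File", "value": "not-a-hash", "rating": 5},
    {"type": "Address", "value": "203.0.113.7", "rating": 3},
    {"type": "Address", "value": "198.51.100.9", "rating": 1},
    {"type": "Host", "value": "bad.example", "rating": 5},
]
# Constructed endpoint observations standing in for collected endpoint data.
ENDPOINT_EVENTS = [
    {"host": "ws-01", "md5": "0123456789abcdef0123456789abcdef", "remote_ip": "192.0.2.10"},
    {"host": "ws-02", "md5": "fedcba9876543210fedcba9876543210", "remote_ip": "203.0.113.7"},
    {"host": "ws-03", "md5": "fedcba9876543210fedcba9876543210", "remote_ip": "198.51.100.9"},
]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def select_iocs(indicators, min_rating):
    """Keep only well-formed file hashes and IPs at or above the threshold."""
    selected = {"md5": set(), "ip": set()}
    for ind in indicators:
        if ind["rating"] < min_rating:
            continue
        value = ind["value"].strip().lower()
        if ind["type"] == "File" and MD5_RE.match(value):
            selected["md5"].add(value)
        elif ind["type"] == "Address":
            try:
                selected["ip"].add(str(ipaddress.ip_address(value)))
            except ValueError:
                pass  # malformed address: drop it instead of forwarding it
    return selected

def correlate(events, iocs):
    """Return (host, ioc_kind, value) for each endpoint event matching an IoC."""
    hits = []
    for ev in events:
        if ev["md5"].lower() in iocs["md5"]:
            hits.append((ev["host"], "md5", ev["md5"].lower()))
        if ev["remote_ip"] in iocs["ip"]:
            hits.append((ev["host"], "ip", ev["remote_ip"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(ENDPOINT_EVENTS, select_iocs(INDICATORS, min_rating=3)):
        print(hit)
```

Lowering the threshold widens what is hunted for: with `min_rating=1` the low-rated address is included and `ws-03` becomes a hit as well.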

This integration allows Cb Response users to instantly hunt for targeted threat indicators they were tracking in ThreatConnect across Cb Response’s extensive network of endpoints. When a hit occurs, the full context of each hit – including associated threats, past observances or incidents, and community insight – is accessible to the analyst via ThreatConnect.

So how do you make the magic happen? It’s simple. Via the Cb Response Threat Intelligence Feeds interface, you are able to integrate the ThreatConnect App to immediately begin receiving relevant IoCs.

Looking Forward: New Carbon Black Playbook Apps in ThreatConnect

By the end of the year, ThreatConnect will have 16 new Carbon Black Playbook Apps that will execute the commands necessary for incident triage and response actions. As seen in the screenshot of the ThreatConnect Playbook Interface below, these are extremely straightforward and do not require a lot of time to set up.

The above shows just one of the applications that you can potentially add to your Playbooks when the apps become available. The Playbook apps will leverage Cb Response’s ability to safely communicate and take actions on endpoints, such as:

  • Ban MD5 Hash
  • Create File on Sensor
  • Create Watchlist
  • Delete File from Sensor
  • Isolate Sensor
  • Unisolate Sensor
  • Kill Process by Sensor
  • Retrieve All Processes on a Sensor
  • Retrieve File by MD5
  • Retrieve File Info by Search
  • Retrieve File from Sensor
  • Retrieve Process Info by Search
  • Retrieve Sensor By ID
  • Retrieve Watchlist by ID
  • Retrieve Watchlist by Name
  • Update Watchlist by ID


Integrating ThreatConnect and Carbon Black enables analysts to organize their threat indicators as well as proactively hunt for past and present threats across their organization. With the addition of the Playbook Apps, immediate actions can be taken to stop and remediate potential threats at the endpoint based on external threat intelligence.


Together, ThreatConnect and Carbon Black provide a complete solution for SOC teams that enables them to detect threats and perform remediation quickly and precisely by utilizing tools that communicate with each other.

Visit ThreatConnect’s page on the Carbon Black Partner Locator for more information about this partnership.

The post Partner Perspectives: More Effective Threat Hunting with ThreatConnect and Carbon Black appeared first on Carbon Black.
