Skip to main content

Generate a Carbon Black alliance feed in JSON format from a git repository

Project description

Introduction

This tool converts technical indicators (IOCs) and search queries into the JSON format required for a Carbon Black alliance feed. This can be imported into your Carbon Black server manually or by adding a Threat Intelligence feed, which will regularly update.

It was written by David Cannings (@edeca) and released by NCC Group under the AGPL.

The latest code can be found in the Github repository.

Why would I use it?

This tool is useful if:

  • You want to synchronise watch lists across multiple Carbon Black servers.
  • You want to share indicators (and you don't have a central threat intel platform).

Quick start

To get started you will need:

  • A configuration file (see examples/config.yaml)
  • At least one data file (see examples/data/)

First install the tool in a virtual environment:

# Create a new virtual environment
$ python3 -m venv hydrocarbon_venv

# Activate the virtual environment
$ . hydrocarbon_venv/bin/activate  # On Windows run hydrocarbon_venv\Scripts\activate.ps1

# Instal the module
$ pip install hydrocarbon 

Now generate a JSON file with feed data:

# Generate JSON from the example data 
$ hydrocarbon --config examples\config.yaml --data examples\data --output feed.json

You can optionally provide two logos (100x100 and 370x97) to be included in the feed data. These wll be displayed in the web UI, for example:

# Generate JSON from the example data 
$ hydrocarbon --config examples\config.yaml --data examples\data --output feed.json \
              --icon-large examples\large.jpg --icon-small examples\small.jpg

INSERT IMAGE

The tool can be used from within your own Python scripts, see the FAQ.

FAQ

Why integrate with git?

The Carbon Black server needs a timestamp for every report. Using git gives an accurate timestamp (from the latest commit) which does not change. This ensures that 'incremental' update mode is efficient, only changed reports will be parsed.

It is possible to use without git. However, this is not recommended for anything other than testing.

How can I delete indicators?

The Carbon Black Response server prefers to do an 'incremental' sync against feeds. This means that deleted items will not be removed.

To delete an item change enabled to False and regenerate the feed.

How can I automatically update my server?

Simply copy the JSON file to a web server which can be accessed by the Carbon Black instance. You can optionally use basic authentication and provide the username and password in the Carbon Black web interface.

You can add a new feed to the Threat Intelligence section in Carbon Black.

There seem to be no restrictions on the web server other than returning valid JSON.

How can I integrate this with my workflow?

The tool is a Python module which can be imported and used from your own code.

from hydrocarbon import FeedGenerator

builder = FeedGenerator("/path/to/config.yaml")
builder.add_data_dir("/path/to/data/")

with open("output.json", "w") as fh:
    builder.generate_feed(fh)

See hydrocarbon/app.py for an example implementation.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

hydrocarbon-0.0.4.tar.gz (9.1 kB view details)

Uploaded Source

File details

Details for the file hydrocarbon-0.0.4.tar.gz.

File metadata

  • Download URL: hydrocarbon-0.0.4.tar.gz
  • Upload date:
  • Size: 9.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/47.1.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.8.5

File hashes

Hashes for hydrocarbon-0.0.4.tar.gz
Algorithm Hash digest
SHA256 778b042415b706d5115ca69497d10d805b6e6f2443273f98027193367fbd720d
MD5 d3c5580a644aa26edfc2db3a8e9a8081
BLAKE2b-256 a5048cf92aa4bc176c288dd985dc56172ee7d3cd55048593bece45fc05bdfb45

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page