With the latest update of the Cratos API to version 1.45 (https://www.ecrimelabs.com/cratos-threat-api), we now support direct integration between MISP and Carbon Black’s Cb Response (https://www.carbonblack.com/products/cb-response/), with the data delivered as Threat Intelligence Feeds.
With this addition you can automatically consume specific data sets from your MISP instance directly in Carbon Black Response, making your threat data even more operational: you can choose to alert, block or even hunt with the data.
The integration uses the same functionality as the other feeds the Cratos API provides, meaning that when you add custom tags in your MISP instance, the tagged data becomes available in the Cratos API for your security components to consume.
How to integrate your MISP instance with Cb Response
The integration into Cb Response is simple.
Log in to your Cb Response portal, click “Threat Intelligence” and then “Add new Feed”, and paste the URL to your Cratos API.
When the feed has been added, remember to “Enable” it and do a full sync.
As shown above, there are 4 different feeds, with indicators chosen to be shared from a MISP instance.
The above indicators are from the eCrimeLabs test page: http://www.evilcorp.dk/
With this in place, the MISP data will be regularly updated in your Cb Response installation.
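As an added example (not eCrimeLabs or Carbon Black code), here is a pre-flight check to run on a feed document before enabling it, so that malformed indicators are caught instead of silently never matching. It assumes the feed follows Carbon Black's published JSON feed layout (`feedinfo` plus `reports` carrying `iocs`); the page does not show the Cratos API output, and the sample data is constructed.

```python
import ipaddress
import re

# Assumption: Carbon Black's published feed layout; the Cratos output is not shown on the page.
REQUIRED = {"id", "timestamp", "title", "link", "score", "iocs"}
PATTERNS = {  # indicator types not listed here (or ipv4 below) are reported as bad
    "md5": re.compile(r"[0-9a-fA-F]{32}"),
    "sha256": re.compile(r"[0-9a-fA-F]{64}"),
    "dns": re.compile(r"(?=.{1,253}$)([A-Za-z0-9_-]{1,63}\.)+[A-Za-z][A-Za-z0-9-]{1,62}"),
}

def ioc_ok(kind, value):
    """True if the indicator is well-formed for its type."""
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    return kind in PATTERNS and PATTERNS[kind].fullmatch(value) is not None

def validate_feed(doc):
    """Return a list of problems found in a parsed feed document."""
    problems = []
    if "name" not in doc.get("feedinfo", {}):
        problems.append("feedinfo.name is missing")
    seen = set()
    for n, report in enumerate(doc.get("reports", [])):
        missing = REQUIRED - set(report)
        if missing:
            problems.append(f"report[{n}]: missing {sorted(missing)}")
            continue
        if report["id"] in seen:  # ids must be unique within a feed
            problems.append(f"report[{n}]: duplicate id {report['id']}")
        seen.add(report["id"])
        if not isinstance(report["score"], int) or not -100 <= report["score"] <= 100:
            problems.append(f"report[{n}]: score out of range")
        for kind, values in report["iocs"].items():
            problems += [f"report[{n}]: bad {kind} {v!r}" for v in values if not ioc_ok(kind, v)]
    return problems

# Constructed sample data, not real feed output.
SAMPLE = {"feedinfo": {"name": "examplefeed"}, "reports": [
    {"id": "r1", "timestamp": 1500000000, "title": "ok", "link": "https://misp.example/events/1",
     "score": 80, "iocs": {"ipv4": ["192.0.2.10"], "dns": ["bad.example"]}},
    {"id": "r1", "timestamp": 1500000000, "title": "broken", "link": "https://misp.example/events/2",
     "score": 80, "iocs": {"md5": ["not-a-hash"], "ipv4": ["192.0.2.999"]}},
]}
print("\n".join(validate_feed(SAMPLE)))
```

To check a live feed, load the JSON returned by your own feed URL and pass the parsed document to `validate_feed`.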