VMware Carbon Black EDR
The VMware Carbon Black EDR connector facilitates seamless integration with the Carbon Black EDR platform, enabling automated threat detection and response actions. VMware Carbon Black EDR is a leading endpoint detection and response platform that provides comprehensive threat hunting and incident response capabilities. This connector enables Swimlane Turbine users to automate key security operations tasks such as retrieving binary details, isolating or unblocking files, fetching alerts, and managing sensors. By integrating with VMware Carbon Black EDR, users can streamline their security workflows, rapidly respond to threats, and enhance their overall security posture without the need for manual intervention.

## Prerequisites

To effectively utilize the VMware Carbon Black EDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key authentication with the following parameters:
  - URL: the endpoint URL for the VMware Carbon Black EDR API
  - API Key: your personal API key provided by VMware Carbon Black EDR for secure access

## Capabilities

This connector allows security operators to manage alerts, processes, binaries and hosts on devices.

## Asset Setup

This section provides instructions for obtaining information for the Swimlane asset.

### Obtaining an API Token

1. Log into your Carbon Black server.
2. From the top right corner, click your name and then select **My Profile**.
3. From the top left corner of your profile, click **API Token**.
4. If you have not previously generated an API token, generate it now.
5. Copy the token into the asset in Swimlane.

Note: You may reset your token in order to generate a new one at any time.

### Permissions

The user to whom this token is assigned must have permissions for basic analyst actions, isolating hosts, and managing binaries.

## Limitations

Some API documentation query options show lowercase examples, but they must be capitalized. This may happen with other options. For example, the Get Alerts query is mentioned in the Carbon Black documentation as `status:resolved` but must be `status:Resolved` in order to filter properly.

## Documentation

- https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/
- https://developer.carbonblack.com/guide/enterprise-response/cbrestapiquickstart/
- https://developer.carbonblack.com/resources/query_overview.pdf

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| X-Auth-Token | API key | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Binary Details

Retrieve detailed information for a binary file using its MD5 hash in VMware Carbon Black EDR.

Endpoint URL: `api/v1/binary/{{md5}}/summary`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.md5 | string | Required | Parameters for the Binary Details action |

Input example:

```json
{"path_parameters": {"md5": "be57857b26f30e6dd658f07da31e0dfc"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| host_count | number | Count value |
| digsig_result | string | Result of the operation |
| observed_filename | array | Name of the resource |
| product_version | string | Output field product_version |
| digsig_issuer | string | Output field digsig_issuer |
| signed | string | Output field signed |
| digsig_sign_time | string | Time value |
| orig_mod_len | number | Output field orig_mod_len |
| is_executable_image | boolean | Output field is_executable_image |
| is_64bit | boolean | Output field is_64bit |
| digsig_subject | string | Output field digsig_subject |
| digsig_publisher | string | Output field digsig_publisher |
| group | array | Output field group |
| event_partition_id | array | Unique identifier |
| file_version | string | Output field file_version |
| company_name | string | Name of the resource |
| internal_name | string | Name of the resource |
| icon | string | Output field icon |
| product_name | string | Name of the resource |
| digsig_result_code | string | Result of the operation |
| timestamp | string | Output field timestamp |
| copied_mod_len | number | Output field copied_mod_len |
| server_added_timestamp | string | Output field server_added_timestamp |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 19:38:55 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Last-Modified": "2023-01-05 12:38:55.029248", "Cache-Control": "max-age=0", "Pragma": "no-cache", "Expires": "Thu, 05 Jan 2023 19:38:55 GMT", "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY, DENY", "X-Content-Type-Options": "nosniff", "Content-Encoding": "gzip"}, "reason": "OK", "json_b
```

### Block/Unblock MD5 Hash

Isolate a file with a specified MD5 hash or remove it from isolation in VMware Carbon Black EDR. Requires 'md5hash' and 'isolate' parameters.

Endpoint URL: `api/v1/banning/blacklist`

Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| md5hash | string | Optional | Parameter for Block/Unblock MD5 Hash |
| last_ban_time | string | Optional | Time value |
| ban_count | string | Optional | Count value |
| last_ban_host | string | Optional | Parameter for Block/Unblock MD5 Hash |
| text | string | Optional | Parameter for Block/Unblock MD5 Hash |
| isolate | boolean | Optional | Parameter for Block/Unblock MD5 Hash |

Input example:

```json
{"json_body": {"md5hash": "be57857b26f30e6dd658f07da31e0dfc", "last_ban_time": "0", "ban_count": "0", "last_ban_host": "0", "text": "banning", "isolate": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 19:44:59 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Last-Modified": "2023-01-05 12:44:59.670237", "Cache-Control": "max-age=0", "Pragma": "no-cache", "Expires": "Thu, 05 Jan 2023 19:44:59 GMT", "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY, DENY", "X-Content-Type-Options": "nosniff", "Content-Encoding": "gzip"}, "reason": "OK", "json_b
```

### Get Alerts

Retrieve a list of alerts from VMware Carbon Black EDR to identify potential threats and take necessary actions.

Endpoint URL: `api/v2/alert`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.q | string | Optional | Parameters for the Get Alerts action |
| parameters.rows | number | Optional | Parameters for the Get Alerts action |

Input example:

```json
{"parameters": {"q": "status:Unresolved", "rows": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| terms | array | Output field terms |
| terms.file_name | string | Name of the resource |
| terms.file | string | Output field terms.file |
| results | array | Result of the operation |
| results.file_name | string | Name of the resource |
| results.file | string | Result of the operation |
| elapsed | number | Output field elapsed |
| comprehensive_search | boolean | Output field comprehensive_search |
| all_segments | boolean | Output field all_segments |
| total_results | number | Result of the operation |
| highlights | array | Output field highlights |
| highlights.file_name | string | Name of the resource |
| highlights.file | string | Output field highlights.file |
| facets | object | Output field facets |
| start | number | Output field start |
| incomplete_results | boolean | Result of the operation |
| filtered | object | Output field filtered |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 19:15:45 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Last-Modified": "2023-01-05 12:15:45.562059", "Cache-Control": "max-age=0", "Pragma": "no-cache", "Expires": "Thu, 05 Jan 2023 19:15:45 GMT", "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY, DENY", "X-Content-Type-Options": "nosniff", "Content-Encoding": "gzip"}, "reason": "OK", "json_b
```

### Get Sensors

Retrieves detailed information about sensors from VMware Carbon Black EDR using the specified sensor ID.

Endpoint URL: `api/v1/sensor/{{sensor_id}}`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | Required | Parameters for the Get Sensors action |
| parameters.hostname | string | Optional | Parameters for the Get Sensors action |
| parameters.ipaddr | string | Optional | Parameters for the Get Sensors action |
| parameters.groupip | string | Optional | Parameters for the Get Sensors action |
| parameters.inactive_filter_days | number | Optional | Parameters for the Get Sensors action |

Input example:

```json
{"parameters": {"hostname": "bob-computer", "ipaddr": "1.1.1.1", "groupip": "239ewf78w98", "inactive_filter_days": 1}, "path_parameters": {"sensor_id": 1}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{"status_code": 500, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 20:40:51 GMT", "Content-Type": "text/html", "Content-Length": "291", "Connection": "keep-alive", "Last-Modified": "2023-01-05 13:40:51.636821", "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0", "Pragma": "no-cache", "Expires": "-1"}, "reason": "Internal Server Error", "response_text": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>500 Internal Serv"}
```

### List Banned MD5 Hashes

Retrieves a list of MD5 hashes that have been banned from execution by VMware Carbon Black EDR.

Endpoint URL: `api/v1/banning/blacklist`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 19:48:13 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Last-Modified": "2023-01-05 12:48:13.514064", "Cache-Control": "max-age=0", "Pragma": "no-cache", "Expires": "Thu, 05 Jan 2023 19:48:13 GMT", "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY, DENY", "X-Content-Type-Options": "nosniff", "Content-Encoding": "gzip"}, "reason": "OK", "json_b
```

### MD5 Search

Retrieve detailed information for specified MD5 hashes using VMware Carbon Black EDR.

Endpoint URL: `api/v1/binary`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.q | string | Optional | Parameters for the MD5 Search action |

Input example:

```json
{"parameters": {"q": "be57857b26f30e6dd658f07da31e0dfc or 20b146e082833ecee45452e1494d5254"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| terms | array | Output field terms |
| total_results | number | Result of the operation |
| highlights | array | Output field highlights |
| highlights.name | string | Name of the resource |
| highlights.ids | array | Unique identifier |
| facets | object | Output field facets |
| results | array | Result of the operation |
| results.host_count | number | Result of the operation |
| results.original_filename | string | Name of the resource |
| results.legal_copyright | string | Result of the operation |
| results.digsig_result | string | Result of the operation |
| results.observed_filename | array | Name of the resource |
| results.product_version | string | Result of the operation |
| results.watchlists | array | Result of the operation |
| results.watchlists.wid | string | Unique identifier |
| results.watchlists.value | string | Value for the parameter |
| results.facet_id | number | Unique identifier |
| results.digsig_issuer | string | Result of the operation |
| results.copied_mod_len | number | Result of the operation |
| results.server_added_timestamp | string | Result of the operation |
| results.digsig_sign_time | string | Result of the operation |
| results.orig_mod_len | number | Result of the operation |
| results.is_executable_image | boolean | Result of the operation |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 19:08:29 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Last-Modified": "2023-01-05 12:08:29.295477", "Cache-Control": "max-age=0", "Pragma": "no-cache", "Expires": "Thu, 05 Jan 2023 19:08:29 GMT", "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY, DENY", "X-Content-Type-Options": "nosniff", "Content-Encoding": "gzip"}, "reason": "OK", "json_b
```

### Modify Sensor

Update settings for a specific sensor in VMware Carbon Black EDR using the sensor's unique identifier.

Endpoint URL: `api/v1/sensor/{{sensor_id}}`

Method: PUT

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.sensor_id | number | Required | Parameters for the Modify Sensor action |
| parameters.network_isolation_enabled | string | Optional | Parameters for the Modify Sensor action |

Input example:

```json
{"parameters": {"network_isolation_enabled": "network_isolation_enabled"}, "path_parameters": {"sensor_id": 1}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Output example:

```json
{"status_code": 500, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 21:03:51 GMT", "Content-Type": "text/html; charset=utf-8", "Content-Length": "44", "Connection": "keep-alive", "Last-Modified": "2023-01-05 14:03:51.779964", "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0", "Pragma": "no-cache", "Expires": "-1"}, "reason": "Internal Server Error", "response_text": "Unhandled exception. Check logs for details."}
```

### Process Search

Execute a search query for processes within VMware Carbon Black EDR and retrieve relevant process information.

Endpoint URL: `api/v1/process`

Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.q | string | Optional | Parameters for the Process Search action |
| parameters.rows | number | Optional | Parameters for the Process Search action |

Input example:

```json
{"parameters": {"q": "process_name:svchost.exe", "rows": 10}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| terms | array | Output field terms |
| results | array | Result of the operation |
| results.file_name | string | Name of the resource |
| results.file | string | Result of the operation |
| elapsed | number | Output field elapsed |
| comprehensive_search | boolean | Output field comprehensive_search |
| all_segments | boolean | Output field all_segments |
| total_results | number | Result of the operation |
| highlights | array | Output field highlights |
| highlights.file_name | string | Name of the resource |
| highlights.file | string | Output field highlights.file |
| facets | object | Output field facets |
| tagged_pids | object | Unique identifier |
| start | number | Output field start |
| incomplete_results | boolean | Result of the operation |
| filtered | object | Output field filtered |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"Server": "openresty", "Date": "Thu, 05 Jan 2023 19:34:38 GMT", "Content-Type": "application/json; charset=utf-8", "Transfer-Encoding": "chunked", "Connection": "keep-alive", "Last-Modified": "2023-01-05 12:34:38.702167", "Cache-Control": "max-age=0", "Pragma": "no-cache", "Expires": "Thu, 05 Jan 2023 19:34:38 GMT", "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY, DENY", "X-Content-Type-Options": "nosniff", "Content-Encoding": "gzip"}, "reason": "OK", "json_b
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 44 |
| Content-Type | The media type of the resource | text/html |
| Date | The date and time at which the message was originated | Thu, 05 Jan 2023 19:38:55 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 05 Jan 2023 19:38:55 GMT |
| Last-Modified | The date and time at which the origin server believes the resource was last modified | 2023-01-05 12:48:13.514064 |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | openresty |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY, DENY |
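The HTTP requests behind the Binary Details, Get Alerts and Block/Unblock MD5 Hash actions, with the `status:` capitalization fix from the Limitations section applied before the query is sent, as an added example that is not Swimlane's or VMware's own code. The base URL and token are caller-supplied placeholders, and the requests are built with `urllib` but not sent, so the block runs offline.

```python
import json
import re
import urllib.parse
import urllib.request

# Carbon Black's docs print alert status values in lowercase, but /api/v2/alert
# only filters correctly on the capitalized form (e.g. status:Resolved).
STATUS_TERM = re.compile(r"\bstatus:([A-Za-z]+)")


def normalize_query(q: str) -> str:
    """Rewrite e.g. 'status:resolved' to 'status:Resolved' before sending the query."""
    return STATUS_TERM.sub(lambda m: "status:" + m.group(1).capitalize(), q)


class CbEdrRequests:
    """Builds, but does not send, the HTTP requests behind the connector actions.
    base_url and token correspond to the asset's URL and X-Auth-Token parameters."""

    def __init__(self, base_url: str, token: str):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _build(self, method, path, params=None, body=None):
        url = f"{self.base_url}/{path}"
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("X-Auth-Token", self.token)  # the API key travels in this header
        if data is not None:
            req.add_header("Content-Type", "application/json")
        return req

    def binary_details(self, md5: str):
        return self._build("GET", f"api/v1/binary/{md5}/summary")

    def get_alerts(self, q: str, rows: int = 10):
        return self._build("GET", "api/v2/alert", params={"q": normalize_query(q), "rows": rows})

    def block_md5(self, md5hash: str, text: str, isolate: bool = True):
        # Field set mirrors the Block/Unblock MD5 Hash input example on this page.
        body = {"md5hash": md5hash, "last_ban_time": "0", "ban_count": "0",
                "last_ban_host": "0", "text": text, "isolate": isolate}
        return self._build("POST", "api/v1/banning/blacklist", body=body)


def header(req, name):
    """Case-insensitive header lookup (urllib stores the key as 'X-auth-token')."""
    return {k.lower(): v for k, v in req.header_items()}.get(name.lower())
```

To send a request, pass it to `urllib.request.urlopen` (or the asset's HTTP proxy/SSL settings via an opener); keep the token out of logs, since it carries the analyst, isolation and binary-management permissions noted above.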