# VMware Carbon Black EDR
The VMware Carbon Black EDR connector facilitates seamless integration with the Carbon Black EDR platform, enabling automated threat detection and response actions.

VMware Carbon Black EDR is a leading endpoint detection and response platform that provides comprehensive threat hunting and incident response capabilities. This connector enables Swimlane Turbine users to automate key security operations tasks such as retrieving binary details, isolating or unblocking files, fetching alerts, and managing sensors. By integrating with VMware Carbon Black EDR, users can streamline their security workflows, rapidly respond to threats, and enhance their overall security posture without the need for manual intervention.

## Prerequisites

To effectively utilize the VMware Carbon Black EDR connector with Swimlane Turbine, ensure you have the following prerequisites:

- API Key Authentication with the following parameters:
  - URL: the endpoint URL for the VMware Carbon Black EDR API
  - API Key: your personal API key provided by VMware Carbon Black EDR for secure access

## Capabilities

This connector allows security operators to manage alerts, processes, binaries and hosts on devices.

## Asset Setup

This section provides instructions for obtaining information for the Swimlane asset.

### Obtaining an API Token

1. Log into your Carbon Black server.
2. From the top right corner, click your name and then select **My Profile**.
3. From the top left corner of your profile, click **API Token**.
4. If you have not previously generated an API token, generate it now.
5. Copy the token into the asset in Swimlane.

Note: You may reset your token in order to generate a new one at any time.

### Permissions

The user to whom this token is assigned must have permissions for basic analyst actions, isolating hosts, and managing binaries.

## Limitations

Some API documentation query options show lowercase examples, but they must be capitalized. This may happen with other options. For example, the Get Alerts query is mentioned in the Carbon Black documentation as `status:resolved` but must be `status:Resolved` in order to filter properly.

## Documentation

- API documentation: https://developer.carbonblack.com/reference/enterprise-response/6.3/rest-api/
- Quick start guide: https://developer.carbonblack.com/guide/enterprise-response/cbrestapiquickstart/
- How to write queries: https://developer.carbonblack.com/resources/query_overview.pdf

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | Required |
| x_auth_token | API key | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Binary Details

Retrieve detailed information for a binary file using its MD5 hash in VMware Carbon Black EDR.

Endpoint URL: `api/v1/binary/{{md5}}/summary`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| md5 | string | Required | Parameter for Binary Details |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| host_count | number | Count value |
| digsig_result | string | Result of the operation |
| observed_filename | array | Name of the resource |
| product_version | string | Output field product_version |
| digsig_issuer | string | Output field digsig_issuer |
| signed | string | Output field signed |
| digsig_sign_time | string | Time value |
| orig_mod_len | number | Output field orig_mod_len |
| is_executable_image | boolean | Output field is_executable_image |
| is_64bit | boolean | Output field is_64bit |
| digsig_subject | string | Output field digsig_subject |
| digsig_publisher | string | Output field digsig_publisher |
| group | array | Output field group |
| event_partition_id | array | Unique identifier |
| file_version | string | Output field file_version |
| company_name | string | Name of the resource |
| internal_name | string | Name of the resource |
| icon | string | Output field icon |
| product_name | string | Name of the resource |
| digsig_result_code | string | Result of the operation |
| timestamp | string | Output field timestamp |
| copied_mod_len | number | Output field copied_mod_len |
| server_added_timestamp | string | Output field server_added_timestamp |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 19:38:55 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 12:38:55.029248",
      "Cache-Control": "max-age=0",
      "Pragma": "no-cache",
      "Expires": "Thu, 05 Jan 2023 19:38:55 GMT",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY, DENY",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "host_count": 1,
      "digsig_result": "Signed",
      "observed_filename": [],
      "product_version": "8.0.0.2562 (Patch 6)",
      "digsig_issuer": "Symantec Class 3 SHA256 Code Signing CA",
      "signed": "Signed",
      "digsig_sign_time": "2017-10-25T18:13:00Z",
      "orig_mod_len": 1913152,
      "is_executable_image": true,
      "is_64bit": true,
      "digsig_subject": "Carbon Black, Inc.",
      "digsig_publisher": "Microsoft Corporation",
      "group": [],
      "event_partition_id": [],
      "file_version": "8.0.0.2562 (Patch 6)"
    }
  }
]
```

### Block/Unblock MD5 Hash

Isolate a file with a specified MD5 hash or remove it from isolation in VMware Carbon Black EDR. Requires the `md5hash` and `isolate` parameters.

Endpoint URL: `api/v1/banning/blacklist`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| md5hash | string | Required | Parameter for Block/Unblock MD5 Hash |
| last_ban_time | string | Optional | Time value |
| ban_count | string | Optional | Count value |
| last_ban_host | string | Optional | Parameter for Block/Unblock MD5 Hash |
| text | string | Optional | Parameter for Block/Unblock MD5 Hash |
| isolate | boolean | Required | Parameter for Block/Unblock MD5 Hash |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| result | string | Result of the operation |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 19:44:59 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 12:44:59.670237",
      "Cache-Control": "max-age=0",
      "Pragma": "no-cache",
      "Expires": "Thu, 05 Jan 2023 19:44:59 GMT",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY, DENY",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "result": "success"
    }
  }
]
```

### Get Alerts

Retrieve a list of alerts from VMware Carbon Black EDR to identify potential threats and take necessary actions.

Endpoint URL: `api/v2/alert`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| q | string | Optional | Parameter for Get Alerts |
| rows | number | Optional | Parameter for Get Alerts |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| terms | array | Output field terms |
| file_name | string | Name of the resource |
| file | string | Output field file |
| results | array | Result of the operation |
| file_name | string | Name of the resource |
| file | string | Output field file |
| elapsed | number | Output field elapsed |
| comprehensive_search | boolean | Output field comprehensive_search |
| all_segments | boolean | Output field all_segments |
| total_results | number | Result of the operation |
| highlights | array | Output field highlights |
| file_name | string | Name of the resource |
| file | string | Output field file |
| facets | object | Output field facets |
| start | number | Output field start |
| incomplete_results | boolean | Result of the operation |
| filtered | object | Output field filtered |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 19:15:45 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 12:15:45.562059",
      "Cache-Control": "max-age=0",
      "Pragma": "no-cache",
      "Expires": "Thu, 05 Jan 2023 19:15:45 GMT",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY, DENY",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "terms": [],
      "results": [],
      "elapsed": 0.012996196746826172,
      "comprehensive_search": true,
      "all_segments": true,
      "total_results": 0,
      "highlights": [],
      "facets": {},
      "start": 0,
      "incomplete_results": false,
      "filtered": {}
    }
  }
]
```

### Get Sensors

Retrieves detailed information about sensors from VMware Carbon Black EDR using the specified sensor ID.

Endpoint URL: `api/v1/sensor/{{sensor_id}}`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| sensor_id | number | Required | Unique identifier |
| hostname | string | Optional | Name of the resource |
| ipaddr | string | Optional | Parameter for Get Sensors |
| groupip | string | Optional | Parameter for Get Sensors |
| inactive_filter_days | number | Optional | Parameter for Get Sensors |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 500,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 20:40:51 GMT",
      "Content-Type": "text/html",
      "Content-Length": "291",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 13:40:51.636821",
      "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0",
      "Pragma": "no-cache",
      "Expires": "-1"
    },
    "reason": "Internal Server Error",
    "response_text": "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>500 Internal Serv"
  }
]
```

### List Banned MD5 Hashes

Retrieves a list of MD5 hashes that have been banned from execution by VMware Carbon Black EDR.

Endpoint URL: `api/v1/banning/blacklist`
Method: GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 19:48:13 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 12:48:13.514064",
      "Cache-Control": "max-age=0",
      "Pragma": "no-cache",
      "Expires": "Thu, 05 Jan 2023 19:48:13 GMT",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY, DENY",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": [
      {
        "username": "admin",
        "audit": [
          {
            "username": "admin",
            "timestamp": "2023-01-05 12:44:59.592831-07:00",
            "text": "banning",
            "enabled": true,
            "user_id": 1
          }
        ],
        "text": "banning",
        "md5hash": "be57857b26f30e6dd658f07da31e0dfc",
        "block_count": 0,
        "user_id": 1,
        "last_block_sensor_id": null,
        "enabled": true,
        "last_block_time": null,
        "timestamp": "2023-01-05 12:44:59.592831-07:00",
        "last_block_hostname": null
      },
      {
        "username": "admin",
        "audit": [
          {
            "username": "admin",
            "timestamp": "2018-05-04 09:40:28.248582-06:00",
            "text": "Turbine blocked by Malicious File Download Monitoring playbook",
            "enabled": true,
            "user_id": 1
          }
        ],
        "text": "Turbine blocked by Malicious File Download Monitoring playbook",
        "md5hash": "4ab7f450124b7b4400bf866243d41a19",
        "block_count": 0,
        "user_id": 1,
        "last_block_sensor_id": null,
        "enabled": true,
        "last_block_time": null,
        "timestamp": "2018-05-04 09:40:28.248582-06:00",
        "last_block_hostname": null
      },
      {
        "username": "admin",
        "audit": [
          {
            "username": "admin",
            "timestamp": "2018-04-26 13:40:17.361705-06:00",
            "text": "Turbine blocked by Malicious File Download Monitoring playbook",
            "enabled": true,
            "user_id": 1
          },
          {
            "username": "admin",
            "timestamp": "2018-04-26 12:19:57.021966-06:00",
            "text": "Turbine blocked by Malicious File Download Monitoring playbook",
            "enabled": false,
            "user_id": 1
          },
          {
            "username": "admin",
            "timestamp": "2018-04-26 09:53:00.371018-06:00",
            "text": "Turbine blocked by Malicious File Download Monitoring playbook",
            "enabled": true,
            "user_id": 1
          },
          {
            "username": "admin",
            "timestamp": "2018-04-26 09:46:36.886681-06:00",
            "text": "Turbine blocked by Malicious File Download Monitoring playbook",
            "enabled": false,
            "user_id": 1
          },
          {
            "username": "admin",
            "timestamp": "2018-04-26 07:01:02.637848-06:00",
            "text": "Turbine blocked by Malicious File Download Monitoring playbook",
            "enabled": true,
            "user_id": 1
          },
```

### MD5 Search

Retrieve detailed information for specified MD5 hashes using VMware Carbon Black EDR.

Endpoint URL: `api/v1/binary`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| q | string | Optional | Parameter for MD5 Search |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| terms | array | Output field terms |
| total_results | number | Result of the operation |
| highlights | array | Output field highlights |
| name | string | Name of the resource |
| ids | array | Unique identifier |
| facets | object | Output field facets |
| results | array | Result of the operation |
| host_count | number | Count value |
| original_filename | string | Name of the resource |
| legal_copyright | string | Output field legal_copyright |
| digsig_result | string | Result of the operation |
| observed_filename | array | Name of the resource |
| product_version | string | Output field product_version |
| watchlists | array | Output field watchlists |
| wid | string | Unique identifier |
| value | string | Value for the parameter |
| facet_id | number | Unique identifier |
| digsig_issuer | string | Output field digsig_issuer |
| copied_mod_len | number | Output field copied_mod_len |
| server_added_timestamp | string | Output field server_added_timestamp |
| digsig_sign_time | string | Time value |
| orig_mod_len | number | Output field orig_mod_len |
| is_executable_image | boolean | Output field is_executable_image |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 19:08:29 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 12:08:29.295477",
      "Cache-Control": "max-age=0",
      "Pragma": "no-cache",
      "Expires": "Thu, 05 Jan 2023 19:08:29 GMT",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY, DENY",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "terms": [],
      "total_results": 2,
      "highlights": [],
      "facets": {},
      "results": [],
      "elapsed": 0.35674595832824707,
      "start": 0
    }
  }
]
```

### Modify Sensor

Update settings for a specific sensor in VMware Carbon Black EDR using the sensor's unique identifier.

Endpoint URL: `api/v1/sensor/{{sensor_id}}`
Method: PUT

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| sensor_id | number | Required | Unique identifier |
| network_isolation_enabled | string | Optional | Parameter for Modify Sensor |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

Example:

```json
[
  {
    "status_code": 500,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 21:03:51 GMT",
      "Content-Type": "text/html; charset=utf-8",
      "Content-Length": "44",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 14:03:51.779964",
      "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0",
      "Pragma": "no-cache",
      "Expires": "-1"
    },
    "reason": "Internal Server Error",
    "response_text": "Unhandled exception. Check logs for details."
  }
]
```

### Process Search

Execute a search query for processes within VMware Carbon Black EDR and retrieve relevant process information.

Endpoint URL: `api/v1/process`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| q | string | Optional | Parameter for Process Search |
| rows | number | Optional | Parameter for Process Search |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| terms | array | Output field terms |
| results | array | Result of the operation |
| file_name | string | Name of the resource |
| file | string | Output field file |
| elapsed | number | Output field elapsed |
| comprehensive_search | boolean | Output field comprehensive_search |
| all_segments | boolean | Output field all_segments |
| total_results | number | Result of the operation |
| highlights | array | Output field highlights |
| file_name | string | Name of the resource |
| file | string | Output field file |
| facets | object | Output field facets |
| tagged_pids | object | Unique identifier |
| start | number | Output field start |
| incomplete_results | boolean | Result of the operation |
| filtered | object | Output field filtered |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "openresty",
      "Date": "Thu, 05 Jan 2023 19:34:38 GMT",
      "Content-Type": "application/json; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Last-Modified": "2023-01-05 12:34:38.702167",
      "Cache-Control": "max-age=0",
      "Pragma": "no-cache",
      "Expires": "Thu, 05 Jan 2023 19:34:38 GMT",
      "Strict-Transport-Security": "max-age=31536000",
      "X-Frame-Options": "DENY, DENY",
      "X-Content-Type-Options": "nosniff",
      "Content-Encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "terms": [],
      "results": [],
      "elapsed": 0.05518198013305664,
      "comprehensive_search": true,
      "all_segments": true,
      "total_results": 0,
      "highlights": [],
      "facets": {},
      "tagged_pids": {},
      "start": 0,
      "incomplete_results": false,
      "filtered": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | max-age=0 |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 291 |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Date | The date and time at which the message was originated | Thu, 05 Jan 2023 20:40:51 GMT |
| Expires | The date/time after which the response is considered stale | Thu, 05 Jan 2023 19:38:55 GMT |
| Last-Modified | The date and time at which the origin server believes the resource was last modified | 2023-01-05 12:44:59.670237 |
| Pragma | HTTP response header Pragma | no-cache |
| Server | Information about the software used by the origin server | openresty |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000 |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY, DENY |
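The following is an added example, not Swimlane's connector code or Carbon Black's: a stdlib-only Python client that builds the Block/Unblock MD5 Hash, Get Alerts and Modify Sensor requests described above, applies the `status:Resolved` capitalization workaround from the Limitations section, and shapes replies into the `status_code` / `reason` / `json_body` or `response_text` envelope shown in the action examples (including the text/html 500 case from Get Sensors). The class and method names are assumptions; the endpoint paths, parameter names, asset fields and the `X-Auth-Token` header are the ones documented on this page.

```python
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request


class CbEdrClient:
    def __init__(self, url, api_key, verify_ssl=True, http_proxy=None):  # asset: URL, X-Auth-Token, Verify SSL, HTTP Proxy
        self.base, self.api_key, self.verify_ssl, self.http_proxy = url.rstrip("/"), api_key, verify_ssl, http_proxy

    @staticmethod
    def fix_query_case(q):
        # Limitation noted above: the server filters on status:Resolved, not status:resolved.
        return re.sub(r"\bstatus:(\w+)", lambda m: "status:" + m.group(1).capitalize(), q)

    # Action builders return (method, url, query params, JSON body) and send nothing, so they are testable offline.
    def block_unblock_md5(self, md5hash, isolate, text=""):
        body = {"md5hash": md5hash.lower(), "isolate": bool(isolate), "text": text}
        return "POST", f"{self.base}/api/v1/banning/blacklist", None, body

    def get_alerts(self, q=None, rows=None):
        params = {k: v for k, v in (("q", q and self.fix_query_case(q)), ("rows", rows)) if v}
        return "GET", f"{self.base}/api/v2/alert", params, None

    def modify_sensor(self, sensor_id, network_isolation_enabled):
        body = {"network_isolation_enabled": bool(network_isolation_enabled)}
        return "PUT", f"{self.base}/api/v1/sensor/{int(sensor_id)}", None, body

    @staticmethod
    def shape_response(status_code, reason, headers, raw_body):
        # Connector-style envelope: json_body for JSON replies, response_text otherwise (e.g. the text/html 500 page).
        out = {"status_code": status_code, "reason": reason, "response_headers": dict(headers)}
        if out["response_headers"].get("Content-Type", "").startswith("application/json"):
            out["json_body"] = json.loads(raw_body)
        else:
            out["response_text"] = raw_body
        return out

    def send(self, method, url, params=None, body=None):
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, data=json.dumps(body).encode() if body is not None else None,
                                     method=method, headers={"X-Auth-Token": self.api_key, "Content-Type": "application/json"})
        ctx = ssl.create_default_context()
        if not self.verify_ssl:  # only for lab servers with self-signed certificates
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        proxies = {"http": self.http_proxy, "https": self.http_proxy} if self.http_proxy else {}
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx), urllib.request.ProxyHandler(proxies))
        try:
            with opener.open(req, timeout=30) as resp:
                return self.shape_response(resp.status, resp.reason, resp.headers, resp.read().decode())
        except urllib.error.HTTPError as e:  # 4xx/5xx replies still carry a useful body
            return self.shape_response(e.code, e.reason, e.headers, e.read().decode())
```

Call `client.send(*client.get_alerts("status:resolved", 10))` against a real server; the builders alone never touch the network.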