Carbon Black Endpoint Standard v2
This Integration is part of the Carbon Black Endpoint Standard Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
VMware Carbon Black Endpoint Standard (formerly known as Carbon Black Defense) is a next-generation antivirus + EDR in one cloud-delivered platform that stops commodity malware, advanced malware, non-malware attacks, and ransomware. This integration was integrated and tested with version 1.1.2 of Carbon Black Endpoint Standard
New Features in Carbon Black Endpoint Standard v2#
The Carbon Black Endpoint Standard v1 integration is deprecated because Carbon Black released a new version of their API. Use the Carbon Black Endpoint Standard v2 integration instead. The following are the new features in V2.
New Commands#
The Carbon Black Endpoint Standard v2 integration supports the following new commands:
- Operations on devices:
- cbd-device-background-scan Starts a background scan on a device by ID.
- cbd-device-background-scan-stop Stops a background scan on a device by ID.
- cbd-device-bypass Bypasses a device.
- cbd-device-unbypass Unbypasses a device.
- cbd-device-policy-update Updates the devices to the specified policy ID.
- cbd-device-update-sensor-version Updates the version of a sensor.
- cbd-device-quarantine Quarantines the device.
- cbd-device-unquarantine Unquarantines the device.
- cbd-alerts-search Retrieves all alerts using some arguments (query, ID, type, category) to filter the results.
- cbd-find-events-details Retrieves details for enriched events.
- cbd-find-events-details-results Retrieves the status for an enriched events detail request for a given job ID.
- cbd-find-events-results Retrieves the result for an enriched events search request for a given job ID.
- cbd-find-processes-results Retrieves the results of a process search identified by the job ID.
Deprecated Commands in Carbon Black Endpoint Standard v1#
The following commands from the Carbon Black Endpoint Standard v1 integration have been deprecated and replaced with the v2 commands as shown.
| Deprecated Command | Replaced with v2 Commands |
|---|---|
| cbd-get-device-status | cbd-device-search |
| cbd-get-devices-status | cbd-device-search |
| cbd-change-device-status | - cbd-device-quarantine - cbd-device-unquarantine - cbd-device-background-scan - cbd-device-background-scan-stop - cbd-device-bypass - cbd-device-unbypass - cbd-device-policy-update - cbd-device-update-sensor-version |
| cbd-find-events | cbd-find-events returns a job_id to use in the cbd-find-events-results command as an argument. |
| cbd-find-processes | cbd-find-processes returns a job_id to use in the cbd-find-processes-results command as an argument. |
Playbooks#
There are 3 new playbooks:
- Carbon Black Endpoint Standard Find Events - Finds events using a search query (or device_id, etc.).
- Carbon Black Endpoint Standard Find Event Details - Receives event IDs and returns details about the event.
- Carbon Black Endpoint Standard Find Processes - Finds processes using a search query (or device_id, etc.).
Mapper#
Carbon Black Endpoint Standard Mapper.
Layout#
Carbon Black Endpoint Standard Incoming Layout.
Classifier#
Carbon Black Endpoint Standard
Configure Carbon Black Endpoint Standard on Cortex XSOAR#
Navigate to Settings > Integrations > Servers & Services.
Search for Carbon Black Endpoint Standard.
Click Add instance to create and configure a new integration instance.
Parameter Description Required URL True Custom API Key This Custom API key is required for all use cases except the policy use cases. False Custom API Secret Key This Custom API secret key is required for all use cases except the policy use cases. False Live Response API Key This Live Response API key is required only for the policy use cases. False Live Response API Secret Key This Live Response API secret key is required only for the policy use cases. False Organization Key The organization unique key. This is required for all use cases (and for fetching incidents) except the policy use cases. False Incident type False Fetch incidents False Trust any certificate (not secure) False Use system proxy settings False The type of the alert Type of alert to be fetched. False The category of the alert. Category of alert to be fetched (THREAT, MONITORED). If nothing is selected he is fetching from all categories. False Device id The alerts related to a specific device, represented by its ID. False Policy id The alerts related to a specific policy, represented by its ID. False Device username The alerts related to a specific device, represented by its username. False Query Query in Lucene syntax and/or value searches. False First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days). False Maximum number of incidents per fetch False Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
cbd-get-alert-details#
Get details about the events that led to an alert by its ID. This includes retrieving metadata around the alert as well as a list of all the events associated with the alert. Only API keys of type “API” can call the alerts API.
Required Permissions#
RBAC Permissions Required - org.alerts: READ
Base Command#
cbd-get-alert-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| alertId | The ID of the alert. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Alert.id | String | The identifier for the alert. |
| CarbonBlackDefense.Alert.legacy_alert_id | String | The unique short ID for the alerts to support easier consumption in the UI console. Use the ID for API requests. |
| CarbonBlackDefense.Alert.org_key | String | The unique identifier for the organization associated with the alert. |
| CarbonBlackDefense.Alert.create_time | Date | The time the alert was created. |
| CarbonBlackDefense.Alert.last_update_time | Date | The last time the alert was updated. |
| CarbonBlackDefense.Alert.first_event_time | Date | The time of the first event associated with the alert. |
| CarbonBlackDefense.Alert.last_event_time | Date | The time of the latest event associated with the alert. |
| CarbonBlackDefense.Alert.threat_id | String | The identifier of the threat that this alert belongs to. Threats are comprised of a combination of factors that can be repeated across devices. |
| CarbonBlackDefense.Alert.severity | Number | The threat ranking of the alert. |
| CarbonBlackDefense.Alert.category | String | The category of the alert (THREAT, MONITORED). |
| CarbonBlackDefense.Alert.device_id | Number | The identifier assigned by Carbon Black Cloud to the device associated with the alert. |
| CarbonBlackDefense.Alert.device_os | String | The operating system of the device associated with the alert. |
| CarbonBlackDefense.Alert.device_os_version | String | The operating system and version on the device. |
| CarbonBlackDefense.Alert.device_name | String | The hostname of the device associated with the alert. |
| CarbonBlackDefense.Alert.device_username | String | The username of the user logged on during the alert. If the user is not available then this may be populated with the device owner. |
| CarbonBlackDefense.Alert.policy_id | Number | The identifier for the policy associated with the device at the time of the alert. |
| CarbonBlackDefense.Alert.policy_name | String | The name of the policy associated with the device at the time of the alert. |
| CarbonBlackDefense.Alert.target_value | String | The priority of the device assigned by the policy. |
| CarbonBlackDefense.Alert.workflow.state | String | The state of the tracking system for alerts as they are triaged and resolved. The state can be OPEN or DISMISSED. |
| CarbonBlackDefense.Alert.workflow.remediation | String | The state of the workflow of the tracking system for alerts as they are triaged and resolved. The state can be OPEN or DISMISSED. |
| CarbonBlackDefense.Alert.workflow.last_update_time | Date | The last time the alert was updated. |
| CarbonBlackDefense.Alert.workflow.comment | String | The comment about the workflow of the tracking system for alerts as they are triaged and resolved. |
| CarbonBlackDefense.Alert.workflow.changed_by | String | The name of the person who changed the alert. |
| CarbonBlackDefense.Alert.notes_present | Boolean | Indicates if notes are associated with the threat ID. |
| CarbonBlackDefense.Alert.tags | Unknown | Tags associated with the alert ([ "tag1", "tag2" ]). |
| CarbonBlackDefense.Alert.reason | String | The description of the alert. |
| CarbonBlackDefense.Alert.count | Number | The count of the alert. |
| CarbonBlackDefense.Alert.report_id | String | The identifier of the report that contains the IOC. |
| CarbonBlackDefense.Alert.report_name | String | The name of the report that contains the IOC. |
| CarbonBlackDefense.Alert.ioc_id | String | The identifier of the IOC that caused the hit. |
| CarbonBlackDefense.Alert.ioc_field | String | The indicator of comprise (IOC) field that the hit contains. |
| CarbonBlackDefense.Alert.ioc_hit | String | IOC field value or IOC that matches the query. |
| CarbonBlackDefense.Alert.watchlists.id | String | The ID of the watchlists associated with an alert. |
| CarbonBlackDefense.Alert.watchlists.name | String | The name of the watchlists associated with an alert. |
| CarbonBlackDefense.Alert.process_guid | String | The global unique identifier of the process that triggered the hit. |
| CarbonBlackDefense.Alert.process_name | String | The name of the process that triggered the hit. |
| CarbonBlackDefense.Alert.run_state | String | The run state for the watchlist alerts. This value is always "RAN". |
| CarbonBlackDefense.Alert.threat_indicators.process_name | String | The name of the threat indicators that make up the threat. |
| CarbonBlackDefense.Alert.threat_indicators.sha256 | String | The SHA-256 hash of the threat indicators that make up the threat. |
| CarbonBlackDefense.Alert.threat_indicators.ttps | String | The tactics, techniques, and procedures (TTPs) of the threat indicators that make up the threat. |
| CarbonBlackDefense.Alert.threat_cause_actor_sha256 | String | The SHA-256 hash of the threat cause actor. |
| CarbonBlackDefense.Alert.threat_cause_actor_md5 | String | The MD5 hash of the threat cause actor. |
| CarbonBlackDefense.Alert.threat_cause_actor_name | String | Process name or IP address of the threat actor. |
| CarbonBlackDefense.Alert.threat_cause_reputation | String | The reputation of the threat cause. (KNOWN_MALWARE, SUSPECT_MALWARE, PUP, NOT_LISTED, ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, TRUSTED_WHITE_LIST, COMPANY_BLACK_LIST). |
| CarbonBlackDefense.Alert.threat_cause_threat_category | String | The category of the threat cause. (UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM). |
| CarbonBlackDefense.Alert.threat_cause_vector | String | The source of the threat cause. (EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY). |
| CarbonBlackDefense.Alert.document_guid | String | The document GUID. |
| CarbonBlackDefense.Alert.type | String | The type of alert. (CB_ANALYTICS, DEVICE_CONTROL). |
| CarbonBlackDefense.Alert.reason_code | String | The shorthand enum for the full-text reason. |
| CarbonBlackDefense.Alert.device_location | String | Whether the device was on-premise or off-premise when the alert started. (ONSITE, OFFSITE, UNKNOWN). |
| CarbonBlackDefense.Alert.created_by_event_id | String | Event identifier that initiated the alert. |
| CarbonBlackDefense.Alert.threat_activity_dlp | String | Whether the alert involved data loss prevention (DLP). (NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED). |
| CarbonBlackDefense.Alert.threat_activity_phish | String | Whether the alert involved phishing. (NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED). |
| CarbonBlackDefense.Alert.threat_activity_c2 | String | Whether the alert involved a command and control (c2) server. (NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED). |
| CarbonBlackDefense.Alert.threat_cause_actor_process_pid | String | The process identifier (PID) of the actor process. |
| CarbonBlackDefense.Alert.threat_cause_process_guid | String | The GUID of the process. |
| CarbonBlackDefense.Alert.threat_cause_parent_guid | String | The parent GUID of the process. |
| CarbonBlackDefense.Alert.threat_cause_cause_event_id | String | The threat cause cause event ID. |
| CarbonBlackDefense.Alert.blocked_threat_category | String | The category of the threat on which we were able to take action. (UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM). |
| CarbonBlackDefense.Alert.not_blocked_threat_category | String | Other potentially malicious activity involved in the threat on which we weren’t able to take action (either due to policy config, or not having a relevant rule). (UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM). |
| CarbonBlackDefense.Alert.kill_chain_status | String | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. (RECONNAISSANCE, WEAPONIZE, DELIVER_EXPLOIT, INSTALL_RUN, COMMAND_AND_CONTROL, EXECUTE_GOAL, BREACH). For example [ "EXECUTE_GOAL", "BREACH" ]. |
| CarbonBlackDefense.Alert.sensor_action | String | The action taken by the sensor, according to the rule of the policy. (POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY). |
| CarbonBlackDefense.Alert.policy_applied | String | Whether a policy was applied. (APPLIED, NOT_APPLIED). |
Command Example#
!cbd-get-alert-details alertId=3d541e1d-8930-4651-85c3-8cd9728d9776
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Get Alert Details#
Id Category Device Id Device Name Device Username Create Time Ioc Hit Policy Name Process Name Type Severity 1234 THREAT 5678 AB\winABC-123 jon@example.com 2021-04-04T10:42:54.143Z ((netconn_port:5355 device_os:WINDOWS)) -enriched:true default svchost.exe WATCHLIST 1
cbd-device-search#
Searches devices in your organization.
Required Permissions#
RBAC Permissions Required - device: READ
Base Command#
cbd-device-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The identifier for the device. | Optional |
| os | The operating system. Possible values: "WINDOWS", "MAC", "LINUX", and "OTHER". Possible values are: WINDOWS, MAC, LINUX, OTHER. | Optional |
| status | The status of the device. Possible values: "PENDING", "REGISTERED", "DEREGISTERED", "BYPASS", "ACTIVE", "INACTIVE", "ERROR", "ALL", "BYPASS_ON", "LIVE", "SENSOR_PENDING_UPDATE". Possible values are: PENDING, REGISTERED, DEREGISTERED, BYPASS, ACTIVE, INACTIVE, ERROR, ALL, BYPASS_ON, LIVE, SENSOR_PENDING_UPDATE. | Optional |
| start_time | The time to start getting results. specified as ISO-8601 strings for example: "2021-01-27T12:43:26.243Z". | Optional |
| target_priority | The “Target value” configured in the policy assigned to the sensor. Possible values: "LOW", "MEDIUM", "HIGH", "MISSION_CRITICAL". Possible values are: LOW, MEDIUM, HIGH, MISSION_CRITICAL. | Optional |
| query | The query in Lucene syntax and/or value searches. | Optional |
| end_time | The time to stop getting results. specified as ISO-8601 strings for example: "2021-02-27T12:43:26.243Z". | Optional |
| rows | The maximum number of rows to return. Default is 20. Default is 20. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Device.activation_code | String | The device activation code to register the sensor with a specific organization. |
| CarbonBlackDefense.Device.activation_code_expiry_time | Date | The time when the activation code expires and cannot be used to register a device. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.ad_group_id | Number | The Active Directory group ID to match. |
| CarbonBlackDefense.Device.appliance_name | String | The name of the appliance the Virtual Machine (VM) is associated with. |
| CarbonBlackDefense.Device.appliance_uuid | String | The UUID of the appliance the VM is associated with. |
| CarbonBlackDefense.Device.av_ave_version | String | The AVE version (part of AV Version). |
| CarbonBlackDefense.Device.av_engine | String | The current antivirus (AV) version. |
| CarbonBlackDefense.Device.av_last_scan_time | Date | The last time a local scan completed. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.av_master | Boolean | Whether the device is an AV Master. |
| CarbonBlackDefense.Device.av_pack_version | String | The pack version (part of AV version). |
| CarbonBlackDefense.Device.av_product_version | String | The product version (part of AV version). |
| CarbonBlackDefense.Device.av_status | String | The status of the local scan. For example [ "AV_ACTIVE", "AV_REGISTERED" ]. (AV_NOT_REGISTERED, AV_REGISTERED, AV_DEREGISTERED, AV_ACTIVE, AV_BYPASS, SIGNATURE_UPDATE_DISABLED, ONACCESS_SCAN_DISABLED, ONDEMAND_SCAN_DISABLED, PRODUCT_UPDATE_DISABLED). |
| CarbonBlackDefense.Device.av_update_servers | Unknown | A list of the device’s AV servers. For example [ "string", "string" ]. |
| CarbonBlackDefense.Device.av_vdf_version | String | VDF version (part of AV version). |
| CarbonBlackDefense.Device.cluster_name | String | Name of the cluster. A cluster is a group of hosts. |
| CarbonBlackDefense.Device.current_sensor_policy_name | String | The name of the policy currently configured on the sensor. |
| CarbonBlackDefense.Device.datacenter_name | String | The name of the underlying data center. The data center managed object provides the interface to the common container object for hosts, virtual machines, networks, and datastores. |
| CarbonBlackDefense.Device.deployment_type | String | The device’s deployment type. This is a classification that is determined by its lifecycle management policy. (ENDPOINT, WORKLOAD). |
| CarbonBlackDefense.Device.deregistered_time | Date | The time when the deregister request was received. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.device_meta_data_item_list.key_name | String | The key name that describes the device. |
| CarbonBlackDefense.Device.device_meta_data_item_list.key_value | String | The key value that describes the device. |
| CarbonBlackDefense.Device.device_meta_data_item_list.position | Number | The position that describes the device. |
| CarbonBlackDefense.Device.device_owner_id | Number | The identifier for the device owner associated with the device. |
| CarbonBlackDefense.Device.email | String | The email address for the device owner. |
| CarbonBlackDefense.Device.encoded_activation_code | String | The encoded activation code. |
| CarbonBlackDefense.Device.esx_host_name | String | The name of the ESX host on which the VM is deployed. |
| CarbonBlackDefense.Device.esx_host_uuid | String | The UUID of the ESX host on which the VM is deployed. |
| CarbonBlackDefense.Device.first_name | String | The first name of the device owner. |
| CarbonBlackDefense.Device.id | Number | The ID of the device. |
| CarbonBlackDefense.Device.last_contact_time | Date | The last time the sensor contacted Carbon Black Cloud. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.last_device_policy_changed_time | Date | The last time the sensor changed from one policy to another. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.last_device_policy_requested_time | Date | The last time the sensor checked for changes to the policy. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.last_external_ip_address | String | The last IP address of the device according to Carbon Black Cloud. This can differ from the last_internal_ip_address due to the network proxy or NAT. Can be either IPv4 or IPv6 format. |
| CarbonBlackDefense.Device.last_internal_ip_address | String | The last IP address of the device reported by the sensor. Can be either IPv4 or IPv6 format. |
| CarbonBlackDefense.Device.last_location | String | The device’s current location relative to the organization’s network, based on the current IP address and the device’s registered DNS domain suffix. (UNKNOWN, ONSITE, OFFSITE). |
| CarbonBlackDefense.Device.last_name | String | The last name of the device owner. |
| CarbonBlackDefense.Device.last_policy_updated_time | Date | The last time the current policy received an update. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.last_reported_time | Date | The last time Carbon Black Cloud received one or more events reported by the sensor. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.last_reset_time | Date | The last time the device was reset. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.last_shutdown_time | Date | The last time the device was shutdown. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.linux_kernel_version | String | Not implemented. |
| CarbonBlackDefense.Device.login_user_name | String | The last user who logged in to the device. (Requires Windows Carbon Black Cloud sensor). |
| CarbonBlackDefense.Device.mac_address | String | The media access control (MAC) address for the device’s primary interface. (Requires Windows CBC sensor version 3.6.0.1941 or later, or macOS CBC sensor). |
| CarbonBlackDefense.Device.middle_name | String | The middle name of the device owner. |
| CarbonBlackDefense.Device.name | String | The hostname of the endpoint recorded by the sensor when last initialized. |
| CarbonBlackDefense.Device.organization_id | Number | The organization identifier. |
| CarbonBlackDefense.Device.organization_name | String | The organization name. |
| CarbonBlackDefense.Device.os | String | The operating system. (WINDOWS, MAC, LINUX, OTHER). |
| CarbonBlackDefense.Device.os_version | String | The operating system and version of the endpoint. |
| CarbonBlackDefense.Device.passive_mode | Boolean | Whether the device is in bypass mode. |
| CarbonBlackDefense.Device.policy_id | Number | The policy identifier assigned to the device. |
| CarbonBlackDefense.Device.policy_name | String | The policy name assigned to the device. This name may not match the current_sensor_policy_name until the sensor checks back in. |
| CarbonBlackDefense.Device.policy_override | Boolean | Whether the policy was manually assigned to override mass sensor management. |
| CarbonBlackDefense.Device.quarantined | Boolean | The indicator that the device is in quarantine mode. |
| CarbonBlackDefense.Device.registered_time | Date | The time when the device was registered with Carbon Black Cloud. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.scan_last_action_time | Date | The last time the background scan was started or stopped. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.scan_last_complete_time | Date | The time the last background scan completed. (ISO 8601 timestamp in UTC). |
| CarbonBlackDefense.Device.scan_status | String | The status of the background scan. (NEVER_RUN, STOPPED, IN_PROGRESS, COMPLETED). |
| CarbonBlackDefense.Device.sensor_kit_type | String | The type of sensor installed on the device. (XP, WINDOWS, MAC, AV_SIG, OTHER, RHEL, UBUNTU, SUSE, AMAZON_LINUX, MAC_OSX). |
| CarbonBlackDefense.Device.sensor_out_of_date | Boolean | Whether there is a new version available to be installed. |
| CarbonBlackDefense.Device.sensor_pending_update | Boolean | Whether the sensor is marked by the sensor updater service for a sensor upgrade. |
| CarbonBlackDefense.Device.sensor_states | String | The states the sensor is in. For example [ "ACTIVE", "LIVE_RESPONSE_ENABLED" ]. (ACTIVE, PANICS_DETECTED, LOOP_DETECTED, DB_CORRUPTION_DETECTED, CSR_ACTION, REPUX_ACTION, DRIVER_INIT_ERROR, REMGR_INIT_ERROR, UNSUPPORTED_OS, SENSOR_UPGRADE_IN_PROGRESS, SENSOR_UNREGISTERED, WATCHDOG, SENSOR_RESET_IN_PROGRESS, DRIVER_INIT_REBOOT_REQUIRED, DRIVER_LOAD_NOT_GRANTED, SENSOR_SHUTDOWN, SENSOR_MAINTENANCE, FULL_DISK_ACCESS_NOT_GRANTED, DEBUG_MODE_ENABLED, AUTO_UPDATE_DISABLED, SELF_PROTECT_DISABLED, VDI_MODE_ENABLED, POC_MODE_ENABLED, SECURITY_CENTER_OPTLN_DISABLED, LIVE_RESPONSE_RUNNING, LIVE_RESPONSE_NOT_RUNNING, LIVE_RESPONSE_KILLED, LIVE_RESPONSE_NOT_KILLED, LIVE_RESPONSE_ENABLED, LIVE_RESPONSE_DISABLED, DRIVER_KERNEL, DRIVER_USERSPACE). |
| CarbonBlackDefense.Device.sensor_version | String | The version of the installed sensor in the format: #.#.#.#. |
| CarbonBlackDefense.Device.status | String | The status of the device. (PENDING, REGISTERED, DEREGISTERED, BYPASS Additional searchable statuses that are not returnable ACTIVE, INACTIVE, ERROR, ALL, BYPASS_ON, LIVE, SENSOR_PENDING_UPDATE). |
| CarbonBlackDefense.Device.target_priority | String | Device target priorities to match. (LOW, MEDIUM, HIGH, MISSION_CRITICAL). |
| CarbonBlackDefense.Device.uninstall_code | String | The code to enter when uninstalling the sensor. |
| CarbonBlackDefense.Device.vcenter_host_url | String | The vCenter host URL. |
| CarbonBlackDefense.Device.vcenter_name | String | The name of the vCenter the VM is associated with. |
| CarbonBlackDefense.Device.vcenter_uuid | String | The 128-bit SMBIOS UUID of a vCenter represented as a hexadecimal string. |
| CarbonBlackDefense.Device.vdi_base_device | Number | The identifier of the device from which this device was cloned/re-registered. |
| CarbonBlackDefense.Device.virtual_machine | Boolean | Whether this device is a virtual machine (VMware AppDefense integration). Deprecated for deployment_type. |
| CarbonBlackDefense.Device.virtualization_provider | String | The name of the VM virtualization provider. |
| CarbonBlackDefense.Device.vm_ip | String | The IP address of the VM. |
| CarbonBlackDefense.Device.vm_name | String | The name of the VM that the sensor is deployed on. |
| CarbonBlackDefense.Device.vm_uuid | String | The 128-bit SMBIOS UUID of a virtual machine represented as a hexadecimal string. (Format: 12345678-abcd-1234-cdef-123456789abc). |
| CarbonBlackDefense.Device.vulnerability_score | Number | The vulnerability score from 0 to 100 indicating the workload’s level of vulnerability with 100 being highly vulnerable. |
| CarbonBlackDefense.Device.vulnerability_severity | String | The severity level indicating the workload’s vulnerability. (CRITICAL, MODERATE, IMPORTANT, LOW). |
| CarbonBlackDefense.Device.windows_platform | String | Deprecated for os_version. (CLIENT_X86, CLIENT_X64, SERVER_X86, SERVER_X64, CLIENT_ARM64, SERVER_ARM64). |
Command Example#
!cbd-device-search
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Devices List Results#
Id Name Os Policy Name Quarantined Status Target Priority Last Internal Ip Address Last External Ip Address Last Contact Time Last Location 1234 bo1tapsandbox-01 LINUX LRDemo-JH false REGISTERED MEDIUM 8.8.8.8 1.1.1.1 2021-04-04T13:29:14.616Z UNKNOWN 5678 REDTEAM\malware-gen2 WINDOWS default false BYPASS LOW 8.8.8.8 1.1.1.1 2021-04-04T13:29:14.056Z OFFSITE 9101 RTEST\Oleg-TB2-Win10E WINDOWS default false REGISTERED LOW 8.8.8.8 1.1.1.1 2021-04-04T13:29:13.643Z OFFSITE
cbd-find-processes#
Creates a process search job. The results for the search job may be requested using the returned job ID. At least one of the arguments (not including: rows, start, and time_range) is required.
Required Permissions#
RBAC Permissions Required - org.search.events: CREATE
Base Command#
cbd-find-processes
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_category | The Carbon Black Cloud classification for events tagged to an alert. Possible values: "THREAT" and "OBSERVED". Possible values are: THREAT, OBSERVED. | Optional |
| hash | Aggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash). | Optional |
| device_external_ip | The IP address of the endpoint according to Carbon Black Cloud. This IP address can differ from the device_internal_ip due to network proxy or NAT. Can be either IPv4 or IPv6 format. | Optional |
| device_id | The ID assigned to the endpoint by Carbon Black Cloud. This ID is unique across all Carbon Black Cloud environments. | Optional |
| device_internal_ip | The IP address of the endpoint reported by the sensor. Can be either IPv4 or IPv6 format. | Optional |
| device_name | The hostname of the endpoint recorded by the sensor when last initialized. | Optional |
| device_os | The operating system of the endpoint. Possible values: "WINDOWS", "MAC", "LINUX". Possible values are: WINDOWS, MAC, LINUX. | Optional |
| device_timestamp | The sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud. specified as ISO 8601 timestamp in UTC for example: 2020-01-19T04:28:40.190Z. | Optional |
| event_type | The type of enriched event observed. Possible value: "filemod", "netconn", "regmod", "modload", "crossproc", "childproc", "scriptload", and "fileless_scriptload". Possible values are: filemod, netconn, regmod, modload, crossproc, childproc, scriptload, fileless_scriptload. | Optional |
| parent_name | The file system path of the parent process binary. | Optional |
| parent_reputation | The reputation of the parent process applied by Carbon Black Cloud when the event is initially processed. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST". Possible values are: ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST. | Optional |
| process_cmdline | The command line executed by the actor process. | Optional |
| process_guid | The unique process identifier for the actor process. | Optional |
| process_name | The file system path of the actor process binary. | Optional |
| process_pid | The process identifier assigned by the operating system. This can be multi-valued in case of fork() or exec() process operations on Linux and macOS. | Optional |
| process_reputation | The reputation of the actor process applied when the event is processed by Carbon Black Cloud. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST". Possible values are: ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST. | Optional |
| process_start_time | The sensor reported timestamp of when the process started. specified as ISO 8601 timestamp in UTC for example: 2020-05-04T21:34:03.968Z. This is not available for processes running before the sensor starts. | Optional |
| process_terminated | Whether the process has terminated. Possible values: "true" and "false". Always "false" for enriched events (process termination not recorded). Possible values are: true, false. | Optional |
| process_username | The user context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid(). | Optional |
| sensor_action | The action performed by the sensor on the process. Possible values: "TERMINATE", "DENY", and "SUSPEND". Possible values are: TERMINATE, DENY, SUSPEND. | Optional |
| query | The query in Lucene syntax and/or value searches. | Optional |
| rows | The number of rows to request. Can be paginated. | Optional |
| start | The first row to use for pagination. | Optional |
| time_range | The time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Process.Search.job_id | String | The job ID of the process search. |
Command Example#
!cbd-find-processes query=chrome
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Processes Search#
Job Id f5a2ae0e-c3f7-4443-882d-009097eaabd3
cbd-find-events#
Creates an enriched events search job. The results for the search job may be requested using the returned job ID. At least one of the arguments (not including: rows, start, time_range) is required).
Required Permissions#
RBAC Permissions Required - org.search.events: CREATE
Base Command#
cbd-find-events
Input#
| Argument Name | Description | Required |
|---|---|---|
| alert_category | The Carbon Black Cloud classification for events tagged to an alert. Possible values: "THREAT" and "OBSERVED". Possible values are: THREAT, OBSERVED. | Optional |
| hash | Aggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash). | Optional |
| device_external_ip | The IP address of the endpoint according to Carbon Black Cloud. This IP address can differ from the device_internal_ip due to network proxy or NAT. Can be either IPv4 or IPv6 format. | Optional |
| device_id | The ID assigned to the endpoint by Carbon Black Cloud. This ID is unique across all Carbon Black Cloud environments. | Optional |
| device_internal_ip | The IP address of the endpoint reported by the sensor. Can be either IPv4 or IPv6 format. | Optional |
| device_name | The hostname of the endpoint recorded by the sensor when last initialized. | Optional |
| device_os | The operating system of the endpoint. Possible values: "WINDOWS", "MAC", "LINUX". Possible values are: WINDOWS, MAC, LINUX. | Optional |
| event_type | The type of enriched event observed. Possible value: "filemod", "netconn", "regmod", "modload", "crossproc", "childproc", "scriptload", and "fileless_scriptload". Possible values are: filemod, netconn, regmod, modload, crossproc, childproc, scriptload, fileless_scriptload. | Optional |
| parent_name | The file system path of the parent process binary. | Optional |
| parent_reputation | The reputation of the parent process applied by Carbon Black Cloud when the event is initially processed. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST". Possible values are: ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST. | Optional |
| process_cmdline | The command line executed by the actor process. | Optional |
| process_guid | The unique process identifier for the actor process. | Optional |
| process_name | The file system path of the actor process binary. | Optional |
| process_pid | The process identifier assigned by the operating system. This can be multi-valued in case of fork() or exec() process operations on Linux and macOS. | Optional |
| process_reputation | The reputation of the actor process applied when the event is processed by Carbon Black Cloud. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST". Possible values are: ADAPTIVE_WHITE_LIST, ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST. | Optional |
| process_start_time | The sensor reported timestamp of when the process started. specified as ISO 8601 timestamp in UTC for example: 2020-05-04T21:34:03.968Z. This is not available for processes running before the sensor starts. | Optional |
| process_terminated | Whether the process has terminated. Possible values: "true" and "false". Always "false" for enriched events (process termination not recorded). Possible values are: true, false. | Optional |
| process_username | The user context in which the actor process was executed. MacOS - all users for the PID for fork() and exec() transitions. Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid(). | Optional |
| sensor_action | The action performed by the sensor on the process. Possible values: "TERMINATE", "DENY", and "SUSPEND". Possible values are: TERMINATE, DENY, SUSPEND. | Optional |
| query | The query in Lucene syntax and/or value searches. | Optional |
| rows | The number of rows to request. Can be paginated. | Optional |
| start | The first row to use for pagination. | Optional |
| time_range | The time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Events.Search.job_id | String | The job ID of the event search. |
Command Example#
!cbd-find-events query=chrome
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Events Search#
Job Id b853bf18-d1f3-4dcc-b590-6626ee547bec
cbd-find-processes-results#
Retrieves the results of a process search identified by the job ID.
Required Permissions#
RBAC Permissions Required - org.search.events: READ
Base Command#
cbd-find-processes-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | The job ID. | Required |
| rows | The number of rows to request. Can be paginated. Default is 10. Default is 10. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Process.Results.job_id | String | The results of the process search. |
| CarbonBlackDefense.Process.Results.approximate_unaggregated | Number | The approximate number of unaggregated results. |
| CarbonBlackDefense.Process.Results.completed | Number | The number of completed results. |
| CarbonBlackDefense.Process.Results.contacted | Number | The number of contacted results. |
| CarbonBlackDefense.Process.Results.num_aggregated | Number | The number of aggregated results. |
| CarbonBlackDefense.Process.Results.num_available | Number | The number of processes available in this search. |
| CarbonBlackDefense.Process.Results.num_found | Number | The number of processes found in this search. |
| CarbonBlackDefense.Process.Results.results | Unknown | The lists that contains the data of the results for this search. |
Command Example#
!cbd-find-processes-results job_id=a79f5a25-5ab4-4df7-b806-62e0aedd7034
Context Example#
Human Readable Output#
The Results For The Process Search#
Device Id Device Name Process Name Device Policy Id Enriched Event Type 1234 vm-2k12-vg63 c:\program files (x86)\google\chrome\application\chrome.exe 1234 NETWORK 5678 development\vm-beats-dev c:\program files (x86)\google\chrome\application\chrome.exe 1234 NETWORK 9101 development\vm-beats-dev c:\program files (x86)\google\chrome\application\chrome.exe 1234 CREATE_PROCESS
cbd-get-policies#
Gets the list of policies available in your organization.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-get-policies
Input#
There are no input arguments for this command.
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Policy.id | Number | The policy ID. |
| CarbonBlackDefense.Policy.priorityLevel | String | The policy priority level. |
| CarbonBlackDefense.Policy.systemPolicy | Boolean | Whether the policy is a system policy. |
| CarbonBlackDefense.Policy.latestRevision | Number | The latest revision of the policy. |
| CarbonBlackDefense.Policy.policy | Unknown | The policy object. |
| CarbonBlackDefense.Policy.name | String | The unique name of the policy. |
| CarbonBlackDefense.Policy.description | String | The description of the policy. |
| CarbonBlackDefense.Policy.version | Number | The version of the policy. |
Command Example#
!cbd-get-policies
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policies#
Id Priority Level System Policy Latest Revision Version 6525 LOW true 2021-04-02T06:05:12.000Z 2 6527 HIGH true 2021-02-15T20:41:32.000Z 2 6528 MEDIUM true 2021-02-15T20:41:32.000Z 2
cbd-get-policy#
Retrieves a policy object by ID.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-get-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| policyId | The policy ID. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Policy.id | Number | The policy ID. |
| CarbonBlackDefense.Policy.priorityLevel | String | The policy priority level. |
| CarbonBlackDefense.Policy.systemPolicy | Boolean | Whether the policy is a system policy. |
| CarbonBlackDefense.Policy.latestRevision | Number | The latest revision of the policy. |
| CarbonBlackDefense.Policy.policy | Unknown | The policy object. |
| CarbonBlackDefense.Policy.name | String | The unique name of the policy. |
| CarbonBlackDefense.Policy.description | String | The description of the policy. |
| CarbonBlackDefense.Policy.version | Number | The version of the policy. |
Command Example#
!cbd-get-policy policyId=6527
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policy#
Id Name Latest Revision Version Priority Level System Policy 6527 Detection_Servers 2021-02-15T20:41:32.000Z 2 HIGH true
cbd-set-policy#
Resets policy fields.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-set-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| policy | The policy ID to be set. | Required |
| keyValue | A JSON object that holds key/value pairs. The key is the field path in the policy object you want to update with a value. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Policy.id | Number | The policy ID. |
| CarbonBlackDefense.Policy.priorityLevel | String | The policy priority level. |
| CarbonBlackDefense.Policy.systemPolicy | Boolean | Whether the policy is a system policy. |
| CarbonBlackDefense.Policy.latestRevision | Number | The latest revision of the policy. |
| CarbonBlackDefense.Policy.policy | Unknown | The policy object. |
| CarbonBlackDefense.Policy.name | String | The unique name of the policy. |
| CarbonBlackDefense.Policy.description | String | The description of the policy. |
| CarbonBlackDefense.Policy.version | Number | The version of the policy. |
Command Example#
``!cbd-set-policy policy=123456 keyValue={"policyInfo": {"description": "update example", "name": "xsoar test1", "id": 123456, "policy": {"sensorSettings": [{"name": "SHOW_UI", "value": "true"}]}, "priorityLevel": "HIGH"}}````
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policy#
Id Description Name Latest Revision Version Priority Level System Policy 123456 update example xsoar test1 2021-04-04T13:28:57.000Z 2 HIGH false
cbd-create-policy#
Creates a new policy on the CB Defense backend.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-create-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| description | A description of the policy. Can be multiple lines. | Required |
| name | A unique one-line name for the policy. | Required |
| priorityLevel | The priority score associated with sensors assigned to this policy. Possible values: "MISSION_CRITICAL", "HIGH", "MEDIUM", and "LOW". Possible values are: MISSION_CRITICAL, HIGH, MEDIUM, LOW. | Required |
| policy | The JSON object containing the policy details. Make sure a valid policy object is passed. You can use the get-policy command to retrieve a similar policy object. Then you can reset some of the policy's fields with the set-policy command, and pass the edited object. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Policy.id | Number | The policy ID. |
| CarbonBlackDefense.Policy.priorityLevel | String | The policy priority level. |
| CarbonBlackDefense.Policy.systemPolicy | Boolean | Whether the policy is a system policy. |
| CarbonBlackDefense.Policy.latestRevision | Number | The latest revision of the policy. |
| CarbonBlackDefense.Policy.policy | Unknown | The policy object. |
| CarbonBlackDefense.Policy.name | String | The unique name of the policy. |
| CarbonBlackDefense.Policy.description | String | The description of the policy. |
| CarbonBlackDefense.Policy.version | Number | The version of the policy. |
Command Example#
``!cbd-create-policy description=This is xsoar's test policy name=xsoar test3 priorityLevel=HIGH policy={}````
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policy#
Id Description Name Latest Revision Version Priority Level System Policy 67586 This is xsoar's test policy xsoar test3 2021-04-04T13:28:49.000Z 2 HIGH false
cbd-delete-policy#
Deletes a policy from the CB Defense backend. This may return an error if devices are actively assigned to the policy ID requested for deletion. Note: System policies cannot be deleted.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-delete-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| policyId | The policy ID. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-delete-policy policyId=67585
Human Readable Output#
The policy 67585 was deleted successfully#
Message Success Success true
cbd-update-policy#
Updates an existing policy with a new policy. Note: System policies cannot be modified.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-update-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| description | A description of the policy. | Required |
| name | A one-line name for the policy. | Required |
| priorityLevel | The priority score associated with sensors assigned to this policy. Possible values: "MISSION_CRITICAL", "HIGH", "MEDIUM", and "LOW". Possible values are: MISSION_CRITICAL, HIGH, MEDIUM, LOW. | Required |
| id | The ID of the policy to replace. | Required |
| policy | The JSON object containing the policy details. Make sure a valid policy object is passed. For example {'sensorSettings': [{'name': 'SHOW_UI', 'value': 'false'}]}. You can use the get-policy command to retrieve the policy object you want to update. Then you can reset some of the policy's fields with the set-policy command, and pass the edited object. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Policy.id | Number | The policy ID. |
| CarbonBlackDefense.Policy.priorityLevel | String | The policy priority level. |
| CarbonBlackDefense.Policy.systemPolicy | Boolean | Whether the policy is a system policy. |
| CarbonBlackDefense.Policy.latestRevision | Number | The latest revision of the policy. |
| CarbonBlackDefense.Policy.policy | Unknown | The policy object. |
| CarbonBlackDefense.Policy.name | String | The unique name of the policy. |
| CarbonBlackDefense.Policy.description | String | The description of the policy. |
| CarbonBlackDefense.Policy.version | Number | The version of the policy. |
Command Example#
``!cbd-update-policy id=123456 description=This is xsoar's test policy after an update name=xsoar test1 priorityLevel=LOW policy={"sensorSettings": [{"name": "SHOW_UI", "value": "false"}]}````
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policy#
Id Description Name Latest Revision Version Priority Level System Policy 123456 This is xsoar's test policy after an update xsoar test1 2021-04-04T13:29:00.000Z 2 LOW false
cbd-add-rule-to-policy#
Adds a new rule to an existing policy. Note: System policies cannot be modified.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-add-rule-to-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| action | Rule action. Possible values: "TERMINATE", "IGNORE", "TERMINATE_THREAD", "ALLOW", "DENY", and "TERMINATE_PROCESS". Possible values are: TERMINATE, IGNORE, TERMINATE_THREAD, ALLOW, DENY, TERMINATE_PROCESS. | Required |
| operation | Rule operation. Possible values are: MODIFY_SYSTEM_EXE, PASSTHRU, CRED, RANSOM, NETWORK_SERVER, POL_INVOKE_NOT_TRUSTED, IMPERSONATE, MICROPHONE_CAMERA, INVOKE_SYSAPP, NETWORK_CLIENT, BYPASS_REG, BUFFER_OVERFLOW, BYPASS_API, USER_DOC, CODE_INJECTION, BYPASS_NET, KEYBOARD, BYPASS_ALL, RUN, INVOKE_CMD_INTERPRETER, MODIFY_SYTEM_CONFIG, ESCALATE, BYPASS_FILE, RUN_AS_ADMIN, BYPASS_PROCESS, NETWORK, KERNEL_ACCESS, NETWORK_PEER, PACKED, INVOKE_SCRIPT, MEMORY_SCRAPE, BYPASS_SELF_PROTECT, TAMPER_API. | Required |
| required | Whether the rule is required. Possible values: "true" and "false". Possible values are: true, false. | Required |
| type | Application type. Possible values: "REPUTATION", "SIGNED_BY", and "NAME_PATH". Possible values are: REPUTATION, SIGNED_BY, NAME_PATH. | Required |
| value | Application value. | Required |
| policyId | The policy ID. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-add-rule-to-policy action=ALLOW operation=RANSOM required=true type=REPUTATION value=COMPANY_BLACK_LIST policyId=123456
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policy#
Id Description Name Latest Revision Version Priority Level System Policy 123456 This is xsoar's test policy after an update xsoar test1 2021-04-04T13:29:04.000Z 2 LOW false
cbd-update-rule-in-policy#
Updates an existing rule with a new rule. Note: System policies cannot be modified.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-update-rule-in-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| action | Rule action. Possible values: "TERMINATE", "IGNORE", "TERMINATE_THREAD", "ALLOW", "DENY", and "TERMINATE_PROCESS". Possible values are: TERMINATE, IGNORE, TERMINATE_THREAD, ALLOW, DENY, TERMINATE_PROCESS. | Required |
| operation | Rule operation. Possible values are: MODIFY_SYSTEM_EXE, PASSTHRU, CRED, RANSOM, NETWORK_SERVER, POL_INVOKE_NOT_TRUSTED, IMPERSONATE, MICROPHONE_CAMERA, INVOKE_SYSAPP, NETWORK_CLIENT, BYPASS_REG, BUFFER_OVERFLOW, BYPASS_API, USER_DOC, CODE_INJECTION, BYPASS_NET, KEYBOARD, BYPASS_ALL, RUN, INVOKE_CMD_INTERPRETER, MODIFY_SYTEM_CONFIG, ESCALATE, BYPASS_FILE, RUN_AS_ADMIN, BYPASS_PROCESS, NETWORK, KERNEL_ACCESS, NETWORK_PEER, PACKED, INVOKE_SCRIPT, MEMORY_SCRAPE, BYPASS_SELF_PROTECT, TAMPER_API. | Required |
| required | Whether the rule is required. Possible values: "true" and "false". Possible values are: true, false. | Required |
| id | Rule ID. | Required |
| type | Application type. Possible values: "REPUTATION", "SIGNED_BY", and "NAME_PATH". Possible values are: REPUTATION, SIGNED_BY, NAME_PATH. | Required |
| value | Application value. | Required |
| policyId | The policy ID. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-update-rule-in-policy action=ALLOW operation=RANSOM required=false id=23 type=REPUTATION value=COMPANY_BLACK_LIST policyId=123456
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Policy#
Id Description Name Latest Revision Version Priority Level System Policy 123456 This is xsoar's test policy after an update xsoar test1 2021-04-04T13:29:07.000Z 2 LOW false
cbd-delete-rule-from-policy#
Removes a rule from an existing policy. Note: System policies cannot be modified.
Required Permissions#
Live Response Permissions Required
Base Command#
cbd-delete-rule-from-policy
Input#
| Argument Name | Description | Required |
|---|---|---|
| policyId | The policy ID. | Required |
| ruleId | The rule ID. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-delete-rule-from-policy policyId=123456 ruleId=23
Human Readable Output#
The rule was successfully deleted from the policy#
Message Success Success true
cbd-find-events-results#
Retrieves the result for an enriched events search request for a given job ID. By default returns 10 rows.
Required Permissions#
RBAC Permissions Required - org.search.events: READ
Base Command#
cbd-find-events-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | The job ID. | Required |
| rows | The number of rows to request. Can be paginated. Default is 10. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Events.Results.job_id | Results | The results of the event. |
| CarbonBlackDefense.Events.Results.approximate_unaggregated | Number | The approximate number of unaggregated results. |
| CarbonBlackDefense.Events.Results.completed | Number | The number of completed results. |
| CarbonBlackDefense.Events.Results.contacted | Number | The number of contacted results. |
| CarbonBlackDefense.Events.Results.num_aggregated | Number | The number of aggregated results. |
| CarbonBlackDefense.Events.Results.num_available | Number | The number of events available in this search. |
| CarbonBlackDefense.Events.Results.num_found | Number | The number of events found in this search. |
| CarbonBlackDefense.Events.Results.results | Unknown | The lists that contains the data of the results for this search. |
Command Example#
!cbd-find-events-results job_id=82d1df67-0edc-43e6-8e1b-c3dd9d42a3e9
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Event Results#
Event Id Device Id Event Network Remote Port Event Network Remote Ipv4 Event Network Local Ipv4 Enriched Event Type 1234 1112 CREATE_PROCESS 5678 1314 FILE_CREATE 9101 1516 CREATE_PROCESS
cbd-find-events-details#
Initiates a request to retrieve detail fields for enriched events. the job_id that returns from this command can be used to get the results using the "cbd-find-events-details-results" command.
Required Permissions#
RBAC Permissions Required - org.search.events: CREATE
Base Command#
cbd-find-events-details
Input#
| Argument Name | Description | Required |
|---|---|---|
| event_ids | A comma-separated list of event IDs to fetch. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.EventDetails.Search.job_id | String | The job ID. |
Command Example#
``!cbd-find-events-details event_ids=["b5eeb4ec953411eb8af72dacb2908592"]````
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Event Details Search#
Job Id 3b7c0a61-2ef5-4541-b9bb-2389bd009d32
cbd-find-events-details-results#
Retrieves the status for an enriched events detail request for a given job ID.
Required Permissions#
RBAC Permissions Required - org.search.events: READ
Base Command#
cbd-find-events-details-results
Input#
| Argument Name | Description | Required |
|---|---|---|
| job_id | The job ID. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.EventDetails.Results.job_id | Results | The results of the event. |
| CarbonBlackDefense.EventDetails.Results.approximate_unaggregated | Number | The approximate number of unaggregated results. |
| CarbonBlackDefense.EventDetails.Results.completed | Number | The number of completed results. |
| CarbonBlackDefense.EventDetails.Results.contacted | Number | The number of contacted results. |
| CarbonBlackDefense.EventDetails.Results.num_aggregated | Number | The number of aggregated results. |
| CarbonBlackDefense.EventDetails.Results.num_available | Number | The number of event details available in this search. |
| CarbonBlackDefense.EventDetails.Results.num_found | Number | The number of event details found in this search. |
| CarbonBlackDefense.EventDetails.Results.results | Unknown | The lists that contains the data of the results for this search. |
Command Example#
!cbd-find-events-details-results job_id=ee9d8548-e356-45b5-97e5-307713a56e26
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Event Details Results#
Event Id Device Id Event Network Remote Port Event Network Remote Ipv4 Event Network Local Ipv4 Enriched Event Type 1234 5678 80 8.8.8.8 1.1.1.1 NETWORK
cbd-device-quarantine#
Quarantines the device. Not supported for devices in a Linux operating system.
Required Permissions#
RBAC Permissions Required - device.quarantine: EXECUTE
Base Command#
cbd-device-quarantine
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-quarantine device_id=123456
Human Readable Output#
Device quarantine successfully
cbd-device-unquarantine#
Unquarantines the device. Not supported for devices in a Linux operating system.
Required Permissions#
RBAC Permissions Required - device.quarantine: EXECUTE
Base Command#
cbd-device-unquarantine
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-unquarantine device_id=123456
Human Readable Output#
Device unquarantine successfully
cbd-device-background-scan#
Starts a background scan on the device. Not supported for devices in a Linux operating system.
Required Permissions#
RBAC Permissions Required - device.bg-scan: EXECUTE
Base Command#
cbd-device-background-scan
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-background-scan device_id=123456
Human Readable Output#
Background scan started successfully
cbd-device-background-scan-stop#
Stops a background scan on the device. Not supported for devices in a Linux operating system.
Required Permissions#
RBAC Permissions Required - device.bg-scan: EXECUTE
Base Command#
cbd-device-background-scan-stop
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-background-scan-stop device_id=123456
Human Readable Output#
Background scan stopped successfully
cbd-device-bypass#
Bypasses a device.
Required Permissions#
RBAC Permissions Required - device.bypass: EXECUTE
Base Command#
cbd-device-bypass
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-bypass device_id=123456
Human Readable Output#
Device bypass successfully
cbd-device-unbypass#
Unbypasses a device.
Required Permissions#
RBAC Permissions Required - device.bypass: EXECUTE
Base Command#
cbd-device-unbypass
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-unbypass device_id=123456
Human Readable Output#
Device unbypass successfully
cbd-device-policy-update#
Updates the devices to the specified policy ID.
Required Permissions#
RBAC Permissions Required - device.policy: UPDATE
Base Command#
cbd-device-policy-update
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
| policy_id | The ID of the policy. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-policy-update device_id=123456 policy_id=123456
Human Readable Output#
Policy updated successfully
cbd-device-update-sensor-version#
Updates the version of a sensor.
Required Permissions#
RBAC Permissions Required - device.kits: EXECUTE
Base Command#
cbd-device-update-sensor-version
Input#
| Argument Name | Description | Required |
|---|---|---|
| device_id | The ID of the device. | Required |
| sensor_version | The new version of the sensor. For example: { "MAC": "1.2.3.4" }. Supported types: XP, WINDOWS, MAC, AV_SIG, OTHER, RHEL, UBUNTU, SUSE, AMAZON_LINUX, MAC_OSX. Possible values are: {"XP":}, {"WINDOWS":}, {"MAC":}, {"AV_SIG":}, {"OTHER":}, {"RHEL":}, {"UBUNTU":}, {"SUSE":}, {"AMAZON_LINUX":}, {"MAC_OSX":}. | Required |
Context Output#
There is no context output for this command.
Command Example#
!cbd-device-update-sensor-version device_id=123456 sensor_version={\"AMAZON_LINUX\":\"1.2.3.4\"}
Human Readable Output#
Version update to {"AMAZON_LINUX":"1.2.3.4"} was successful
cbd-alerts-search#
Gets details on the events that led to an alert. This includes retrieving metadata around the alert as well as the event associated with the alert.
Required Permissions#
RBAC Permissions Required - org.alerts: READ
Base Command#
cbd-alerts-search
Input#
| Argument Name | Description | Required |
|---|---|---|
| type | The type of the alerts. Possible values: "cbAnalytics", "devicecontrol", "all". Possible values are: cbanalytics, devicecontrol, all. | Optional |
| category | The category of the alert. Possible values: "THREAT", "MONITORED". Possible values are: THREAT, MONITORED. | Optional |
| device_id | The device ID. | Optional |
| first_event_time | The time of the first event associated with the alert. The syntax is {"start": "<dateTime>", "range": "<string>", "end": "<dateTime>" }. For example: { "start": "2010-09-25T00:10:50.277Z", "end": "2015-01-20T10:40:00.00Z"}. | Optional |
| policy_id | The policy ID. | Optional |
| process_sha256 | The SHA-256 hash of the primary involved process. | Optional |
| reputation | The reputation of the primary involved process. Possible values: "KNOWN_MALWARE", "NOT_LISTED", etc. | Optional |
| tag | The tags associated with the alert. | Optional |
| device_username | The username of the user logged on during the alert. If the user is not available then this may be populated with the device owner. | Optional |
| query | The query in Lucene syntax and/or value searches. | Optional |
| rows | The number of results to be returned. | Optional |
| start | The number of the alert from where to start retrieving results. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| CarbonBlackDefense.Alert.id | String | The identifier for the alert. |
| CarbonBlackDefense.Alert.legacy_alert_id | String | The unique short ID for the alerts to support easier consumption in the UI console. Use the ID for API requests. |
| CarbonBlackDefense.Alert.org_key | String | The unique identifier for the organization associated with the alert. |
| CarbonBlackDefense.Alert.create_time | Date | The time the alert was created. |
| CarbonBlackDefense.Alert.last_update_time | Date | The last time the alert was updated. |
| CarbonBlackDefense.Alert.first_event_time | Date | The time of the first event associated with the alert. |
| CarbonBlackDefense.Alert.last_event_time | Date | The time of the latest event associated with the alert. |
| CarbonBlackDefense.Alert.threat_id | String | The identifier of a threat that this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices. |
| CarbonBlackDefense.Alert.severity | Number | The threat ranking of the alert. |
| CarbonBlackDefense.Alert.category | String | The category of the alert. (THREAT, MONITORED). |
| CarbonBlackDefense.Alert.device_id | Number | The identifier assigned by Carbon Black Cloud to the device associated with the alert. |
| CarbonBlackDefense.Alert.device_os | String | The operating system of the device associated with the alert. |
| CarbonBlackDefense.Alert.device_os_version | String | The operating system and version on the device. |
| CarbonBlackDefense.Alert.device_name | String | The hostname of the device associated with the alert. |
| CarbonBlackDefense.Alert.device_username | String | The username of the user logged on during the alert. If the user is not available then this may be populated with the device owner. |
| CarbonBlackDefense.Alert.policy_id | Number | The identifier for the policy associated with the device at the time of the alert. |
| CarbonBlackDefense.Alert.policy_name | String | The name of the policy associated with the device at the time of the alert. |
| CarbonBlackDefense.Alert.target_value | String | The priority of the device assigned by the policy. |
| CarbonBlackDefense.Alert.workflow.state | String | The state of the tracking system for alerts as they are triaged and resolved. Supported states are OPEN or DISMISSED. |
| CarbonBlackDefense.Alert.workflow.remediation | String | The state of the workflow of the tracking system for alerts as they are triaged and resolved. Supported states are OPEN or DISMISSED. |
| CarbonBlackDefense.Alert.workflow.last_update_time | Date | The last time the alert was updated. |
| CarbonBlackDefense.Alert.workflow.comment | String | The comment about the workflow of the tracking system for alerts as they are triaged and resolved. |
| CarbonBlackDefense.Alert.workflow.changed_by | String | The name of the user who changed the alert. |
| CarbonBlackDefense.Alert.notes_present | Boolean | Indicates if notes are associated with the threat ID. |
| CarbonBlackDefense.Alert.tags | Unknown | Tags associated with the alert ([ "tag1", "tag2" ]). |
| CarbonBlackDefense.Alert.reason | String | The description of the alert. |
| CarbonBlackDefense.Alert.count | Number | The count of the alert. |
| CarbonBlackDefense.Alert.report_id | String | The identifier of the report that contains the IOC. |
| CarbonBlackDefense.Alert.report_name | String | The name of the report that contains the IOC. |
| CarbonBlackDefense.Alert.ioc_id | String | The identifier of the IOC that cause the hit. |
| CarbonBlackDefense.Alert.ioc_field | String | The indicator of comprise (IOC) field that the hit contains. |
| CarbonBlackDefense.Alert.ioc_hit | String | IOC field value or IOC that matches the query. |
| CarbonBlackDefense.Alert.watchlists.id | String | The ID of the watchlists associated with an alert. |
| CarbonBlackDefense.Alert.watchlists.name | String | The name of the watchlists associated with an alert. |
| CarbonBlackDefense.Alert.process_guid | String | The global unique identifier of the process that triggered the hit. |
| CarbonBlackDefense.Alert.process_name | String | The name of the process that triggered the hit. |
| CarbonBlackDefense.Alert.run_state | String | Run state for watchlist alerts. This value is always "RAN". |
| CarbonBlackDefense.Alert.threat_indicators.process_name | String | The name of the threat indicators that make up the threat. |
| CarbonBlackDefense.Alert.threat_indicators.sha256 | String | The SHA-256 hash of the threat indicators that make up the threat. |
| CarbonBlackDefense.Alert.threat_indicators.ttps | String | The tactics, techniques, and procedures (TTPs) of the threat indicators that make up the threat. |
| CarbonBlackDefense.Alert.threat_cause_actor_sha256 | String | The SHA-256 hash of the threat cause actor. |
| CarbonBlackDefense.Alert.threat_cause_actor_md5 | String | The SHA-256 hash of the threat cause actor. |
| CarbonBlackDefense.Alert.threat_cause_actor_name | String | Process name or IP address of the threat actor. |
| CarbonBlackDefense.Alert.threat_cause_reputation | String | The reputation of the threat cause. (KNOWN_MALWARE, SUSPECT_MALWARE, PUP, NOT_LISTED, ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, TRUSTED_WHITE_LIST, COMPANY_BLACK_LIST). |
| CarbonBlackDefense.Alert.threat_cause_threat_category | String | The category of the threat cause. (UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM). |
| CarbonBlackDefense.Alert.threat_cause_vector | String | The source of the threat cause. (EMAIL, WEB, GENERIC_SERVER, GENERIC_CLIENT, REMOTE_DRIVE, REMOVABLE_MEDIA, UNKNOWN, APP_STORE, THIRD_PARTY). |
| CarbonBlackDefense.Alert.document_guid | String | The document GUID. |
| CarbonBlackDefense.Alert.type | String | The type of alert. (CB_ANALYTICS, DEVICE_CONTROL). |
| CarbonBlackDefense.Alert.reason_code | String | The shorthand enum for the full-text reason. |
| CarbonBlackDefense.Alert.device_location | String | Whether the device was on-premise or off-premise when the alert started. (ONSITE, OFFSITE, UNKNOWN). |
| CarbonBlackDefense.Alert.created_by_event_id | String | Event identifier that initiated the alert. |
| CarbonBlackDefense.Alert.threat_activity_dlp | String | Whether the alert involved data loss prevention (DLP). (NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED). |
| CarbonBlackDefense.Alert.threat_activity_phish | String | Whether the alert involved phishing. (NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED). |
| CarbonBlackDefense.Alert.threat_activity_c2 | String | Whether the alert involved a command and control (c2) server. (NOT_ATTEMPTED, ATTEMPTED, SUCCEEDED). |
| CarbonBlackDefense.Alert.threat_cause_actor_process_pid | String | The process identifier (PID) of the actor process. |
| CarbonBlackDefense.Alert.threat_cause_process_guid | String | The GUID of the process. |
| CarbonBlackDefense.Alert.threat_cause_parent_guid | String | The parent GUID of the process. |
| CarbonBlackDefense.Alert.threat_cause_cause_event_id | String | The threat cause cause event ID. |
| CarbonBlackDefense.Alert.blocked_threat_category | String | The category of threat which we were able to take action on. (UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM). |
| CarbonBlackDefense.Alert.not_blocked_threat_category | String | Other potentially malicious activity involved in the threat on which we weren’t able to take action (either due to policy config, or not having a relevant rule). (UNKNOWN, NON_MALWARE, NEW_MALWARE, KNOWN_MALWARE, RISKY_PROGRAM). |
| CarbonBlackDefense.Alert.kill_chain_status | String | The stage within the Cyber Kill Chain sequence most closely associated with the attributes of the alert. (RECONNAISSANCE, WEAPONIZE, DELIVER_EXPLOIT, INSTALL_RUN, COMMAND_AND_CONTROL, EXECUTE_GOAL, BREACH). For example [ "EXECUTE_GOAL", "BREACH" ]. |
| CarbonBlackDefense.Alert.sensor_action | String | The action taken by the sensor, according to the rule of the policy. (POLICY_NOT_APPLIED, ALLOW, ALLOW_AND_LOG, TERMINATE, DENY). |
| CarbonBlackDefense.Alert.policy_applied | String | Whether a policy was applied. (APPLIED, NOT_APPLIED). |
Command Example#
!cbd-alerts-search
Context Example#
Human Readable Output#
Carbon Black Endpoint Standard Alerts List Results#
Id Category Device Id Device Name Device Username Create Time Ioc Hit Policy Name Process Name Type Severity 1234 THREAT 1234 QA\win2k16-vg6-11 jon@example.com 2021-04-04T13:28:21.393Z default setup.exe CB_ANALYTICS 2 5678 THREAT 5678 cb-komand-w12 jon@example.com 2021-04-04T13:28:06.812Z ((netconn_port:5355 device_os:WINDOWS)) -enriched:true default svchost.exe WATCHLIST 1 9101 THREAT 9101 BITGLASS-INC\Win10 office@net.com 2021-04-04T13:28:05.399Z ((netconn_port:5355 device_os:WINDOWS)) -enriched:true default svchost.exe WATCHLIST 1