Skip to main content

Carbon Black Endpoint Standard v3

This Integration is part of the Carbon Black Endpoint Standard Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Endpoint Standard is an industry-leading next-generation antivirus (NGAV) and behavioral endpoint detection and response (EDR) solution. Endpoint Standard is delivered through the Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and data set. This integration was integrated and tested with version 1.1.2 of Carbon Black Endpoint Standard v3.

Migration to Carbon Black Endpoint Standard v3#

Deprecated Commands in Carbon Black Endpoint Standard v2#

The following commands from the Carbon Black Endpoint Standard v2 integration have been deprecated and replaced with v3 commands:

Deprecated CommandNew v3 CommandComments
cbd-find-eventscbd-find-observationIncludes cbd-find-events-results.
cbd-find-events-resultscbd-find-observation-resultsManually check results without polling.
cbd-find-events-detailscbd-find-observation-detailsIncludes cbd-find-events-details-results.
cbd-find-events-details-resultscbd-find-observation-details-resultsManually check details results without polling.
cbd-find-processes-resultscbd-find-processes
cbd-find-processes-results
Retrieve results via polling or manually with cbd-find-processes-results.
cbd-get-policiescbd-get-policies-summary

Important Changes in Carbon Black Endpoint Standard v3#

  • Organization Key: Updated to be a required field.
  • cbd-find-processes: Enhanced to include process results when polling=true.
  • cbd-find-observation-results: Added to manually retrieve observation results without polling.
  • cbd-find-observation-details-results: Added to manually retrieve observation details results without polling.
  • cbd-alerts-search: Updated context output; deprecated category arg and updated tag arg to tags.
  • policy commands: Context output updated ; policy arg format changed.
  • rules commands: Updated context output and operation arg options.

Deprecated Playbooks#

  • Carbon Black Endpoint Standard Find Event Details: Use cbd-find-observation-details command instead.
  • Carbon Black Endpoint Standard Find Events: Use cbd-find-observation command instead.
  • Carbon Black Endpoint Standard Find Processes: Use cbd-find-processes command instead.

Mapper#

Carbon Black Endpoint Standard Mapper.

Layout#

Carbon Black Endpoint Standard Incoming Layout.

Classifier#

Carbon Black Endpoint Standard

Configure Carbon Black Endpoint Standard v3 in Cortex#

ParameterDescriptionRequired
URLTrue
Organization KeyThe organization unique key. This is required for all use cases (and for fetching incidents).True
Custom Api KeyThis Custom API key is required for all use cases and for fetch except the policy use cases.False
PasswordThis Custom API key is required for all use cases and for fetch except the policy use cases.False
Api Key (Api/Live Response key)This Live Response API key is required only for the policy use cases.False
PasswordThis Live Response API key is required only for the policy use cases.False
Incident typeFalse
Fetch incidentsFalse
Trust any certificate (not secure)False
Use system proxy settingsFalse
The type of the alertType of alert to be fetched.False
Device IDThe alerts related to a specific device, according to the device ID.False
Policy IDThe alerts related to a specific policy, according to the policy ID.False
Device usernameThe alerts related to a specific device, according to the device username.False
Minimum severityThe minimum severity of the alerts to be fetched.False
QueryQuery in Lucene syntax and/or value searches. If defined, the other fetch incidents parameters should be left blank.False
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days).False
Maximum number of incidents per fetchFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cbd-get-alert-details#


Gets alert details according to alert ID, including alert metadata and a list of all events associated with the alert. Only API keys of type “API” can call the alert API.

Base Command#

cbd-get-alert-details

Input#

Argument NameDescriptionRequired
alertIdThe ID of the alert.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Alert.org_keyStringThe organization key associated with the alert.
CarbonBlackDefense.Alert.alert_urlStringThe URL to view the alert in the Carbon Black Defense console.
CarbonBlackDefense.Alert.idStringThe unique alert ID.
CarbonBlackDefense.Alert.typeStringThe type of the alert.
CarbonBlackDefense.Alert.backend_timestampDateThe timestamp when the alert was generated in the backend.
CarbonBlackDefense.Alert.user_update_timestampDateThe timestamp when the alert was last updated by a user.
CarbonBlackDefense.Alert.backend_update_timestampDateThe timestamp when the alert was last updated in the backend.
CarbonBlackDefense.Alert.detection_timestampDateThe timestamp when the alert was detected.
CarbonBlackDefense.Alert.first_event_timestampDateThe timestamp of the first event related to the alert.
CarbonBlackDefense.Alert.last_event_timestampDateThe timestamp of the last event related to the alert.
CarbonBlackDefense.Alert.severityNumberThe severity level of the alert.
CarbonBlackDefense.Alert.reasonStringThe reason for the alert.
CarbonBlackDefense.Alert.reason_codeStringThe reason code for the alert.
CarbonBlackDefense.Alert.threat_idStringThe threat ID related to the alert.
CarbonBlackDefense.Alert.primary_event_idStringThe primary event ID related to the alert.
CarbonBlackDefense.Alert.policy_appliedStringThe policy applied to the device when the alert was generated.
CarbonBlackDefense.Alert.run_stateStringThe run state of the alert.
CarbonBlackDefense.Alert.sensor_actionStringThe action taken by the sensor for the alert.
CarbonBlackDefense.Alert.workflow.change_timestampDateThe timestamp when the workflow status was last changed.
CarbonBlackDefense.Alert.workflow.changed_by_typeStringThe type of user who last changed the workflow status.
CarbonBlackDefense.Alert.workflow.changed_byStringThe user who last changed the workflow status.
CarbonBlackDefense.Alert.workflow.closure_reasonStringThe reason for closing the alert.
CarbonBlackDefense.Alert.workflow.statusStringThe current workflow status of the alert.
CarbonBlackDefense.Alert.determination.change_timestampDateThe timestamp when the determination was last changed.
CarbonBlackDefense.Alert.determination.valueStringThe value of the determination.
CarbonBlackDefense.Alert.determination.changed_by_typeStringThe type of user who last changed the determination.
CarbonBlackDefense.Alert.determination.changed_byStringThe user who last changed the determination.
CarbonBlackDefense.Alert.tagsUnknownThe tags associated with the alert.
CarbonBlackDefense.Alert.alert_notes_presentBooleanIndicates whether alert notes are present.
CarbonBlackDefense.Alert.threat_notes_presentBooleanIndicates whether threat notes are present.
CarbonBlackDefense.Alert.alert_originStringThe origin of the alert.
CarbonBlackDefense.Alert.is_updatedBooleanIndicates whether the alert has been updated.
CarbonBlackDefense.Alert.device_idNumberThe identifier of the device related to the alert.
CarbonBlackDefense.Alert.device_nameStringThe name of the device related to the alert.
CarbonBlackDefense.Alert.device_uem_idStringThe Unified Endpoint Management (UEM) ID of the device.
CarbonBlackDefense.Alert.device_target_valueStringThe target value of the device.
CarbonBlackDefense.Alert.device_policyStringThe policy applied to the device.
CarbonBlackDefense.Alert.device_policy_idNumberThe policy ID applied to the device.
CarbonBlackDefense.Alert.device_osStringThe operating system of the device.
CarbonBlackDefense.Alert.device_os_versionStringThe operating system version of the device.
CarbonBlackDefense.Alert.device_usernameStringThe username associated with the device.
CarbonBlackDefense.Alert.device_locationStringThe location of the device.
CarbonBlackDefense.Alert.device_external_ipStringThe external IP address of the device.
CarbonBlackDefense.Alert.device_internal_ipStringThe internal IP address of the device.
CarbonBlackDefense.Alert.asset_groupUnknownThe asset group to which the device belongs.
CarbonBlackDefense.Alert.mdr_alertBooleanIndicates whether the alert is a Managed Detection and Response (MDR) alert.
CarbonBlackDefense.Alert.mdr_alert_notes_presentBooleanIndicates whether MDR alert notes are present.
CarbonBlackDefense.Alert.mdr_threat_notes_presentBooleanIndicates whether MDR threat notes are present.
CarbonBlackDefense.Alert.report_idStringThe report ID associated with the alert.
CarbonBlackDefense.Alert.report_nameStringThe name of the report associated with the alert.
CarbonBlackDefense.Alert.report_descriptionStringThe description of the report associated with the alert.
CarbonBlackDefense.Alert.report_tagsStringThe tags associated with the report.
CarbonBlackDefense.Alert.report_linkStringThe link to the report associated with the alert.
CarbonBlackDefense.Alert.ioc_idStringThe indicator of compromise (IOC) ID related to the alert.
CarbonBlackDefense.Alert.ioc_hitStringThe IOC hit associated with the alert.
CarbonBlackDefense.Alert.watchlists.idStringThe watchlist ID associated with the alert.
CarbonBlackDefense.Alert.watchlists.nameStringThe name of the watchlist associated with the alert.
CarbonBlackDefense.Alert.process_guidStringThe GUID of the process related to the alert.
CarbonBlackDefense.Alert.process_pidNumberThe PID of the process related to the alert.
CarbonBlackDefense.Alert.process_nameStringThe name of the process related to the alert.
CarbonBlackDefense.Alert.process_sha256StringThe SHA-256 hash of the process related to the alert.
CarbonBlackDefense.Alert.process_md5StringThe MD5 hash of the process related to the alert.
CarbonBlackDefense.Alert.process_effective_reputationStringThe effective reputation of the process related to the alert.
CarbonBlackDefense.Alert.process_reputationStringThe reputation of the process related to the alert.
CarbonBlackDefense.Alert.process_cmdlineStringThe command line of the process related to the alert.
CarbonBlackDefense.Alert.process_usernameStringThe username associated with the process related to the alert.
CarbonBlackDefense.Alert.process_issuerStringThe issuer of the process related to the alert.
CarbonBlackDefense.Alert.process_publisherStringThe publisher of the process related to the alert.
CarbonBlackDefense.Alert.parent_guidStringThe GUID of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_pidNumberThe PID of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_nameStringThe name of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_sha256StringThe SHA-256 hash of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_md5StringThe MD5 hash of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_effective_reputationStringThe effective reputation of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_reputationStringThe reputation of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_cmdlineStringThe command line of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_usernameStringThe username associated with the parent process related to the alert.
CarbonBlackDefense.Alert.childproc_guidStringThe GUID of the child process related to the alert.
CarbonBlackDefense.Alert.childproc_usernameStringThe username associated with the child process related to the alert.
CarbonBlackDefense.Alert.childproc_cmdlineStringThe command line of the child process related to the alert.
CarbonBlackDefense.Alert.ml_classification_final_verdictStringThe final verdict from the machine learning classification.
CarbonBlackDefense.Alert.ml_classification_global_prevalenceStringThe global prevalence from the machine learning classification.
CarbonBlackDefense.Alert.ml_classification_org_prevalenceStringThe organizational prevalence from the machine learning classification.
CarbonBlackDefense.Alert.ml_classification_anomaliesUnknownThe anomalies identified by the machine learning classification.

Command example#

!cbd-get-alert-details alertId=abc-123

Context Example#

{
"CarbonBlackDefense": {
"Alert": {
"alert_notes_present": true,
"alert_origin": "ALERT_ORIGIN_UNKNOWN",
"alert_url": "dummy_alert_url",
"asset_group": [],
"backend_timestamp": "2024-03-26T14:05:42.311Z",
"backend_update_timestamp": "2024-03-26T14:05:42.311Z",
"childproc_cmdline": "",
"childproc_guid": "",
"childproc_username": "",
"detection_timestamp": "2024-03-26T14:04:49.358Z",
"determination": {
"change_timestamp": "2024-04-07T15:08:37.805Z",
"changed_by": "BG6UTMG1LK",
"changed_by_type": "API",
"value": "NONE"
},
"device_external_ip": "1.1.1.1",
"device_id": "dummy_device_id",
"device_internal_ip": "1.1.1.1",
"device_location": "UNKNOWN",
"device_name": "EIP\\WW-20002",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "default",
"device_policy_id": "dummy_device_policy_id",
"device_target_value": "MEDIUM",
"device_uem_id": "",
"device_username": "EIP\\Administrator",
"first_event_timestamp": "2024-03-26T14:00:05.730Z",
"id": "dummy_id",
"ioc_hit": "(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\\\\ccm\\\\systemtemp OR crossproc_name:windows\\\\ccm\\\\ccmexec.exe OR (process_publisher:\"VMware, Inc.\" AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))",
"ioc_id": "dummy_ioc_id",
"is_updated": false,
"last_event_timestamp": "2024-03-26T14:00:05.730Z",
"mdr_alert": false,
"mdr_alert_notes_present": false,
"mdr_threat_notes_present": false,
"ml_classification_anomalies": [],
"ml_classification_final_verdict": "NOT_ANOMALOUS",
"ml_classification_global_prevalence": "LOW",
"ml_classification_org_prevalence": "LOW",
"org_key": "dummy_org_key",
"parent_cmdline": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_guid": "dummy_parent_guid",
"parent_md5": "dummy_parent_md5",
"parent_name": "c:\\windows\\system32\\svchost.exe",
"parent_pid": "dummy_parent_pid",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_sha256": "dummy_parent_sha256",
"parent_username": "NT AUTHORITY\\SYSTEM",
"policy_applied": "NOT_APPLIED",
"primary_event_id": "dummy_primary_event_id",
"process_cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -EP Bypass \\\\eip.demo\\sysvol\\EIP.DEMO\\scripts\\Luminol.ps1",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_guid": "dummy_process_guid",
"process_issuer": [
"Microsoft Windows Production PCA 2011"
],
"process_md5": "dummy_parent_md5",
"process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"process_pid": "dummy_process_pid",
"process_publisher": [
"Microsoft Windows"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_sha256": "dummy_process_sha256",
"process_username": "NT AUTHORITY\\SYSTEM",
"reason": "Process powershell.exe was detected by the report \"Execution - AMSI - New Fileless Scheduled Task Behavior Detected\" in watchlist \"AMSI Threat Intelligence\"",
"reason_code": "dummy_reason_code",
"report_description": "Newer Powershell versions introduced built-in cmdlets to manage scheduled tasks natively without calling out to typical scheduled task processes like at.exe or schtasks.exe. This detection looks for behaviors related to the fileless execution of scheduled tasks. If you are responding to this alert, be sure to correlate the fileless scriptload events with events typically found in your environment Generally, attackers will create scheduled tasks with binaries that are located in user writable directories like AppData, Temp, or public folders.",
"report_id": "dummy_report_id",
"report_link": "https://attack.mitre.org/techniques/T1053/",
"report_name": "Execution - AMSI - New Fileless Scheduled Task Behavior Detected",
"report_tags": [
"execution",
"privesc",
"persistence",
"t1053",
"windows",
"amsi",
"attack",
"attackframework"
],
"run_state": "RAN",
"sensor_action": "ALLOW",
"severity": 5,
"tags": null,
"threat_id": "dummy_threat_id",
"threat_notes_present": false,
"type": "WATCHLIST",
"user_update_timestamp": "2024-04-07T15:31:33.704Z",
"watchlists": [
{
"id": "dummy_id",
"name": "AMSI Threat Intelligence"
}
],
"workflow": {
"change_timestamp": "2024-04-07T15:31:33.704Z",
"changed_by": "3LGD624UYW",
"changed_by_type": "API",
"closure_reason": "OTHER",
"status": "OPEN"
}
}
}
}

Human Readable Output#

Carbon Black Defense Get Alert Details#

IdDevice IdDevice NameDevice UsernameIoc HitReasonTypeThreat IdDevice PolicySeverity
dummy_id6612391EIP\WW-20002EIP\Administrator(fileless_scriptload_cmdline:Register-ScheduledTask OR fileless_scriptload_cmdline:New-ScheduledTask OR scriptload_content:Register-ScheduledTask OR scriptload_content:New-ScheduledTask) AND NOT (process_cmdline:windows\ccm\systemtemp OR crossproc_name:windows\ccm\ccmexec.exe OR (process_publisher:"VMware, Inc." AND process_publisher_state:FILE_SIGNATURE_STATE_TRUSTED))Process powershell.exe was detected by the report "Execution - AMSI - New Fileless Scheduled Task Behavior Detected" in watchlist "AMSI Threat Intelligence"WATCHLISTC21CA826573A8D974C1E93C8471AAB7Fdefault5

cbd-alerts-search#


Gets alert details, including alert metadata and the event associated with the alert.

Base Command#

cbd-alerts-search

Input#

Argument NameDescriptionRequired
typeThe alert type. Possible values are: cbanalytics, containerruntime, devicecontrol, hostnasedfirewall, intrusiondetectionsystem, watchlist, all. Default is all.Optional
device_idThe device ID.Optional
first_event_timeThe time of the first event associated with the alert. The syntax is {"start": "<dateTime>", "range": "<string>", "end": "<dateTime>" }. For example: { "start": "2010-09-25T00:10:50.277Z", "end": "2015-01-20T10:40:00.00Z"}.Optional
policy_idThe policy ID.Optional
process_sha256The SHA-256 hash of the primary involved process.Optional
reputationThe reputation of the primary involved process. Possible values are: ADAPTIVE_WHITE_LIST, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, PUP, TRUSTED_WHITE_LIST, RESOLVING, COMPROMISED_OBSOLETE, DLP_OBSOLETE, IGNORE, ADWARE, HEURISTIC, SUSPECT_MALWARE, KNOWN_MALWARE, ADMIN_RESTRICT_OBSOLETE, NOT_LISTED, GRAY_OBSOLETE, NOT_COMPANY_WHITE_OBSOLETE, LOCAL_WHITE, NOT_SUPPORTED.Optional
tagsThe tags associated with the alert.Optional
device_usernameThe username of the user logged on during the alert. If the user is not available, the device owner is used.Optional
queryThe query in Lucene syntax and/or value searches.Optional
rowsThe number of results to be returned.Optional
startThe number of the alert from where to start retrieving results.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.Alert.org_keyStringThe organization key associated with the alert.
CarbonBlackDefense.Alert.alert_urlStringThe URL to view the alert in the Carbon Black Defense console.
CarbonBlackDefense.Alert.idStringThe unique alert ID.
CarbonBlackDefense.Alert.typeStringThe type of the alert.
CarbonBlackDefense.Alert.backend_timestampDateThe timestamp when the alert was generated in the backend.
CarbonBlackDefense.Alert.user_update_timestampUnknownThe timestamp when the alert was last updated by a user.
CarbonBlackDefense.Alert.backend_update_timestampDateThe timestamp when the alert was last updated in the backend.
CarbonBlackDefense.Alert.detection_timestampDateThe timestamp when the alert was detected.
CarbonBlackDefense.Alert.first_event_timestampDateThe timestamp of the first event related to the alert.
CarbonBlackDefense.Alert.last_event_timestampDateThe timestamp of the last event related to the alert.
CarbonBlackDefense.Alert.severityNumberThe severity level of the alert.
CarbonBlackDefense.Alert.reasonStringThe reason for the alert.
CarbonBlackDefense.Alert.reason_codeStringThe reason code for the alert.
CarbonBlackDefense.Alert.threat_idStringThe unique alert ID
CarbonBlackDefense.Alert.primary_event_idStringThe primary event ID related to the alert.
CarbonBlackDefense.Alert.policy_appliedStringThe policy applied to the device when the alert was generated.
CarbonBlackDefense.Alert.run_stateStringThe run state of the alert.
CarbonBlackDefense.Alert.sensor_actionStringThe action taken by the sensor for the alert.
CarbonBlackDefense.Alert.workflow.change_timestampDateThe timestamp when the workflow status was last changed.
CarbonBlackDefense.Alert.workflow.changed_by_typeStringThe type of user who last changed the workflow status.
CarbonBlackDefense.Alert.workflow.changed_byStringThe user who last changed the workflow status.
CarbonBlackDefense.Alert.workflow.closure_reasonStringThe reason for closing the alert.
CarbonBlackDefense.Alert.workflow.statusStringThe current workflow status of the alert.
CarbonBlackDefense.Alert.determination.change_timestampDateThe timestamp when the determination was last changed.
CarbonBlackDefense.Alert.determination.valueStringThe value of the determination.
CarbonBlackDefense.Alert.determination.changed_by_typeStringThe type of user who last changed the determination.
CarbonBlackDefense.Alert.determination.changed_byStringThe user who last changed the determination.
CarbonBlackDefense.Alert.tagsUnknownThe tags associated with the alert.
CarbonBlackDefense.Alert.alert_notes_presentBooleanIndicates whether alert notes are present.
CarbonBlackDefense.Alert.threat_notes_presentBooleanIndicates whether threat notes are present.
CarbonBlackDefense.Alert.alert_originStringThe origin of the alert.
CarbonBlackDefense.Alert.is_updatedBooleanIndicates whether the alert has been updated.
CarbonBlackDefense.Alert.device_idNumberThe device ID related to the alert.
CarbonBlackDefense.Alert.device_nameStringThe name of the device related to the alert.
CarbonBlackDefense.Alert.device_uem_idStringThe Unified Endpoint Management (UEM) ID of the device.
CarbonBlackDefense.Alert.device_target_valueStringThe target value of the device.
CarbonBlackDefense.Alert.device_policyStringThe policy applied to the device.
CarbonBlackDefense.Alert.device_policy_idNumberThe policy ID applied to the device.
CarbonBlackDefense.Alert.device_osStringThe operating system of the device.
CarbonBlackDefense.Alert.device_os_versionStringThe operating system version of the device.
CarbonBlackDefense.Alert.device_usernameStringThe username associated with the device.
CarbonBlackDefense.Alert.device_locationStringThe location of the device.
CarbonBlackDefense.Alert.device_external_ipStringThe external IP address of the device.
CarbonBlackDefense.Alert.device_internal_ipStringThe internal IP address of the device.
CarbonBlackDefense.Alert.asset_groupUnknownThe asset group to which the device belongs.
CarbonBlackDefense.Alert.mdr_alertBooleanIndicates whether the alert is an MDR (Managed Detection and Response) alert.
CarbonBlackDefense.Alert.mdr_alert_notes_presentBooleanIndicates whether MDR alert notes are present.
CarbonBlackDefense.Alert.mdr_threat_notes_presentBooleanIndicates whether MDR threat notes are present.
CarbonBlackDefense.Alert.report_idStringThe report ID associated with the alert.
CarbonBlackDefense.Alert.report_nameStringThe name of the report associated with the alert.
CarbonBlackDefense.Alert.report_tagsUnknownThe tags associated with the report.
CarbonBlackDefense.Alert.ioc_idStringThe indicator of compromise (IOC) ID related to the alert.
CarbonBlackDefense.Alert.ioc_hitStringThe IOC hit associated with the alert.
CarbonBlackDefense.Alert.watchlists.idStringThe watchlist ID associated with the alert.
CarbonBlackDefense.Alert.watchlists.nameStringThe name of the watchlist associated with the alert.
CarbonBlackDefense.Alert.process_guidStringThe GUID of the process related to the alert.
CarbonBlackDefense.Alert.process_pidNumberThe PID of the process related to the alert.
CarbonBlackDefense.Alert.process_nameStringThe name of the process related to the alert.
CarbonBlackDefense.Alert.process_sha256StringThe SHA-256 hash of the process related to the alert.
CarbonBlackDefense.Alert.process_md5StringThe MD5 hash of the process related to the alert.
CarbonBlackDefense.Alert.process_effective_reputationStringThe effective reputation of the process related to the alert.
CarbonBlackDefense.Alert.process_reputationStringThe reputation of the process related to the alert.
CarbonBlackDefense.Alert.process_cmdlineStringThe command line of the process related to the alert.
CarbonBlackDefense.Alert.process_usernameStringThe username associated with the process related to the alert.
CarbonBlackDefense.Alert.process_issuerStringThe issuer of the process related to the alert.
CarbonBlackDefense.Alert.process_publisherStringThe publisher of the process related to the alert.
CarbonBlackDefense.Alert.parent_guidStringThe GUID of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_pidNumberThe PID of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_nameStringThe name of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_sha256StringThe SHA-256 hash of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_md5StringThe MD5 hash of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_effective_reputationStringThe effective reputation of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_reputationStringThe reputation of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_cmdlineStringThe command line of the parent process related to the alert.
CarbonBlackDefense.Alert.parent_usernameStringThe username associated with the parent process related to the alert.
CarbonBlackDefense.Alert.childproc_guidStringThe GUID of the child process related to the alert.
CarbonBlackDefense.Alert.childproc_usernameStringThe username associated with the child process related to the alert.
CarbonBlackDefense.Alert.childproc_cmdlineStringThe command line of the child process related to the alert.

Command example#

!cbd-alerts-search reputation=NOT_LISTED rows=3 type=all

Context Example#

{
"CarbonBlackDefense": {
"Alert": [
{
"alert_notes_present": false,
"alert_origin": "ALERT_ORIGIN_UNKNOWN",
"alert_url": "dummy_alert_url",
"asset_group": [],
"backend_timestamp": "2024-07-09T12:22:14.999Z",
"backend_update_timestamp": "2024-07-09T12:22:14.999Z",
"childproc_cmdline": "",
"childproc_guid": "",
"childproc_username": "",
"detection_timestamp": "2024-07-09T12:21:10.168Z",
"determination": {
"change_timestamp": "2024-07-09T12:22:14.999Z",
"changed_by": "ALERT_CREATION",
"changed_by_type": "SYSTEM",
"value": "NONE"
},
"device_external_ip": "1.1.1.1",
"device_id": "dummy_device_id",
"device_internal_ip": "1.1.1.1",
"device_location": "UNKNOWN",
"device_name": "win1122H2new",
"device_os": "WINDOWS",
"device_os_version": "Windows 11 x64",
"device_policy": "⚠️ Wide Open",
"device_policy_id": "dummy_device_policy_id",
"device_target_value": "LOW",
"device_uem_id": "",
"device_username": "Administrator",
"first_event_timestamp": "2024-07-09T12:19:01.963Z",
"id": "dummy_id",
"ioc_field": "netconn_ipv4",
"ioc_hit": "1.1.1.1",
"ioc_id": "dummy_ioc_id",
"is_updated": false,
"last_event_timestamp": "2024-07-09T12:19:01.963Z",
"mdr_alert": false,
"mdr_alert_notes_present": false,
"mdr_threat_notes_present": false,
"org_key": "dummy_org_key",
"parent_cmdline": "C:\\Windows\\system32\\services.exe",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_guid": "dummy_parent_guid",
"parent_md5": "dummy_parent_md5",
"parent_name": "c:\\windows\\system32\\services.exe",
"parent_pid": "dummy_parent_pid",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_sha256": "dummy_parent_sha256",
"parent_username": "NT AUTHORITY\\SYSTEM",
"policy_applied": "NOT_APPLIED",
"primary_event_id": "dummy_primary_event_id",
"process_cmdline": "\"C:\\Program Files (x86)\\Netskope\\STAgent\\stAgentSvc.exe\"",
"process_effective_reputation": "LOCAL_WHITE",
"process_guid": "dummy_process_guid",
"process_issuer": [
""
],
"process_md5": "dummy_parent_md5",
"process_name": "c:\\program files (x86)\\netskope\\stagent\\stagentsvc.exe",
"process_pid": "dummy_process_pid",
"process_publisher": [
""
],
"process_reputation": "NOT_LISTED",
"process_sha256": "dummy_process_sha256",
"process_username": "NT AUTHORITY\\SYSTEM",
"reason": "Process stagentsvc.exe was detected by the report \"crest test-netconn_ipv4-1\" in watchlist \"Crest test\"",
"reason_code": "dummy_reason_code",
"report_description": "Service Now Threat Intel",
"report_id": "dummy_report_id",
"report_link": "https://dev188630.service-now.com/",
"report_name": "crest test-netconn_ipv4-1",
"report_tags": [],
"run_state": "RAN",
"sensor_action": "ALLOW",
"severity": 5,
"tags": null,
"threat_id": "dummy_threat_id",
"threat_notes_present": false,
"type": "WATCHLIST",
"user_update_timestamp": null,
"watchlists": [
{
"id": "dummy_id",
"name": "Crest test"
}
],
"workflow": {
"change_timestamp": "2024-07-09T12:22:14.999Z",
"changed_by": "ALERT_CREATION",
"changed_by_type": "SYSTEM",
"closure_reason": "NO_REASON",
"status": "OPEN"
}
},
{
"alert_notes_present": false,
"alert_origin": "ALERT_ORIGIN_UNKNOWN",
"alert_url": "dummy_alert_url",
"asset_group": [],
"backend_timestamp": "2024-07-09T11:55:04.223Z",
"backend_update_timestamp": "2024-07-09T11:55:04.223Z",
"childproc_cmdline": "",
"childproc_guid": "",
"childproc_username": "",
"detection_timestamp": "2024-07-09T11:53:53.751Z",
"determination": {
"change_timestamp": "2024-07-09T11:55:04.223Z",
"changed_by": "ALERT_CREATION",
"changed_by_type": "SYSTEM",
"value": "NONE"
},
"device_external_ip": "1.1.1.1",
"device_id": "dummy_device_id",
"device_internal_ip": "1.1.1.1",
"device_location": "UNKNOWN",
"device_name": "win1122H2new",
"device_os": "WINDOWS",
"device_os_version": "Windows 11 x64",
"device_policy": "⚠️ Wide Open",
"device_policy_id": "dummy_device_policy_id",
"device_target_value": "LOW",
"device_uem_id": "",
"device_username": "Administrator",
"first_event_timestamp": "2024-07-09T11:51:44.217Z",
"id": "dummy_id",
"ioc_field": "netconn_ipv4",
"ioc_hit": "1.1.1.1",
"ioc_id": "dummy_ioc_id",
"is_updated": false,
"last_event_timestamp": "2024-07-09T11:51:44.217Z",
"mdr_alert": false,
"mdr_alert_notes_present": false,
"mdr_threat_notes_present": false,
"org_key": "dummy_org_key",
"parent_cmdline": "",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_guid": "dummy_parent_guid",
"parent_md5": "",
"parent_name": "c:\\windows\\system32\\services.exe",
"parent_pid": "dummy_parent_pid",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_sha256": "dummy_parent_sha256",
"parent_username": "NT AUTHORITY\\SYSTEM",
"policy_applied": "NOT_APPLIED",
"primary_event_id": "dummy_primary_event_id",
"process_cmdline": "\"C:\\Program Files (x86)\\Netskope\\STAgent\\stAgentSvc.exe\"",
"process_effective_reputation": "LOCAL_WHITE",
"process_guid": "dummy_process_guid",
"process_issuer": [],
"process_md5": "",
"process_name": "c:\\program files (x86)\\netskope\\stagent\\stagentsvc.exe",
"process_pid": "dummy_process_pid",
"process_publisher": [],
"process_reputation": "NOT_LISTED",
"process_sha256": "dummy_process_sha256",
"process_username": "NT AUTHORITY\\SYSTEM",
"reason": "Process stagentsvc.exe was detected by the report \"crest test-netconn_ipv4-1\" in watchlist \"Crest test\"",
"reason_code": "dummy_reason_code",
"report_description": "Service Now Threat Intel",
"report_id": "dummy_report_id",
"report_link": "https://dev188630.service-now.com/",
"report_name": "crest test-netconn_ipv4-1",
"report_tags": [],
"run_state": "RAN",
"sensor_action": "ALLOW",
"severity": 5,
"tags": null,
"threat_id": "dummy_threat_id",
"threat_notes_present": false,
"type": "WATCHLIST",
"user_update_timestamp": null,
"watchlists": [
{
"id": "dummy_id",
"name": "Crest test"
}
],
"workflow": {
"change_timestamp": "2024-07-09T11:55:04.223Z",
"changed_by": "ALERT_CREATION",
"changed_by_type": "SYSTEM",
"closure_reason": "NO_REASON",
"status": "OPEN"
}
},
{
"alert_notes_present": false,
"alert_origin": "ALERT_ORIGIN_UNKNOWN",
"alert_url": "dummy_alert_url",
"asset_group": [],
"backend_timestamp": "2024-07-09T11:54:49.999Z",
"backend_update_timestamp": "2024-07-09T11:54:49.999Z",
"childproc_cmdline": "",
"childproc_guid": "",
"childproc_username": "",
"detection_timestamp": "2024-07-09T11:53:53.750Z",
"determination": {
"change_timestamp": "2024-07-09T11:54:49.999Z",
"changed_by": "ALERT_CREATION",
"changed_by_type": "SYSTEM",
"value": "NONE"
},
"device_external_ip": "1.1.1.1",
"device_id": "dummy_device_id",
"device_internal_ip": "1.1.1.1",
"device_location": "UNKNOWN",
"device_name": "win1122H2new",
"device_os": "WINDOWS",
"device_os_version": "Windows 11 x64",
"device_policy": "⚠️ Wide Open",
"device_policy_id": "dummy_device_policy_id",
"device_target_value": "LOW",
"device_uem_id": "",
"device_username": "Administrator",
"first_event_timestamp": "2024-07-09T11:51:44.218Z",
"id": "dummy_id",
"ioc_field": "netconn_ipv4",
"ioc_hit": "1.1.1.1",
"ioc_id": "dummy_ioc_id",
"is_updated": false,
"last_event_timestamp": "2024-07-09T11:51:44.218Z",
"mdr_alert": false,
"mdr_alert_notes_present": false,
"mdr_threat_notes_present": false,
"org_key": "dummy_org_key",
"parent_cmdline": "",
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_guid": "dummy_parent_guid",
"parent_md5": "",
"parent_name": "c:\\windows\\system32\\services.exe",
"parent_pid": "dummy_parent_pid",
"parent_reputation": "TRUSTED_WHITE_LIST",
"parent_sha256": "dummy_parent_sha256",
"parent_username": "NT AUTHORITY\\SYSTEM",
"policy_applied": "NOT_APPLIED",
"primary_event_id": "dummy_primary_event_id",
"process_cmdline": "\"C:\\Program Files (x86)\\Netskope\\STAgent\\stAgentSvc.exe\"",
"process_effective_reputation": "LOCAL_WHITE",
"process_guid": "dummy_process_guid",
"process_issuer": [],
"process_md5": "",
"process_name": "c:\\program files (x86)\\netskope\\stagent\\stagentsvc.exe",
"process_pid": "dummy_process_pid",
"process_publisher": [],
"process_reputation": "NOT_LISTED",
"process_sha256": "dummy_process_sha256",
"process_username": "NT AUTHORITY\\SYSTEM",
"reason": "Process stagentsvc.exe was detected by the report \"crest test-netconn_ipv4-1\" in watchlist \"Crest test\"",
"reason_code": "dummy_reason_code",
"report_description": "Service Now Threat Intel",
"report_id": "dummy_report_id",
"report_link": "https://dev188630.service-now.com/",
"report_name": "crest test-netconn_ipv4-1",
"report_tags": [],
"run_state": "RAN",
"sensor_action": "ALLOW",
"severity": 5,
"tags": null,
"threat_id": "dummy_threat_id",
"threat_notes_present": false,
"type": "WATCHLIST",
"user_update_timestamp": null,
"watchlists": [
{
"id": "dummy_id",
"name": "Crest test"
}
],
"workflow": {
"change_timestamp": "2024-07-09T11:54:49.999Z",
"changed_by": "ALERT_CREATION",
"changed_by_type": "SYSTEM",
"closure_reason": "NO_REASON",
"status": "OPEN"
}
}
]
}
}

Human Readable Output#

Carbon Black Defense Alerts List Results#

IdDevice IdDevice NameDevice UsernameBackend Timestamp
dummy_id8213794win1122H2newAdministrator2024-07-09T12:22:14.999Z
dummy_id8213794win1122H2newAdministrator2024-07-09T11:55:04.223Z
dummy_id8213794win1122H2newAdministrator2024-07-09T11:54:49.999Z

cbd-get-policy#


Retrieves a policy object by ID.

Base Command#

cbd-get-policy

Input#

Argument NameDescriptionRequired
policyIdThe policy ID.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Policy.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.Policy.idNumberThe unique policy ID.
CarbonBlackDefense.Policy.nameStringThe name of the policy.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vdi_interval_msNumberThe interval in milliseconds for automatically deregistering inactive VDI (Virtual Desktop Infrastructure) devices.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vm_workloads_interval_msNumberThe interval in milliseconds for automatically deregistering inactive VM (Virtual Machine) workloads.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.enabledBooleanIndicates whether the Avira Protection Cloud is enabled.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_exe_delayNumberThe maximum execution delay in milliseconds for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_file_sizeNumberThe maximum file size in bytes that can be uploaded to Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.risk_levelNumberThe risk level assigned by Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.enabledBooleanIndicates whether the on-access scan is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.modeStringThe mode of the on-access scan.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.enabledBooleanIndicates whether the on-demand scan is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.profileStringThe profile used for the on-demand scan.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_cd_dvdStringIndicates whether the on-demand scan includes CD/DVD drives.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_usbStringIndicates whether the on-demand scan includes USB drives.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.range_hoursNumberThe range of hours for scheduling the on-demand scan.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.recovery_scan_if_missedBooleanIndicates whether a recovery scan is performed if the scheduled scan is missed.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.start_hourNumberThe start hour for scheduling the on-demand scan.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.enabledBooleanIndicates whether signature updates are enabled.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.full_interval_hoursNumberThe full interval in hours for scheduling signature updates.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.initial_random_delay_hoursNumberThe initial random delay in hours for scheduling signature updates.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.interval_hoursNumberThe interval in hours for scheduling signature updates.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_offsite_devicesStringThe update servers used for offsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.preferredBooleanIndicates whether the server is preferred for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.serverStringThe update server used for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_overrideUnknownIndicates whether the update servers override the default settings.
CarbonBlackDefense.Policy.policy.directory_action_rules.file_uploadBooleanIndicates whether file uploads are allowed by the directory action rule.
CarbonBlackDefense.Policy.policy.directory_action_rules.pathStringThe directory path specified by the action rule.
CarbonBlackDefense.Policy.policy.directory_action_rules.protectionBooleanIndicates whether protection is enabled for the directory action rule.
CarbonBlackDefense.Policy.policy.is_systemBooleanIndicates whether the policy is a system policy.
CarbonBlackDefense.Policy.policy.org_keyStringThe organization key associated with the policy.
CarbonBlackDefense.Policy.policy.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.Policy.policy.rule_configs.categoryStringThe category of the rule configuration.
CarbonBlackDefense.Policy.policy.rule_configs.descriptionStringA description of the rule configuration.
CarbonBlackDefense.Policy.policy.rule_configs.idStringThe unique rule configuration ID.
CarbonBlackDefense.Policy.policy.rule_configs.inherited_fromStringThe source from which the rule configuration is inherited.
CarbonBlackDefense.Policy.policy.rule_configs.nameStringThe name of the rule configuration.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_network_data_collectionBooleanIndicates whether network data collection is enabled.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_auth_eventsBooleanIndicates whether authentication events are enabled.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.WindowsAssignmentModeStringThe Windows assignment mode for the rule configuration.
CarbonBlackDefense.Policy.policy.rule_configs.parametersUnknownThe parameters of the rule configuration.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.default_rule.actionStringThe default action of the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.default_rule.default_rule_access_check_guidStringThe access check GUID for the default rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.default_rule.default_rule_inbound_event_check_guidStringThe inbound event check GUID for the default rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.default_rule.default_rule_outbound_event_check_guidStringThe outbound event check GUID for the default rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_host_based_firewallBooleanIndicates whether the host-based firewall is enabled.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.descriptionStringA description of the rule group.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.nameStringThe name of the rule group.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.actionStringThe action specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.application_pathStringThe application path specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.directionStringThe direction (inbound or outbound) specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.enabledBooleanIndicates whether the rule is enabled.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.local_ip_addressStringThe local IP address specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.local_port_rangesStringThe local port ranges specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.nameStringThe name of the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.network_profileStringThe network profile specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.protocolStringThe protocol specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.remote_ip_addressStringThe remote IP address specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.remote_port_rangesStringThe remote port ranges specified by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.rule_access_check_guidStringThe access check GUID for the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.rule_inbound_event_check_guidStringThe inbound event check GUID for the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.rule_outbound_event_check_guidStringThe outbound event check GUID for the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.test_modeBooleanIndicates whether the rule is in test mode.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.rules.threat_scoreNumberThe threat score assigned by the rule.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.rule_groups.ruleset_idStringThe ID of the rule set.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.ubs_opt_inBooleanIndicates whether the UBS (User Behavior Settings) opt-in is enabled.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_prevalent_module_event_collectionBooleanIndicates whether prevalent module event collection is enabled.
CarbonBlackDefense.Policy.policy.rules.actionStringThe action specified by the rule.
CarbonBlackDefense.Policy.policy.rules.application.typeStringThe type of application specified by the rule.
CarbonBlackDefense.Policy.policy.rules.application.valueStringThe value of the application specified by the rule.
CarbonBlackDefense.Policy.policy.rules.idNumberThe unique rule ID.
CarbonBlackDefense.Policy.policy.rules.operationStringThe operation specified by the rule.
CarbonBlackDefense.Policy.policy.rules.requiredBooleanIndicates whether the rule is required.
CarbonBlackDefense.Policy.policy.sensor_configs.categoryStringThe category of the sensor configuration.
CarbonBlackDefense.Policy.policy.sensor_configs.descriptionStringA description of the sensor configuration.
CarbonBlackDefense.Policy.policy.sensor_configs.idStringThe unique sensor configuration ID.
CarbonBlackDefense.Policy.policy.sensor_configs.inherited_fromStringThe source from which the sensor configuration is inherited.
CarbonBlackDefense.Policy.policy.sensor_configs.nameStringThe name of the sensor configuration.
CarbonBlackDefense.Policy.policy.sensor_configs.parameters.inline_blocking_modeStringThe inline blocking mode specified by the sensor configuration.
CarbonBlackDefense.Policy.policy.sensor_settings.nameStringThe name of the sensor setting.
CarbonBlackDefense.Policy.policy.sensor_settings.valueStringThe value of the sensor setting.
CarbonBlackDefense.Policy.policy.update_timeDateThe last update time of the policy.
CarbonBlackDefense.Policy.priorityLevelStringThe priority level of the policy.

Command example#

!cbd-get-policy policyId=80947

Context Example#

{
"CarbonBlackDefense": {
"Policy": {
"description": "aaaaaaaa",
"id": "dummy_id",
"name": "AWN BAS",
"policy": {
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_deregister_inactive_vm_workloads_interval_ms": 0,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "AGGRESSIVE"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"scan_cd_dvd": "AUTOSCAN",
"scan_usb": "AUTOSCAN",
"schedule": {
"range_hours": 0,
"recovery_scan_if_missed": true,
"start_hour": 0
}
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_for_offsite_devices": [
"http://updates2.cdc.carbonblack.io/update2"
],
"servers_for_onsite_devices": [
{
"preferred": false,
"server": "http://updates2.cdc.carbonblack.io/update2"
}
],
"servers_override": []
}
},
"directory_action_rules": [
{
"file_upload": false,
"path": "",
"protection": false
}
],
"is_system": false,
"org_key": "dummy_org_key",
"position": 1,
"rule_configs": [
{
"category": "data_collection",
"description": "Turns on XDR network data collection at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "XDR",
"parameters": {
"enable_network_data_collection": true
}
},
{
"category": "data_collection",
"description": "Turns on Windows authentication events at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "Authentication Events",
"parameters": {
"enable_auth_events": false
}
},
{
"category": "core_prevention",
"description": "Addresses malicious fileless and file-backed scripts that leverage native programs and common scripting languages.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Advanced Scripting Prevention",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "core_prevention",
"description": "Addresses threat actors obtaining credentials and relies on detecting the malicious use of TTPs/behaviors that indicate such activity.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Credential Theft",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "core_prevention",
"description": "Addresses common and pervasive TTPs used for malicious activity as well as living off the land TTPs/behaviors detected by Carbon Black’s Threat Analysis Unit.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Carbon Black Threat Intel",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "core_prevention",
"description": "Addresses behaviors that indicate a threat actor has gained elevated access via a bug or misconfiguration within an operating system, and leverages the detection of TTPs/behaviors to prevent such activity.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Privilege Escalation",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "core_prevention",
"description": "Addresses common TTPs/behaviors that threat actors use to avoid detection such as uninstalling or disabling security software, obfuscating or encrypting data/scripts and abusing trusted processes to hide and disguise their malicious activity.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Defense Evasion",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "core_prevention",
"description": "Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that could cut off their access.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Persistence",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "bypass",
"description": "Allows customers to exclude specific processes and process events from reporting to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting and Sensor Operation Exclusions",
"parameters": {}
},
{
"category": "bypass",
"description": "Allows customers to exclude specific processes from reporting events to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting Exclusions",
"parameters": {}
},
{
"category": "host_based_firewall",
"description": "These are the Host based Firewall Rules which will be executed by the sensor. The Definition will be part of Main Policies.",
"id": "dummy_id",
"inherited_from": "",
"name": "Host Based Firewall",
"parameters": {
"default_rule": {
"action": "ALLOW",
"default_rule_access_check_guid": "dummy_default_rule_access_check_guid",
"default_rule_inbound_event_check_guid": "dummy_default_rule_inbound_event_check_guid",
"default_rule_outbound_event_check_guid": "dummy_default_rule_outbound_event_check_guid"
},
"enable_host_based_firewall": true,
"rule_groups": [
{
"description": "C&C used by SocGholish",
"name": "Block C&C Traffic",
"rules": [
{
"action": "BLOCK_ALERT",
"application_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"direction": "OUT",
"enabled": true,
"local_ip_address": "*",
"local_port_ranges": "*",
"name": "SocGholish 2024-01-03",
"network_profile": [
"PUBLIC",
"PRIVATE",
"DOMAIN"
],
"protocol": "TCP",
"remote_ip_address": "1.1.1.1/22",
"remote_port_ranges": "443",
"rule_access_check_guid": "dummy_rule_access_check_guid",
"rule_inbound_event_check_guid": "dummy_rule_inbound_event_check_guid",
"rule_outbound_event_check_guid": "dummy_rule_outbound_event_check_guid",
"test_mode": false,
"threat_score": 8
}
],
"ruleset_id": "dummy_ruleset_id"
}
]
}
},
{
"category": "data_collection",
"description": "Enterprise EDR Event Collection",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Enterprise EDR Event Collection",
"parameters": {
"ubs_opt_in": true
}
},
{
"category": "data_collection",
"description": "Collects events created when a process loads a common library. Enabling this will increase the number of events reported for expected process behavior.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Prevalent Module Exclusions",
"parameters": {
"enable_prevalent_module_event_collection": false
}
}
],
"rules": [
{
"action": "IGNORE",
"application": {
"type": "NAME_PATH",
"value": "COMMON_WHITE_LIST"
},
"id": "dummy_id",
"operation": "RANSOM",
"required": false
}
],
"sensor_configs": [
{
"category": "sensor_settings",
"description": "Manages sensor settings specific to endpoint standard product",
"id": "dummy_id",
"inherited_from": "",
"name": "Endpoint standard sensor settings at policy scope",
"parameters": {
"inline_blocking_mode": "disabled"
}
}
],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
},
{
"name": "ALLOW_UPLOADS",
"value": "false"
},
{
"name": "LEARNING_MODE",
"value": "0"
},
{
"name": "ALLOW_INLINE_BLOCKING",
"value": "true"
}
],
"update_time": 1720436305029
},
"priorityLevel": "MEDIUM"
}
}
}

Human Readable Output#

Carbon Black Defense Policy#

IdNamePriority LevelIs SystemDescription
dummy_idAWN BASMEDIUMfalseaaaaaaaa

cbd-get-policies-summary#


Get an overview of the policies available in the organization.

Base Command#

cbd-get-policies-summary

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
CarbonBlackDefense.PolicySummary.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.PolicySummary.idNumberThe unique policy ID.
CarbonBlackDefense.PolicySummary.is_systemBooleanIndicates whether the policy is a system policy.
CarbonBlackDefense.PolicySummary.nameStringThe name of the policy.
CarbonBlackDefense.PolicySummary.num_devicesNumberThe number of devices currently using the policy.
CarbonBlackDefense.PolicySummary.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.PolicySummary.priority_levelStringThe priority level of the policy.
CarbonBlackDefense.PolicySummary.total_num_devicesNumberThe total number of devices associated with the policy.

Command example#

!cbd-get-policies-summary

Context Example#

{
"CarbonBlackDefense": {
"PolicySummary": [
{
"description": "aaaaaaaa",
"id": "dummy_id",
"is_system": false,
"name": "AWN BAS",
"num_devices": 2,
"position": 1,
"priority_level": "MEDIUM",
"total_num_devices": 2
},
{
"description": "",
"id": "dummy_id",
"is_system": false,
"name": "Abhi-CB-policy",
"num_devices": 1,
"position": 2,
"priority_level": "LOW",
"total_num_devices": 1
},
{
"description": "Don't worry about this. It won't be here long.",
"id": "dummy_id",
"is_system": false,
"name": "Splunk Policy To_be_deleted_1652997758",
"num_devices": 0,
"position": 39,
"priority_level": "MEDIUM"
},
{
"description": "Splunk Policy invalid value",
"id": "dummy_id",
"is_system": false,
"name": "Splunk Policy invalid value1652962163",
"num_devices": 0,
"position": 42,
"priority_level": "HIGH"
},
{
"description": "aaaaaaaa",
"id": "dummy_id",
"is_system": false,
"name": "test42",
"num_devices": 0,
"position": 107,
"priority_level": "MEDIUM"
}
]
}
}

Human Readable Output#

Policies summaries#

IdNamePriority LevelIs System
80947AWN BASMEDIUMfalse
87816Abhi-CB-policyLOWfalse
103786CBCLOUD PolicyMEDIUMfalse
33819Cigent PolicyHIGHfalse
68727Confluera Policy 1LOWfalse
69390Cyborg_MonitorLOWfalse
102049DarkNegevMEDIUMfalse
12147DefenseStorm PolicyMEDIUMfalse
109968Devo-MP-SkovilleMEDIUMfalse
105029EasyNAC domainMEDIUMfalse
35704Fortress PolicyMISSION_CRITICALfalse
130711Hunters High TestHIGHfalse
41528Hunters PolicyMEDIUMfalse
128135Hunters Policy testMISSION_CRITICALfalse
99682Iron-policyMEDIUMfalse
63139LRDemo-JHMEDIUMfalse
138424Lions (Victor+Long)MISSION_CRITICALfalse
9246LogRhythm PolicyMEDIUMfalse
104163LumuMEDIUMfalse
65120Lumu PolicyLOWfalse
96535Moja Skopska polisaLOWfalse

cbd-create-policy#


Creates a new policy on the CB Defense backend.

Base Command#

cbd-create-policy

Input#

Argument NameDescriptionRequired
descriptionA description of the policy. Can be multiple lines.Optional
nameA unique one-line name for the policy.Optional
priorityLevelThe priority score associated with sensors assigned to this policy. Possible values: "MISSION_CRITICAL", "HIGH", "MEDIUM", and "LOW".Optional
policyThe JSON object containing the policy details. Make sure a valid policy object is passed. You can use the get-policy command to retrieve a similar policy object. Then you can reset some of the policy's fields with the set-policy command, and pass the edited object.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Policy.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.Policy.idNumberThe unique policy ID.
CarbonBlackDefense.Policy.nameStringThe name of the policy.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vdi_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VDI.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vm_workloads_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VM workloads.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.enabledBooleanIndicates if Avira Protection Cloud is enabled.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_exe_delayNumberThe maximum execution delay for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_file_sizeNumberThe maximum file size for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.risk_levelNumberThe risk level for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.enabledBooleanIndicates if on-access scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.modeStringThe mode of on-access scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.enabledBooleanIndicates if on-demand scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.profileStringThe profile for on-demand scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_cd_dvdStringIndicates if on-demand scanning of CD/DVD is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_usbStringIndicates if on-demand scanning of USB devices is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.range_hoursNumberThe range of hours for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.recovery_scan_if_missedBooleanIndicates if a recovery scan is scheduled if the previous scan is missed.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.start_hourNumberThe start hour for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.enabledBooleanIndicates if signature updates are enabled.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.full_interval_hoursNumberThe full interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.initial_random_delay_hoursNumberThe initial random delay in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.interval_hoursNumberThe interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_offsite_devicesStringThe servers used for offsite devices for updates.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.preferredBooleanIndicates if the server is preferred for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.serverStringThe server used for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_overrideUnknownIndicates if server overrides are enabled for updates.
CarbonBlackDefense.Policy.policy.directory_action_rules.file_uploadBooleanIndicates if file upload is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.pathStringThe path for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.protectionBooleanIndicates if protection is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.is_systemBooleanIndicates if the policy is a system policy.
CarbonBlackDefense.Policy.policy.org_keyStringThe organization key associated with the policy.
CarbonBlackDefense.Policy.policy.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.Policy.policy.rapid_configs.descriptionStringA description of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.idStringThe ID of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.inherited_fromStringIndicates the source from which the rapid configurations are inherited.
CarbonBlackDefense.Policy.policy.rapid_configs.nameStringThe name of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_network_data_collectionBooleanIndicates if network data collection is enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_auth_eventsBooleanIndicates if authentication events are enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.inline_blocking_modeStringThe inline blocking mode for rapid configurations.
CarbonBlackDefense.Policy.policy.rule_configs.categoryStringThe category of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.descriptionStringA description of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.idStringThe ID of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.inherited_fromStringIndicates the source from which the rule configurations are inherited.
CarbonBlackDefense.Policy.policy.rule_configs.nameStringThe name of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parametersUnknownThe parameters of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.ubs_opt_inBooleanIndicates if UBS opt-in is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_prevalent_module_event_collectionBooleanIndicates if prevalent module event collection is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rules.idNumberThe ID of the rules.
CarbonBlackDefense.Policy.policy.rules.requiredBooleanIndicates if the rules are required.
CarbonBlackDefense.Policy.policy.rules.actionStringThe action specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.typeStringThe type of application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.valueStringThe value of the application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.operationStringThe operation specified in the rules.
CarbonBlackDefense.Policy.policy.sensor_configs.categoryStringThe category of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.descriptionStringA description of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.idStringThe ID of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.inherited_fromStringIndicates the source from which the sensor configurations are inherited.
CarbonBlackDefense.Policy.policy.sensor_configs.nameStringThe name of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.parameters.inline_blocking_modeStringThe inline blocking mode for sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_settings.nameStringThe name of the sensor settings.
CarbonBlackDefense.Policy.policy.sensor_settings.valueStringThe value of the sensor settings.
CarbonBlackDefense.Policy.policy.update_timeDateThe time when the policy was last updated.
CarbonBlackDefense.Policy.priorityLevelStringThe priority level of the policy.

Command example#

!cbd-create-policy policy="{\"name\": \"test4\", \"description\": \"aaaaaaaa\",\"org_key\": \"7DESJ9GN\", \"priority_level\": \"MEDIUM\", \"rules\": [], \"sensor_settings\": [{\"name\": \"ALLOW_UNINSTALL\", \"value\": \"true\"}]}"

Context Example#

{
"CarbonBlackDefense": {
"Policy": {
"description": "aaaaaaaa",
"id": "dummy_id",
"name": "test4",
"policy": {
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_deregister_inactive_vm_workloads_interval_ms": 0,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"scan_cd_dvd": "AUTOSCAN",
"scan_usb": "AUTOSCAN",
"schedule": {
"range_hours": 0,
"recovery_scan_if_missed": true,
"start_hour": 0
}
},
"signature_update": {
"enabled": false,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 2
}
},
"update_servers": {
"servers_for_offsite_devices": [
"http://updates2.cdc.carbonblack.io/update2"
],
"servers_for_onsite_devices": [
{
"preferred": true,
"server": "http://updates2.cdc.carbonblack.io/update2"
}
],
"servers_override": []
}
},
"directory_action_rules": [
{
"file_upload": false,
"path": "",
"protection": false
}
],
"is_system": false,
"org_key": "dummy_org_key",
"position": 108,
"rapid_configs": [
{
"description": "Turns on XDR network data collection at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "XDR",
"parameters": {
"enable_network_data_collection": true
}
},
{
"description": "Turns on Windows authentication events at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "Authentication Events",
"parameters": {
"enable_auth_events": false
}
},
{
"description": "Manages sensor settings specific to endpoint standard product",
"id": "dummy_id",
"inherited_from": "",
"name": "Endpoint standard sensor settings at policy scope",
"parameters": {
"inline_blocking_mode": "disabled"
}
},
{
"category": "data_collection",
"description": "Collects events created when a process loads a common library. Enabling this will increase the number of events reported for expected process behavior.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Prevalent Module Exclusions",
"parameters": {
"enable_prevalent_module_event_collection": false
}
}
],
"rules": [],
"sensor_configs": [
{
"category": "sensor_settings",
"description": "Manages sensor settings specific to endpoint standard product",
"id": "dummy_id",
"inherited_from": "",
"name": "Endpoint standard sensor settings at policy scope",
"parameters": {
"inline_blocking_mode": "disabled"
}
}
],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
},
{
"name": "LEARNING_MODE",
"value": "0"
},
{
"name": "ALLOW_INLINE_BLOCKING",
"value": "true"
}
],
"update_time": 1720539000191
},
"priorityLevel": "MEDIUM"
}
}
}

Human Readable Output#

Policy created successfully#

IdDescriptionNamePriority LevelIs System
170044aaaaaaaatest4MEDIUMfalse

cbd-update-policy#


Update an existing policy on the CB Defense backend.

Base Command#

cbd-update-policy

Input#

Argument NameDescriptionRequired
descriptionA description of the policy. Can be multiple lines.Optional
nameA unique one-line name for the policy.Optional
priorityLevelThe priority score associated with sensors assigned to this policy. Possible values: "MISSION_CRITICAL", "HIGH", "MEDIUM", and "LOW".Optional
idThe policy ID to update.Required
policyThe JSON object containing the policy details. Make sure a valid policy object is passed. You can use the get-policy command to retrieve a similar policy object. Then you can reset some of the policy's fields with the set-policy command, and pass the edited object.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Policy.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.Policy.idNumberThe unique policy ID.
CarbonBlackDefense.Policy.nameStringThe name of the policy.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vdi_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VDI.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vm_workloads_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VM workloads.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.enabledBooleanIndicates if Avira Protection Cloud is enabled.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_exe_delayNumberThe maximum execution delay for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_file_sizeNumberThe maximum file size for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.risk_levelNumberThe risk level for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.enabledBooleanIndicates if on-access scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.modeStringThe mode of on-access scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.enabledBooleanIndicates if on-demand scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.profileStringThe profile for on-demand scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_cd_dvdStringIndicates if on-demand scanning of CD/DVD is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_usbStringIndicates if on-demand scanning of USB devices is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.range_hoursNumberThe range of hours for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.recovery_scan_if_missedBooleanIndicates if a recovery scan is scheduled if the previous scan is missed.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.start_hourNumberThe start hour for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.enabledBooleanIndicates if signature updates are enabled.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.full_interval_hoursNumberThe full interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.initial_random_delay_hoursNumberThe initial random delay in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.interval_hoursNumberThe interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_offsite_devicesStringThe servers used for offsite devices for updates.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.preferredBooleanIndicates if the server is preferred for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.serverStringThe server used for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_overrideUnknownIndicates if server overrides are enabled for updates.
CarbonBlackDefense.Policy.policy.directory_action_rules.file_uploadBooleanIndicates if file upload is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.pathStringThe path for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.protectionBooleanIndicates if protection is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.is_systemBooleanIndicates if the policy is a system policy.
CarbonBlackDefense.Policy.policy.org_keyStringThe organization key associated with the policy.
CarbonBlackDefense.Policy.policy.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.Policy.policy.rapid_configs.descriptionStringA description of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.idStringThe ID of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.inherited_fromStringIndicates the source from which the rapid configurations are inherited.
CarbonBlackDefense.Policy.policy.rapid_configs.nameStringThe name of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_network_data_collectionBooleanIndicates if network data collection is enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_auth_eventsBooleanIndicates if authentication events are enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.inline_blocking_modeStringThe inline blocking mode for rapid configurations.
CarbonBlackDefense.Policy.policy.rule_configs.categoryStringThe category of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.descriptionStringA description of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.idStringThe ID of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.inherited_fromStringIndicates the source from which the rule configurations are inherited.
CarbonBlackDefense.Policy.policy.rule_configs.nameStringThe name of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parametersUnknownThe parameters of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.ubs_opt_inBooleanIndicates if UBS opt-in is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_prevalent_module_event_collectionBooleanIndicates if prevalent module event collection is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rules.idNumberThe ID of the rules.
CarbonBlackDefense.Policy.policy.rules.requiredBooleanIndicates if the rules are required.
CarbonBlackDefense.Policy.policy.rules.actionStringThe action specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.typeStringThe type of application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.valueStringThe value of the application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.operationStringThe operation specified in the rules.
CarbonBlackDefense.Policy.policy.sensor_configs.categoryStringThe category of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.descriptionStringA description of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.idStringThe ID of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.inherited_fromStringIndicates the source from which the sensor configurations are inherited.
CarbonBlackDefense.Policy.policy.sensor_configs.nameStringThe name of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.parameters.inline_blocking_modeStringThe inline blocking mode for sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_settings.nameStringThe name of the sensor settings.
CarbonBlackDefense.Policy.policy.sensor_settings.valueStringThe value of the sensor settings.
CarbonBlackDefense.Policy.policy.update_timeDateThe time when the policy was last updated.
CarbonBlackDefense.Policy.priorityLevelStringThe priority level of the policy.

Command example#

!cbd-update-policy id=80947 policy="{\"name\": \"AWN BAS\", \"description\": \"aaaaaaaa\",\"org_key\": \"7DESJ9GN\", \"priority_level\": \"MEDIUM\", \"rules\": [], \"sensor_settings\": [{\"name\": \"ALLOW_UNINSTALL\", \"value\": \"true\"}]}"

Context Example#

{
"CarbonBlackDefense": {
"Policy": {
"description": "aaaaaaaa",
"id": "dummy_id",
"name": "AWN BAS",
"policy": {
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_deregister_inactive_vm_workloads_interval_ms": 0,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "AGGRESSIVE"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"scan_cd_dvd": "AUTOSCAN",
"scan_usb": "AUTOSCAN",
"schedule": {
"range_hours": 0,
"recovery_scan_if_missed": true,
"start_hour": 0
}
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_for_offsite_devices": [
"http://updates2.cdc.carbonblack.io/update2"
],
"servers_for_onsite_devices": [
{
"preferred": false,
"server": "http://updates2.cdc.carbonblack.io/update2"
}
],
"servers_override": []
}
},
"directory_action_rules": [
{
"file_upload": false,
"path": "",
"protection": false
}
],
"is_system": false,
"org_key": "dummy_org_key",
"position": 1,
"rapid_configs": [
{
"description": "Turns on XDR network data collection at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "XDR",
"parameters": {
"enable_network_data_collection": true
}
},
{
"description": "Addresses common TTPs/behaviors that threat actors use to avoid detection such as uninstalling or disabling security software, obfuscating or encrypting data/scripts and abusing trusted processes to hide and disguise their malicious activity.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Defense Evasion",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"description": "Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that could cut off their access.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Persistence",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"description": "Allows customers to exclude specific processes and process events from reporting to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting and Sensor Operation Exclusions",
"parameters": {}
},
{
"description": "Allows customers to exclude specific processes from reporting events to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting Exclusions",
"parameters": {}
},
{
"description": "These are the Host based Firewall Rules which will be executed by the sensor. The Definition will be part of Main Policies.",
"id": "dummy_id",
"inherited_from": "",
"name": "Host Based Firewall",
"parameters": {
"default_rule": {
"action": "ALLOW",
"default_rule_access_check_guid": "dummy_default_rule_access_check_guid",
"default_rule_inbound_event_check_guid": "dummy_default_rule_inbound_event_check_guid",
"default_rule_outbound_event_check_guid": "dummy_default_rule_outbound_event_check_guid"
},
"enable_host_based_firewall": true,
"rule_groups": [
{
"description": "C&C used by SocGholish",
"name": "Block C&C Traffic",
"rules": [
{
"action": "BLOCK_ALERT",
"application_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"direction": "OUT",
"enabled": true,
"local_ip_address": "*",
"local_port_ranges": "*",
"name": "SocGholish 2024-01-03",
"network_profile": [
"PUBLIC",
"PRIVATE",
"DOMAIN"
],
"protocol": "TCP",
"remote_ip_address": "1.1.1.1/22",
"remote_port_ranges": "443",
"rule_access_check_guid": "dummy_rule_access_check_guid",
"rule_inbound_event_check_guid": "dummy_rule_inbound_event_check_guid",
"rule_outbound_event_check_guid": "dummy_rule_outbound_event_check_guid",
"test_mode": false,
"threat_score": 8
}
],
"ruleset_id": "dummy_ruleset_id"
}
]
}
},
{
"description": "Enterprise EDR Event Collection",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Enterprise EDR Event Collection",
"parameters": {
"ubs_opt_in": true
}
},
{
"description": "Collects events created when a process loads a common library. Enabling this will increase the number of events reported for expected process behavior.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Prevalent Module Exclusions",
"parameters": {
"enable_prevalent_module_event_collection": false
}
}
],
"rule_configs": [
{
"category": "data_collection",
"description": "Turns on XDR network data collection at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "XDR",
"parameters": {
"enable_network_data_collection": true
}
},
{
"category": "core_prevention",
"description": "Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that could cut off their access.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Persistence",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "bypass",
"description": "Allows customers to exclude specific processes and process events from reporting to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting and Sensor Operation Exclusions",
"parameters": {}
},
{
"category": "bypass",
"description": "Allows customers to exclude specific processes from reporting events to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting Exclusions",
"parameters": {}
},
{
"category": "host_based_firewall",
"description": "These are the Host based Firewall Rules which will be executed by the sensor. The Definition will be part of Main Policies.",
"id": "dummy_id",
"inherited_from": "",
"name": "Host Based Firewall",
"parameters": {
"default_rule": {
"action": "ALLOW",
"default_rule_access_check_guid": "dummy_default_rule_access_check_guid",
"default_rule_inbound_event_check_guid": "dummy_default_rule_inbound_event_check_guid",
"default_rule_outbound_event_check_guid": "dummy_default_rule_outbound_event_check_guid"
},
"enable_host_based_firewall": true,
"rule_groups": [
{
"description": "C&C used by SocGholish",
"name": "Block C&C Traffic",
"rules": [
{
"action": "BLOCK_ALERT",
"application_path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"direction": "OUT",
"enabled": true,
"local_ip_address": "*",
"local_port_ranges": "*",
"name": "SocGholish 2024-01-03",
"network_profile": [
"PUBLIC",
"PRIVATE",
"DOMAIN"
],
"protocol": "TCP",
"remote_ip_address": "1.1.1.1/22",
"remote_port_ranges": "443",
"rule_access_check_guid": "dummy_rule_access_check_guid",
"rule_inbound_event_check_guid": "dummy_rule_inbound_event_check_guid",
"rule_outbound_event_check_guid": "dummy_rule_outbound_event_check_guid",
"test_mode": false,
"threat_score": 8
}
],
"ruleset_id": "dummy_ruleset_id"
}
]
}
},
{
"category": "data_collection",
"description": "Enterprise EDR Event Collection",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Enterprise EDR Event Collection",
"parameters": {
"ubs_opt_in": true
}
},
{
"category": "data_collection",
"description": "Collects events created when a process loads a common library. Enabling this will increase the number of events reported for expected process behavior.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Prevalent Module Exclusions",
"parameters": {
"enable_prevalent_module_event_collection": false
}
}
],
"rules": [],
"sensor_configs": [
{
"category": "sensor_settings",
"description": "Manages sensor settings specific to endpoint standard product",
"id": "dummy_id",
"inherited_from": "",
"name": "Endpoint standard sensor settings at policy scope",
"parameters": {
"inline_blocking_mode": "disabled"
}
}
],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
},
{
"name": "ALLOW_UPLOADS",
"value": "false"
},
{
"name": "SHOW_UI",
"value": "true"
},
{
"name": "LEARNING_MODE",
"value": "0"
},
{
"name": "ALLOW_INLINE_BLOCKING",
"value": "true"
}
],
"update_time": 1720539005619
},
"priorityLevel": "MEDIUM"
}
}
}

Human Readable Output#

Policy with ID: 80947 updated successfully#

IdDescriptionNamePriority LevelIs System
80947aaaaaaaaAWN BASMEDIUMfalse

cbd-set-policy#


Set existing policy's fields on the CB Defense backend.

Base Command#

cbd-set-policy

Input#

Argument NameDescriptionRequired
policyThe policy ID to set.Required
keyValueThe JSON object containing the policy details. Make sure a valid policy object is passed. You can use the get-policy command to retrieve a similar policy object. Then you can reset some of the policy's fields with the set-policy command, and pass the edited object.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Policy.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.Policy.idNumberThe unique policy ID.
CarbonBlackDefense.Policy.nameStringThe name of the policy.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vdi_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VDI.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vm_workloads_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VM workloads.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.enabledBooleanIndicates if Avira Protection Cloud is enabled.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_exe_delayNumberThe maximum execution delay for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_file_sizeNumberThe maximum file size for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.risk_levelNumberThe risk level for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.enabledBooleanIndicates if on-access scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.modeStringThe mode of on-access scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.enabledBooleanIndicates if on-demand scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.profileStringThe profile for on-demand scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_cd_dvdStringIndicates if on-demand scanning of CD/DVD is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_usbStringIndicates if on-demand scanning of USB devices is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.range_hoursNumberThe range of hours for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.recovery_scan_if_missedBooleanIndicates if a recovery scan is scheduled if the previous scan is missed.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.start_hourNumberThe start hour for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.enabledBooleanIndicates if signature updates are enabled.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.full_interval_hoursNumberThe full interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.initial_random_delay_hoursNumberThe initial random delay in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.interval_hoursNumberThe interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_offsite_devicesStringThe servers used for offsite devices for updates.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.preferredBooleanIndicates if the server is preferred for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.serverStringThe server used for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_overrideUnknownIndicates if server overrides are enabled for updates.
CarbonBlackDefense.Policy.policy.directory_action_rules.file_uploadBooleanIndicates if file upload is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.pathStringThe path for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.protectionBooleanIndicates if protection is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.is_systemBooleanIndicates if the policy is a system policy.
CarbonBlackDefense.Policy.policy.org_keyStringThe organization key associated with the policy.
CarbonBlackDefense.Policy.policy.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.Policy.policy.rapid_configs.descriptionStringA description of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.idStringThe ID of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.inherited_fromStringIndicates the source from which the rapid configurations are inherited.
CarbonBlackDefense.Policy.policy.rapid_configs.nameStringThe name of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_network_data_collectionBooleanIndicates if network data collection is enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_auth_eventsBooleanIndicates if authentication events are enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.inline_blocking_modeStringThe inline blocking mode for rapid configurations.
CarbonBlackDefense.Policy.policy.rule_configs.categoryStringThe category of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.descriptionStringA description of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.idStringThe ID of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.inherited_fromStringIndicates the source from which the rule configurations are inherited.
CarbonBlackDefense.Policy.policy.rule_configs.nameStringThe name of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parametersUnknownThe parameters of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.ubs_opt_inBooleanIndicates if UBS opt-in is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_prevalent_module_event_collectionBooleanIndicates if prevalent module event collection is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rules.idNumberThe ID of the rules.
CarbonBlackDefense.Policy.policy.rules.requiredBooleanIndicates if the rules are required.
CarbonBlackDefense.Policy.policy.rules.actionStringThe action specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.typeStringThe type of application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.valueStringThe value of the application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.operationStringThe operation specified in the rules.
CarbonBlackDefense.Policy.policy.sensor_configs.categoryStringThe category of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.descriptionStringA description of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.idStringThe ID of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.inherited_fromStringIndicates the source from which the sensor configurations are inherited.
CarbonBlackDefense.Policy.policy.sensor_configs.nameStringThe name of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.parameters.inline_blocking_modeStringThe inline blocking mode for sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_settings.nameStringThe name of the sensor settings.
CarbonBlackDefense.Policy.policy.sensor_settings.valueStringThe value of the sensor settings.
CarbonBlackDefense.Policy.policy.update_timeDateThe time when the policy was last updated.
CarbonBlackDefense.Policy.priorityLevelStringThe priority level of the policy.

cbd-delete-policy#


Deletes a policy from the CB Defense backend. This may return an error if devices are actively assigned to the policy ID requested for deletion. Note: System policies cannot be deleted.

Base Command#

cbd-delete-policy

Input#

Argument NameDescriptionRequired
policyIdThe policy ID.Required

Context Output#

There is no context output for this command.

Command example#

!cbd-delete-policy policyId=169977

Human Readable Output#

Policy with ID 169977 was deleted successfully

cbd-add-rule-to-policy#


Adds a new rule to an existing policy. Note: System policies cannot be modified.

Base Command#

cbd-add-rule-to-policy

Input#

Argument NameDescriptionRequired
actionRule action. Possible values: "TERMINATE", "IGNORE", "TERMINATE_THREAD", "ALLOW", "DENY, and "TERMINATE_PROCESS".Required
operationRule operation. Possible values: BYPASS_ALL, BYPASS_API, INVOKE_SCRIPT, INVOKE_SYSAPP, POL_INVOKE_NOT_TRUSTED, INVOKE_CMD_INTERPRETER, RANSOM, NETWORK, CODE_INJECTION, PROCESS_ISOLATION, MEMORY_SCRAPE, RUN_INMEMORY_CODE, ESCALATE, RUN.Required
requiredWhether the rule is required. Possible values: true, false.Required
typeApplication type. Possible values: "REPUTATION", "SIGNED_BY", and "NAME_PATH".Required
valueApplication value. Possible values: ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST.Required
policyIdThe policy ID.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Policy.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.Policy.idNumberThe unique policy ID.
CarbonBlackDefense.Policy.nameStringThe name of the policy.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vdi_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VDI.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vm_workloads_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VM workloads.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.enabledBooleanIndicates if Avira Protection Cloud is enabled.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_exe_delayNumberThe maximum execution delay for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_file_sizeNumberThe maximum file size for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.risk_levelNumberThe risk level for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.enabledBooleanIndicates if on-access scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.modeStringThe mode of on-access scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.enabledBooleanIndicates if on-demand scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.profileStringThe profile for on-demand scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_cd_dvdStringIndicates if on-demand scanning of CD/DVD is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_usbStringIndicates if on-demand scanning of USB devices is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.range_hoursNumberThe range of hours for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.recovery_scan_if_missedBooleanIndicates if a recovery scan is scheduled if the previous scan is missed.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.start_hourNumberThe start hour for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.enabledBooleanIndicates if signature updates are enabled.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.full_interval_hoursNumberThe full interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.initial_random_delay_hoursNumberThe initial random delay in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.interval_hoursNumberThe interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_offsite_devicesStringThe servers used for offsite devices for updates.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.preferredBooleanIndicates if the server is preferred for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.serverStringThe server used for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_overrideUnknownIndicates if server overrides are enabled for updates.
CarbonBlackDefense.Policy.policy.directory_action_rules.file_uploadBooleanIndicates if file upload is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.pathStringThe path for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.protectionBooleanIndicates if protection is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.is_systemBooleanIndicates if the policy is a system policy.
CarbonBlackDefense.Policy.policy.org_keyStringThe organization key associated with the policy.
CarbonBlackDefense.Policy.policy.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.Policy.policy.rapid_configs.descriptionStringA description of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.idStringThe ID of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.inherited_fromStringIndicates the source from which the rapid configurations are inherited.
CarbonBlackDefense.Policy.policy.rapid_configs.nameStringThe name of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_network_data_collectionBooleanIndicates if network data collection is enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_auth_eventsBooleanIndicates if authentication events are enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.inline_blocking_modeStringThe inline blocking mode for rapid configurations.
CarbonBlackDefense.Policy.policy.rule_configs.categoryStringThe category of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.descriptionStringA description of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.idStringThe ID of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.inherited_fromStringIndicates the source from which the rule configurations are inherited.
CarbonBlackDefense.Policy.policy.rule_configs.nameStringThe name of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parametersUnknownThe parameters of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.ubs_opt_inBooleanIndicates if UBS opt-in is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_prevalent_module_event_collectionBooleanIndicates if prevalent module event collection is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rules.idNumberThe ID of the rules.
CarbonBlackDefense.Policy.policy.rules.requiredBooleanIndicates if the rules are required.
CarbonBlackDefense.Policy.policy.rules.actionStringThe action specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.typeStringThe type of application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.valueStringThe value of the application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.operationStringThe operation specified in the rules.
CarbonBlackDefense.Policy.policy.sensor_configs.categoryStringThe category of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.descriptionStringA description of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.idStringThe ID of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.inherited_fromStringIndicates the source from which the sensor configurations are inherited.
CarbonBlackDefense.Policy.policy.sensor_configs.nameStringThe name of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.parameters.inline_blocking_modeStringThe inline blocking mode for sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_settings.nameStringThe name of the sensor settings.
CarbonBlackDefense.Policy.policy.sensor_settings.valueStringThe value of the sensor settings.
CarbonBlackDefense.Policy.policy.update_timeDateThe time when the policy was last updated.
CarbonBlackDefense.Policy.priorityLevelStringThe priority level of the policy.

cbd-update-rule-in-policy#


Updates an existing rule with a new rule. Note: System policies cannot be modified.

Base Command#

cbd-update-rule-in-policy

Input#

Argument NameDescriptionRequired
actionRule action. Possible values: "TERMINATE", "IGNORE", "TERMINATE_THREAD", "ALLOW", "DENY", and "TERMINATE_PROCESS".Required
operationRule operation. Possible values: BYPASS_ALL, BYPASS_API, INVOKE_SCRIPT, INVOKE_SYSAPP, POL_INVOKE_NOT_TRUSTED, INVOKE_CMD_INTERPRETER, RANSOM, NETWORK, CODE_INJECTION, PROCESS_ISOLATION, MEMORY_SCRAPE, RUN_INMEMORY_CODE, ESCALATE, RUN.Required
requiredWhether the rule is required. Possible values: true, false.Required
idRule ID.Required
typeApplication type. Possible values: "REPUTATION", "SIGNED_BY", and "NAME_PATH".Required
valueApplication value. Possible values: ADWARE, COMMON_WHITE_LIST, COMPANY_BLACK_LIST, COMPANY_WHITE_LIST, HEURISTIC, IGNORE, KNOWN_MALWARE, LOCAL_WHITE, NOT_LISTED, PUP, RESOLVING, SUSPECT_MALWARE, TRUSTED_WHITE_LIST.Required
policyIdThe policy ID.Required

Context Output#

PathTypeDescription
CarbonBlackDefense.Policy.descriptionStringA brief summary or description of the policy.
CarbonBlackDefense.Policy.idNumberThe unique policy ID.
CarbonBlackDefense.Policy.nameStringThe name of the policy.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vdi_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VDI.
CarbonBlackDefense.Policy.policy.auto_deregister_inactive_vm_workloads_interval_msNumberThe interval in milliseconds for auto-deregistering inactive VM workloads.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.enabledBooleanIndicates if Avira Protection Cloud is enabled.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_exe_delayNumberThe maximum execution delay for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.max_file_sizeNumberThe maximum file size for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.avira_protection_cloud.risk_levelNumberThe risk level for Avira Protection Cloud.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.enabledBooleanIndicates if on-access scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_access_scan.modeStringThe mode of on-access scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.enabledBooleanIndicates if on-demand scanning is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.profileStringThe profile for on-demand scanning.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_cd_dvdStringIndicates if on-demand scanning of CD/DVD is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.scan_usbStringIndicates if on-demand scanning of USB devices is enabled.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.range_hoursNumberThe range of hours for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.recovery_scan_if_missedBooleanIndicates if a recovery scan is scheduled if the previous scan is missed.
CarbonBlackDefense.Policy.policy.av_settings.on_demand_scan.schedule.start_hourNumberThe start hour for the on-demand scan schedule.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.enabledBooleanIndicates if signature updates are enabled.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.full_interval_hoursNumberThe full interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.initial_random_delay_hoursNumberThe initial random delay in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.signature_update.schedule.interval_hoursNumberThe interval in hours for signature update scheduling.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_offsite_devicesStringThe servers used for offsite devices for updates.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.preferredBooleanIndicates if the server is preferred for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_for_onsite_devices.serverStringThe server used for onsite devices.
CarbonBlackDefense.Policy.policy.av_settings.update_servers.servers_overrideUnknownIndicates if server overrides are enabled for updates.
CarbonBlackDefense.Policy.policy.directory_action_rules.file_uploadBooleanIndicates if file upload is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.pathStringThe path for directory action rules.
CarbonBlackDefense.Policy.policy.directory_action_rules.protectionBooleanIndicates if protection is enabled for directory action rules.
CarbonBlackDefense.Policy.policy.is_systemBooleanIndicates if the policy is a system policy.
CarbonBlackDefense.Policy.policy.org_keyStringThe organization key associated with the policy.
CarbonBlackDefense.Policy.policy.positionNumberThe position of the policy in the list of policies.
CarbonBlackDefense.Policy.policy.rapid_configs.descriptionStringA description of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.idStringThe ID of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.inherited_fromStringIndicates the source from which the rapid configurations are inherited.
CarbonBlackDefense.Policy.policy.rapid_configs.nameStringThe name of the rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_network_data_collectionBooleanIndicates if network data collection is enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.enable_auth_eventsBooleanIndicates if authentication events are enabled in rapid configurations.
CarbonBlackDefense.Policy.policy.rapid_configs.parameters.inline_blocking_modeStringThe inline blocking mode for rapid configurations.
CarbonBlackDefense.Policy.policy.rule_configs.categoryStringThe category of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.descriptionStringA description of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.idStringThe ID of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.inherited_fromStringIndicates the source from which the rule configurations are inherited.
CarbonBlackDefense.Policy.policy.rule_configs.nameStringThe name of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parametersUnknownThe parameters of the rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.ubs_opt_inBooleanIndicates if UBS opt-in is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rule_configs.parameters.enable_prevalent_module_event_collectionBooleanIndicates if prevalent module event collection is enabled in rule configurations.
CarbonBlackDefense.Policy.policy.rules.idNumberThe ID of the rules.
CarbonBlackDefense.Policy.policy.rules.requiredBooleanIndicates if the rules are required.
CarbonBlackDefense.Policy.policy.rules.actionStringThe action specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.typeStringThe type of application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.application.valueStringThe value of the application specified in the rules.
CarbonBlackDefense.Policy.policy.rules.operationStringThe operation specified in the rules.
CarbonBlackDefense.Policy.policy.sensor_configs.categoryStringThe category of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.descriptionStringA description of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.idStringThe ID of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.inherited_fromStringIndicates the source from which the sensor configurations are inherited.
CarbonBlackDefense.Policy.policy.sensor_configs.nameStringThe name of the sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_configs.parameters.inline_blocking_modeStringThe inline blocking mode for sensor configurations.
CarbonBlackDefense.Policy.policy.sensor_settings.nameStringThe name of the sensor settings.
CarbonBlackDefense.Policy.policy.sensor_settings.valueStringThe value of the sensor settings.
CarbonBlackDefense.Policy.policy.update_timeDateThe time when the policy was last updated.
CarbonBlackDefense.Policy.priorityLevelStringThe priority level of the policy.

Command example#

!cbd-update-rule-in-policy action=IGNORE type=REPUTATION value=COMMON_WHITE_LIST operation=MEMORY_SCRAPE required=true policyId=12345 id=47

Context Example#

{
"CarbonBlackDefense": {
"Policy": {
"description": "aaaaaaaa",
"id": "dummy_id",
"name": "tesssttsss",
"policy": {
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_deregister_inactive_vm_workloads_interval_ms": 0,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"scan_cd_dvd": "AUTOSCAN",
"scan_usb": "AUTOSCAN",
"schedule": {
"range_hours": 0,
"recovery_scan_if_missed": true,
"start_hour": 0
}
},
"signature_update": {
"enabled": false,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 2
}
},
"update_servers": {
"servers_for_offsite_devices": [
"http://updates2.cdc.carbonblack.io/update2"
],
"servers_for_onsite_devices": [
{
"preferred": true,
"server": "http://updates2.cdc.carbonblack.io/update2"
}
],
"servers_override": []
}
},
"directory_action_rules": [
{
"file_upload": false,
"path": "",
"protection": false
}
],
"is_system": false,
"org_key": "dummy_org_key",
"position": 105,
"rule_configs": [
{
"category": "data_collection",
"description": "Turns on XDR network data collection at the sensor",
"id": "dummy_id",
"inherited_from": "",
"name": "XDR",
"parameters": {
"enable_network_data_collection": true
}
},
{
"category": "core_prevention",
"description": "Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that could cut off their access.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Persistence",
"parameters": {
"WindowsAssignmentMode": "BLOCK"
}
},
{
"category": "bypass",
"description": "Allows customers to exclude specific processes and process events from reporting to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting and Sensor Operation Exclusions",
"parameters": {}
},
{
"category": "bypass",
"description": "Allows customers to exclude specific processes from reporting events to CBC",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Event Reporting Exclusions",
"parameters": {}
},
{
"category": "data_collection",
"description": "Enterprise EDR Event Collection",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Enterprise EDR Event Collection",
"parameters": {
"ubs_opt_in": true
}
},
{
"category": "data_collection",
"description": "Collects events created when a process loads a common library. Enabling this will increase the number of events reported for expected process behavior.",
"id": "dummy_id",
"inherited_from": "psc:region",
"name": "Prevalent Module Exclusions",
"parameters": {
"enable_prevalent_module_event_collection": false
}
}
],
"rules": [
{
"action": "IGNORE",
"application": {
"type": "REPUTATION",
"value": "COMMON_WHITE_LIST"
},
"id": "dummy_id",
"operation": "MEMORY_SCRAPE",
"required": true
}
],
"sensor_configs": [
{
"category": "sensor_settings",
"description": "Manages sensor settings specific to endpoint standard product",
"id": "dummy_id",
"inherited_from": "",
"name": "Endpoint standard sensor settings at policy scope",
"parameters": {
"inline_blocking_mode": "disabled"
}
}
],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
},
{
"name": "QUEUE_SIZE",
"value": "100"
},
{
"name": "LEARNING_MODE",
"value": "0"
},
{
"name": "ALLOW_INLINE_BLOCKING",
"value": "true"
}
],
"update_time": 1720539019776
},
"priorityLevel": "MEDIUM"
}
}
}

Human Readable Output#

Carbon Black Defense Policy#

IdNamePriority LevelIs SystemDescription
169994tesssttsssMEDIUMfalseaaaaaaaa

cbd-delete-rule-from-policy#


Removes a rule from an existing policy. Note: System policies cannot be modified.

Base Command#

cbd-delete-rule-from-policy

Input#

Argument NameDescriptionRequired
policyIdThe policy ID.Required
ruleIdThe rule ID.Required

Context Output#

There is no context output for this command.

Command example#

!cbd-delete-rule-from-policy ruleId=47 policyId=169994

Human Readable Output#

Rule id 47 was successfully deleted from policy id 169994

cbd-find-processes#


Creates a process search job and retrieves the search results. At least one of the arguments (not including: rows, start, and time_range) is required.

Base Command#

cbd-find-processes

Input#

Argument NameDescriptionRequired
pollingWhen set to "no", the function will not use polling and will return the process job ID. Possible values: yes, no. Default is yes.Optional
job_idThe unique process search job ID. This ID is used to retrieve the results of the process search initiated by the Carbon Black Cloud. If not provided, a new search job will be created based on the other provided arguments.Optional
alert_categoryThe Carbon Black Cloud classification for events tagged to an alert. Possible values: "THREAT" and "OBSERVED".Optional
device_external_ipThe IP address of the endpoint according to Carbon Black Cloud. This IP address can differ from the device_internal_ip due to network proxy or NAT. Can be either IPv4 or IPv6 format.Optional
device_idThe ID assigned to the endpoint by Carbon Black Cloud. This ID is unique across all Carbon Black Cloud environments.Optional
device_internal_ipThe IP address of the endpoint reported by the sensor. Can be either IPv4 or IPv6 format.Optional
device_nameThe hostname of the endpoint recorded by the sensor when last initialized.Optional
device_osThe operating system of the endpoint. Possible values: "WINDOWS", "MAC", "LINUX".Optional
device_timestampThe sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud. specified as ISO 8601 timestamp in UTC for example: 2020-01-19T04:28:40.190Z.Optional
event_typeThe type of enriched event observed. Possible value: "filemod", "netconn", "regmod", "modload", "crossproc", "childproc", "scriptload", and "fileless_scriptload". Possible values : filemod, netconn, regmod, modload, crossproc, childproc, scriptload, fileless_scriptload.Optional
parent_nameThe file system path of the parent process binary.Optional
parent_reputationThe reputation of the parent process applied by Carbon Black Cloud when the event is initially processed. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST".Optional
process_cmdlineThe command line executed by the actor process.Optional
process_guidThe unique process ID for the the actor process.Optional
hashAggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash).Optional
process_nameThe file system path of the actor process binary.Optional
process_pidThe process ID assigned by the operating system. This can be multi-valued for fork() or exec() process operations on Linux and macOS.Optional
process_reputationThe reputation of the actor process applied when the event is processed by Carbon Black Cloud. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST".Optional
process_start_timeThe sensor reported timestamp of when the process started. specified as ISO 8601 timestamp in UTC for example: 2020-05-04T21:34:03.968Z. This is not available for processes running before the sensor starts.Optional
process_terminatedWhether the process has terminated. Always "false" for enriched events (process termination not recorded). Possible values: true, false.Optional
process_usernameThe user context in which the actor process was executed.
MacOS - all users for the PID for fork() and exec() transitions.
Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid().
Optional
sensor_actionThe action performed by the sensor on the process. Possible values: "TERMINATE", "DENY", and "SUSPEND".Optional
queryThe query in Lucene syntax and/or value searches.Optional
rowsThe number of rows to request.Optional
startThe first row to use for pagination.Optional
time_rangeThe time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp.Optional
interval_in_secondsUsed for polling.Optional
time_outUsed for polling.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.Process.job_idStringThe process job id when polling set to false.
CarbonBlackDefense.Process.Results.backend_timestampDateThe timestamp when the process data was collected from the backend.
CarbonBlackDefense.Process.Results.childproc_countNumberThe number of child processes spawned by the process.
CarbonBlackDefense.Process.Results.crossproc_countNumberThe number of cross-process interactions involving the process.
CarbonBlackDefense.Process.Results.device_idNumberThe unique ID of the device where the process is running.
CarbonBlackDefense.Process.Results.device_nameStringThe name of the device where the process is running.
CarbonBlackDefense.Process.Results.device_policy_idNumberThe policy ID associated with the device.
CarbonBlackDefense.Process.Results.device_timestampDateThe timestamp when the process data was collected from the device.
CarbonBlackDefense.Process.Results.filemod_countNumberThe number of file modifications made by the process.
CarbonBlackDefense.Process.Results.index_classStringThe classification of the process based on indexing.
CarbonBlackDefense.Process.Results.modload_countNumberThe number of modules loaded by the process.
CarbonBlackDefense.Process.Results.netconn_countNumberThe number of network connections established by the process.
CarbonBlackDefense.Process.Results.org_idStringThe organization ID associated with the process.
CarbonBlackDefense.Process.Results.parent_guidStringThe GUID of the parent process.
CarbonBlackDefense.Process.Results.parent_pidNumberThe PID of the parent process.
CarbonBlackDefense.Process.Results.partition_idNumberThe partition ID associated with the process.
CarbonBlackDefense.Process.Results.process_guidStringThe GUID of the process.
CarbonBlackDefense.Process.Results.process_hashStringThe hash of the process.
CarbonBlackDefense.Process.Results.process_nameStringThe name of the process.
CarbonBlackDefense.Process.Results.process_pidNumberThe PID of the process.
CarbonBlackDefense.Process.Results.process_usernameStringThe username under which the process is running.
CarbonBlackDefense.Process.Results.regmod_countNumberThe number of registry modifications made by the process.
CarbonBlackDefense.Process.Results.scriptload_countNumberThe number of scripts loaded by the process.

Command example#

!cbd-find-processes device_id=5217044

Context Example#

{
"CarbonBlackDefense": {
"Process": {
"Results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"49becb5d-8cca-4b39-b7f4-d94401533dab",
"6038e242-2c44-470c-92e3-bf3a0c32dc26",
"a7056445-388b-46d8-9d8e-3885bfe28fc0"
],
"backend_timestamp": "2024-07-11T14:51:29.069Z",
"childproc_count": 1,
"crossproc_count": 7,
"device_group_id": 0,
"device_id": 12345,
"device_name": "r7betalab\\r7betalab-arw04",
"device_policy_id": 80947,
"device_timestamp": "2024-07-11T14:44:11.754Z",
"filemod_count": 11,
"ingress_time": 1720709467661,
"modload_count": 40,
"netconn_count": 0,
"org_id": "7DESJ9GN",
"parent_guid": "dummy_parent_guid",
"parent_pid": 4380,
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_hash",
],
"process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"process_pid": [
2192
],
"process_username": [
"R7BETALAB\\svc_idr"
],
"regmod_count": 4,
"scriptload_count": 1,
"watchlist_hit": []
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-07-11T14:34:13.616Z",
"childproc_count": 0,
"crossproc_count": 0,
"device_group_id": 0,
"device_id": 12345,
"device_name": "cb-markotest",
"device_policy_id": 6525,
"device_timestamp": "2024-07-11T14:30:39.203Z",
"filemod_count": 0,
"ingress_time": 1720708414089,
"modload_count": 0,
"netconn_count": 1,
"org_id": "7DESJ9GN",
"parent_guid": "dummy_parent_guid",
"parent_pid": 688,
"process_guid": "dummy_process_guid",
"process_hash": [],
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_pid": [
2264
],
"process_username": [
"NT AUTHORITY\\NETWORK SERVICE"
],
"regmod_count": 0,
"scriptload_count": 0,
"watchlist_hit": [
"abcd123"
]
}
]
}
}
}

Human Readable Output#

The Results For The Process Search#

Device IdDevice NameProcess NameDevice Policy Id
1234r7betalab\r7betalab-arw04c:\windows\system32\windowspowershell\v1.0\powershell.exe80947
1111cb-markotestc:\windows\system32\svchost.exe6525

cbd-find-observation-details#


Fetches Carbon Black events details based on specified parameters. Supports polling to wait for the search job completion.

Base Command#

cbd-find-observation-details

Input#

Argument NameDescriptionRequired
pollingWhen set to false, the function will not use polling and will return the process job ID. Possible values: yes, no. Default is True.Optional
job_idThe ID of the job to retrieve the details. This is used internally for polling.Optional
alert_idThe ID of the alert to retrieve the observation details. Must be specified alone.Optional
observation_idsA list of observation IDs to retrieve the details. Must be specified alone.Optional
process_hashThe hash of the process to search for. Can be combined with rows, and with device_id or count_unique_devices, but not both.Optional
device_idThe ID of the device to filter the observations. Must be combined with process_hash. Cannot be combined with alert_id, observation_ids, count_unique_devices.Optional
count_unique_devicesA boolean indicating whether to count unique devices executing the process hash. Must be combined with process_hash. Cannot be combined with alert_id, observation_ids, device_id.Optional
rowsThe maximum number of rows to return, up to 10,000. Can only be combined with process_hash.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.EventDetails.job_idStringThe process job id when polling set to false.
CarbonBlackDefense.EventDetails.Results.alert_categoryStringThe category of the alert associated with the observation.
CarbonBlackDefense.EventDetails.Results.alert_idStringThe unique ID of the alert associated with the observation.
CarbonBlackDefense.EventDetails.Results.backend_timestampDateThe timestamp when the observation data was collected from the backend.
CarbonBlackDefense.EventDetails.Results.childproc_countNumberThe number of child processes spawned by the observed process.
CarbonBlackDefense.EventDetails.Results.crossproc_countNumberThe number of cross-process interactions involving the observed process.
CarbonBlackDefense.EventDetails.Results.device_external_ipStringThe external IP address of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_group_idNumberThe group ID associated with the device.
CarbonBlackDefense.EventDetails.Results.device_idNumberThe unique ID of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_installed_byStringThe user or process that installed the device.
CarbonBlackDefense.EventDetails.Results.device_internal_ipStringThe internal IP address of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_locationStringThe physical or network location of the device.
CarbonBlackDefense.EventDetails.Results.device_nameStringThe name of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_osStringThe operating system of the device.
CarbonBlackDefense.EventDetails.Results.device_os_versionStringThe version of the operating system of the device.
CarbonBlackDefense.EventDetails.Results.device_policyStringThe policy applied to the device.
CarbonBlackDefense.EventDetails.Results.device_policy_idNumberThe unique ID of the policy applied to the device.
CarbonBlackDefense.EventDetails.Results.device_sensor_versionStringThe version of the sensor installed on the device.
CarbonBlackDefense.EventDetails.Results.device_target_priorityStringThe priority level of the device as a target.
CarbonBlackDefense.EventDetails.Results.device_timestampDateThe timestamp when the observation was recorded on the device.
CarbonBlackDefense.EventDetails.Results.document_guidStringThe GUID of the document associated with the observation.
CarbonBlackDefense.EventDetails.Results.enrichedBooleanIndicates whether the observation data has been enriched with additional information.
CarbonBlackDefense.EventDetails.Results.enriched_event_typeStringThe type of event after enrichment.
CarbonBlackDefense.EventDetails.Results.event_threat_scoreNumberThe threat score associated with the event.
CarbonBlackDefense.EventDetails.Results.filemod_countNumberThe number of file modifications made by the observed process.
CarbonBlackDefense.EventDetails.Results.ingress_timeDateThe time when the observation data was ingested into the system.
CarbonBlackDefense.EventDetails.Results.legacyBooleanIndicates whether the observation is from a legacy system or data source.
CarbonBlackDefense.EventDetails.Results.modload_countNumberThe number of modules loaded by the observed process.
CarbonBlackDefense.EventDetails.Results.netconn_countNumberThe number of network connections established by the observed process.
CarbonBlackDefense.EventDetails.Results.observation_descriptionStringA description of the observation.
CarbonBlackDefense.EventDetails.Results.observation_idStringThe unique observation ID.
CarbonBlackDefense.EventDetails.Results.observation_typeStringThe type of observation.
CarbonBlackDefense.EventDetails.Results.org_idStringThe organization ID associated with the observation.
CarbonBlackDefense.EventDetails.Results.parent_cmdlineStringThe command line arguments of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_cmdline_lengthNumberThe length of the command line arguments of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_effective_reputationStringThe effective reputation of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_effective_reputation_sourceStringThe source of the effective reputation of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_guidStringThe GUID of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_hashStringThe hash of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_nameStringThe name of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_pidNumberThe PID of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_publisherStringThe publisher of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_publisher_stateStringThe state of the publisher of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_reputationStringThe reputation of the parent process.
CarbonBlackDefense.EventDetails.Results.process_cmdlineStringThe command line arguments of the observed process.
CarbonBlackDefense.EventDetails.Results.process_cmdline_lengthNumberThe length of the command line arguments of the observed process.
CarbonBlackDefense.EventDetails.Results.process_company_nameStringThe company name associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_effective_reputationStringThe effective reputation of the observed process.
CarbonBlackDefense.EventDetails.Results.process_effective_reputation_sourceStringThe source of the effective reputation of the observed process.
CarbonBlackDefense.EventDetails.Results.process_elevatedBooleanIndicates whether the observed process is running with elevated privileges.
CarbonBlackDefense.EventDetails.Results.process_file_descriptionStringThe description of the observed process file.
CarbonBlackDefense.EventDetails.Results.process_guidStringThe GUID of the observed process.
CarbonBlackDefense.EventDetails.Results.process_hashStringThe hash of the observed process.
CarbonBlackDefense.EventDetails.Results.process_integrity_levelStringThe integrity level of the observed process.
CarbonBlackDefense.EventDetails.Results.process_internal_nameStringThe internal name of the observed process.
CarbonBlackDefense.EventDetails.Results.process_nameStringThe name of the observed process.
CarbonBlackDefense.EventDetails.Results.process_original_filenameStringThe original filename of the observed process.
CarbonBlackDefense.EventDetails.Results.process_pidNumberThe PID of the observed process.
CarbonBlackDefense.EventDetails.Results.process_privilegesStringThe privileges associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_product_nameStringThe product name associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_product_versionStringThe product version associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_publisherStringThe publisher of the observed process.
CarbonBlackDefense.EventDetails.Results.process_publisher_stateStringThe state of the publisher of the observed process.
CarbonBlackDefense.EventDetails.Results.process_reputationStringThe reputation of the observed process.
CarbonBlackDefense.EventDetails.Results.process_service_nameStringThe service name associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_sha256unknownThe SHA-256 hash.

Command example#

!cbd-find-observation-details process_hash=abc1234

Context Example#

{
"CarbonBlackDefense": {
"EventDetails": {
"Results": {
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-04-17T01:52:29.056Z",
"blocked_effective_reputation": "TRUSTED_WHITE_LIST",
"blocked_hash": [
"dummy_blocked_hash"
],
"blocked_name": "c:\windows\system32\windowspowershell\v1.0\powershell.exe",
"childproc_cmdline": "\"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\" (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow() ",
"childproc_cmdline_length": 124,
"childproc_effective_reputation": "TRUSTED_WHITE_LIST",
"childproc_effective_reputation_source": "CLOUD",
"childproc_guid": "dummy_childproc_guid",
"childproc_hash": [
"dummy_chidproc_hash"
],
"childproc_issuer": [
"Microsoft Windows Production PCA 2011"
],
"childproc_name": "c:\windows\system32\windowspowershell\v1.0\powershell.exe",
"childproc_pid": 1020,
"childproc_publisher": [
"Microsoft Windows"
],
"childproc_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"childproc_reputation": "TRUSTED_WHITE_LIST",
"childproc_username": "NT AUTHORITY\SYSTEM",
"device_external_ip": "1.1.1.1",
"device_group_id": 0,
"device_id": 12345,
"device_installed_by": "user@example.com",
"device_internal_ip": "1.1.1.1",
"device_location": "OFFSITE",
"device_name": "corp\wsamzn-lshqdrdc",
"device_os": "WINDOWS",
"device_os_version": "Windows Server 2019 x64",
"device_policy": "tines-policy",
"device_policy_id": 1234,
"device_sensor_version": "1.1.1.1",
"device_target_priority": "LOW",
"device_timestamp": "2024-04-17T01:50:54.057Z",
"document_guid": "dummy_document_guid",
"enriched": true,
"enriched_event_type": "CREATE_PROCESS",
"event_attack_stage": [
"INSTALL_RUN"
],
"event_description": "The script \"<share><link hash=\"dummy_hash\">C:\program files\amazon\skylight\scripts\windows_update_status.ps1</link></share>\" invoked the application \"<share><link hash=\"dummy_hash\">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>\". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",
"event_id": "dummy_event_id",
"event_type": "childproc",
"ingress_time": 1713318735609,
"legacy": true,
"observation_description": "The application windows_update_status.ps1 invoked another application (powershell.exe). A Deny Policy Action was applied.",
"observation_id": "dummy_observation_id",
"observation_type": "CB_ANALYTICS",
"org_id": "abc123",
"parent_effective_reputation": "LOCAL_WHITE",
"parent_effective_reputation_source": "PRE_EXISTING",
"parent_guid": "dummy_parent_guid",
"parent_hash": [
"dummy_parent_hash"
],
"parent_name": "c:\program files\amazon\skylight\skylightworkspaceconfigservice.exe",
"parent_pid": 1234,
"parent_reputation": "NOT_LISTED",
"parent_username": "NT AUTHORITY\SYSTEM",
"process_cmdline": [
"\"powershell.exe\" -NonInteractive -ExecutionPolicy AllSigned -File \"C:\Program files\Amazon\SkyLight\scripts\windows_update_status.ps1\" -scriptId windows_update_status.ps1 CheckStatus"
],
"process_cmdline_length": [
182
],
"process_effective_reputation": "ADAPTIVE_WHITE_LIST",
"process_effective_reputation_source": "CLOUD",
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_hash",
],
"process_loaded_script_hash": [
"dummy_process_loaded_script_hash"
],
"process_loaded_script_name": [
"c:\program files\amazon\skylight\scripts\windows_update_status.ps1"
],
"process_name": "c:\program files\amazon\skylight\scripts\windows_update_status.ps1",
"process_pid": [
1234
],
"process_reputation": "NOT_LISTED",
"process_sha256": "dummy_process_sha256",
"process_start_time": "2024-04-17T01:50:48.244Z",
"process_user_id": "S-1-5-18",
"process_username": [
"NT AUTHORITY\SYSTEM"
],
"sensor_action": [
"TERMINATE"
],
"ttp": [
"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
"POLICY_DENY",
"MITRE_T1059_001_POWERSHELL"
]
}
}
}
}

Human Readable Output#

Defense Event Details Results#

Observation IdEvent IdDevice IdDevice External IpDevice Internal IpEnriched Event Type
dummy_observation_iddummy_event_id12341.1.1.11.1.1.1CREATE_PROCESS

cbd-find-observation#


Fetches Carbon Black events details based on specified parameters. Supports polling to wait for the search job completion.

Base Command#

cbd-find-observation

Input#

Argument NameDescriptionRequired
pollingWhen set to false, the function will not use polling and will return the process job ID. Possible values are: yes, no. Default is True.Optional
job_idThe ID of the job to retrieve the observation. This is used internally for polling.Optional
alert_categoryThe Carbon Black Cloud classification for events tagged to an alert. Possible values: "THREAT" and "OBSERVED".Optional
device_external_ipThe IP address of the endpoint according to Carbon Black Cloud. This IP address can differ from the device_internal_ip due to network proxy or NAT. Can be either IPv4 or IPv6 format.Optional
device_idThe ID assigned to the endpoint by Carbon Black Cloud. This ID is unique across all Carbon Black Cloud environments.Optional
device_internal_ipThe IP address of the endpoint reported by the sensor. Can be either IPv4 or IPv6 format.Optional
device_nameThe hostname of the endpoint recorded by the sensor when last initialized.Optional
device_osThe operating system of the endpoint. Possible values: "WINDOWS", "MAC", "LINUX".Optional
device_timestampThe sensor-reported timestamp of the batch of events in which this record was submitted to Carbon Black Cloud. specified as ISO 8601 timestamp in UTC for example: 2020-01-19T04:28:40.190Z.Optional
event_typeThe type of enriched event observed. Possible value: "filemod", "netconn", "regmod", "modload", "crossproc", "childproc", "scriptload", and "fileless_scriptload". Possible values: filemod, netconn, regmod, modload, crossproc, childproc, scriptload, fileless_scriptload.Optional
parent_nameThe file system path of the parent process binary.Optional
parent_reputationThe reputation of the parent process applied by Carbon Black Cloud when the event is initially processed. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST".Optional
process_cmdlineThe command line executed by the actor process.Optional
process_guidThe unique process ID for the actor process.Optional
hashAggregate set of MD5 and SHA-256 hashes associated with the process (including childproc_hash, crossproc_hash, filemod_hash, modload_hash, process_hash).Optional
process_nameThe file system path of the actor process binary.Optional
process_pidThe process ID assigned by the operating system. This can be multi-valued for fork() or exec() process operations on Linux and macOS.Optional
process_reputationThe reputation of the actor process applied when the event is processed by Carbon Black Cloud. Possible values: "ADAPTIVE_WHITE_LIST", "ADWARE", "COMMON_WHITE_LIST", "COMPANY_BLACK_LIST", "COMPANY_WHITE_LIST", "HEURISTIC", "IGNORE", "KNOWN_MALWARE", "LOCAL_WHITE", "NOT_LISTED", "PUP", "RESOLVING", "SUSPECT_MALWARE", and "TRUSTED_WHITE_LIST".Optional
process_start_timeThe sensor reported timestamp of when the process started. specified as ISO 8601 timestamp in UTC for example: 2020-05-04T21:34:03.968Z. This is not available for processes running before the sensor starts.Optional
process_terminatedWhether the process has terminated. Possible values: "true" and "false". Always "false" for enriched events (process termination not recorded).Optional
process_usernameThe user context in which the actor process was executed.
MacOS - all users for the PID for fork() and exec() transitions.
Linux - process user for exec() events, but in a future sensor release can be multi-valued due to setuid().
Optional
sensor_actionThe action performed by the sensor on the process. Possible values: "TERMINATE", "DENY", and "SUSPEND".Optional
queryThe query in Lucene syntax and/or value searches.Optional
rowsThe number of rows to request.Optional
startThe first row to use for pagination.Optional
time_rangeThe time window in which to restrict the search to match using device_timestamp as the reference. The window value will take priority over the start and end times if provided. For example {"end": "2020-01-21T18:34:04Z", "start": "2020-01-18T18:34:04Z", "window": "-2w"}, window: “-2w” (where y=year, w=week, d=day, h=hour, m=minute, s=second) start: ISO 8601 timestamp, end: ISO 8601 timestamp.Optional
interval_in_secondsUsed for polling.Optional
time_outUsed for polling.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.Events.job_idStringThe process job id when polling set to false.
CarbonBlackDefense.Events.Results.alert_categoryStringCategory of the alert associated with the event.
CarbonBlackDefense.Events.Results.alert_idStringThe unique alert ID.
CarbonBlackDefense.Events.Results.backend_timestampDateTimestamp when the event was processed on the backend.
CarbonBlackDefense.Events.Results.childproc_countNumberNumber of child processes spawned by the process.
CarbonBlackDefense.Events.Results.crossproc_countNumberNumber of cross-process operations performed by the process.
CarbonBlackDefense.Events.Results.device_external_ipStringExternal IP address of the device.
CarbonBlackDefense.Events.Results.device_group_idNumberThe device group ID.
CarbonBlackDefense.Events.Results.device_idNumberThe unique device ID.
CarbonBlackDefense.Events.Results.device_installed_byStringUser or entity that installed the device.
CarbonBlackDefense.Events.Results.device_internal_ipStringInternal IP address of the device.
CarbonBlackDefense.Events.Results.device_locationStringPhysical or network location of the device.
CarbonBlackDefense.Events.Results.device_nameStringName of the device.
CarbonBlackDefense.Events.Results.device_osStringOperating system running on the device.
CarbonBlackDefense.Events.Results.device_os_versionStringVersion of the operating system running on the device.
CarbonBlackDefense.Events.Results.device_policyStringSecurity policy applied to the device.
CarbonBlackDefense.Events.Results.device_policy_idNumberThe the security policy ID applied to the device.
CarbonBlackDefense.Events.Results.device_sensor_versionStringVersion of the sensor installed on the device.
CarbonBlackDefense.Events.Results.device_target_priorityStringPriority of the device as a target.
CarbonBlackDefense.Events.Results.device_timestampDateTimestamp of the event as recorded by the device.
CarbonBlackDefense.Events.Results.document_guidStringThe global unique ID for the document associated with the event.
CarbonBlackDefense.Events.Results.enrichedBooleanIndicates whether the event data has been enriched.
CarbonBlackDefense.Events.Results.enriched_event_typeStringType of the enriched event.
CarbonBlackDefense.Events.Results.event_threat_scoreNumberThreat score assigned to the event.
CarbonBlackDefense.Events.Results.filemod_countNumberNumber of file modifications performed by the process.
CarbonBlackDefense.Events.Results.ingress_timeDateTime when the event was ingested by the system.
CarbonBlackDefense.Events.Results.legacyBooleanIndicates whether the event is considered a legacy event.
CarbonBlackDefense.Events.Results.modload_countNumberNumber of modules loaded by the process.
CarbonBlackDefense.Events.Results.netconn_countNumberNumber of network connections established by the process.
CarbonBlackDefense.Events.Results.observation_descriptionStringDescription of the observation associated with the event.
CarbonBlackDefense.Events.Results.observation_idStringThe unique observation ID.
CarbonBlackDefense.Events.Results.observation_typeStringType of the observation associated with the event.
CarbonBlackDefense.Events.Results.org_idStringThe organization ID associated with the event.
CarbonBlackDefense.Events.Results.parent_cmdlineStringCommand line used to execute the parent process.
CarbonBlackDefense.Events.Results.parent_cmdline_lengthNumberLength of the command line used to execute the parent process.
CarbonBlackDefense.Events.Results.parent_effective_reputationStringEffective reputation of the parent process.
CarbonBlackDefense.Events.Results.parent_effective_reputation_sourceStringSource of the effective reputation of the parent process.
CarbonBlackDefense.Events.Results.parent_guidStringThe global unique ID for the parent process.
CarbonBlackDefense.Events.Results.parent_hashStringHash of the parent process.
CarbonBlackDefense.Events.Results.parent_nameStringName of the parent process.
CarbonBlackDefense.Events.Results.parent_pidNumberThe parent process ID.
CarbonBlackDefense.Events.Results.parent_publisherStringPublisher of the parent process.
CarbonBlackDefense.Events.Results.parent_publisher_stateStringPublisher state of the parent process.
CarbonBlackDefense.Events.Results.parent_reputationStringReputation of the parent process.
CarbonBlackDefense.Events.Results.process_cmdlineStringCommand line used to execute the process.
CarbonBlackDefense.Events.Results.process_cmdline_lengthNumberLength of the command line used to execute the process.
CarbonBlackDefense.Events.Results.process_company_nameStringCompany name associated with the process.
CarbonBlackDefense.Events.Results.process_effective_reputationStringEffective reputation of the process.
CarbonBlackDefense.Events.Results.process_effective_reputation_sourceStringSource of the effective reputation of the process.
CarbonBlackDefense.Events.Results.process_elevatedBooleanIndicates whether the process is running with elevated privileges.
CarbonBlackDefense.Events.Results.process_file_descriptionStringFile description of the process.
CarbonBlackDefense.Events.Results.process_guidStringThe global unique process ID.
CarbonBlackDefense.Events.Results.process_hashStringHash of the process.
CarbonBlackDefense.Events.Results.process_integrity_levelStringIntegrity level of the process.
CarbonBlackDefense.Events.Results.process_internal_nameStringInternal name of the process.
CarbonBlackDefense.Events.Results.process_nameStringName of the process.
CarbonBlackDefense.Events.Results.process_original_filenameStringOriginal filename of the process.
CarbonBlackDefense.Events.Results.process_pidNumberThe process ID of the process.
CarbonBlackDefense.Events.Results.process_privilegesStringPrivileges associated with the process.
CarbonBlackDefense.Events.Results.process_product_nameStringProduct name associated with the process.
CarbonBlackDefense.Events.Results.process_product_versionStringProduct version associated with the process.
CarbonBlackDefense.Events.Results.process_publisherStringPublisher of the process.
CarbonBlackDefense.Events.Results.process_publisher_stateStringPublisher state of the process.
CarbonBlackDefense.Events.Results.process_reputationStringReputation of the process.
CarbonBlackDefense.Events.Results.process_service_nameStringService name associated with the process.
CarbonBlackDefense.Events.Results.process_sha256StringSHA-256 hash of the process.
CarbonBlackDefense.Events.Results.process_start_timeDateStart time of the process.
CarbonBlackDefense.Events.Results.process_usernameStringUsername under which the process is running.
CarbonBlackDefense.Events.Results.regmod_countNumberNumber of registry modifications performed by the process.
CarbonBlackDefense.Events.Results.scriptload_countNumberNumber of scripts loaded by the process.
CarbonBlackDefense.Events.Results.sensor_actionStringAction taken by the sensor for the event.
CarbonBlackDefense.Events.Results.ttpStringTactics, techniques, and procedures associated with the event.
CarbonBlackDefense.Events.Results.watchlist_hitStringIndicates if the event matches a watchlist entry.

Command example#

!cbd-find-observation device_id=12345

Context Example#

{
"CarbonBlackDefense": {
"Events": {
"Results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-07-05T09:42:06.625Z",
"blocked_effective_reputation": "COMPANY_BLACK_LIST",
"blocked_hash": [
"dummy_bloched_hash"
],
"blocked_name": "c:\windows\system32\sdiagnhost.exe",
"device_group_id": 0,
"device_id": 1234,
"device_name": "desktop-ua4omu0",
"device_policy_id": 1234,
"device_timestamp": "2024-07-05T09:39:07.695Z",
"enriched": true,
"enriched_event_type": [
"CREATE_PROCESS"
],
"event_description": "The application \"<share><link hash=\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\">C:\Windows\system32\svchost.exe -k DcomLaunch -p</link></share>\" invoked the application \"<share><link hash=\"e5ec6b5b20a16383cc953ad5e478dcdf95ba46281f4fe971673c954d4145c0c4\">c:\windows\system32\sdiagnhost.exe</link></share>\". The operation was <accent>blocked by Carbon Black</accent>.",
"event_id": "dummy_event_id",
"event_type": "childproc",
"ingress_time": 1720172480035,
"legacy": true,
"observation_description": " sdiagnhost.exe on the Company Black List was detected running. A Deny Policy Action was applied.",
"observation_id": "dummy_observation_id",
"observation_type": "CB_ANALYTICS",
"org_id": "dummy_org_id",
"parent_guid": "dummy_parent_guid",
"parent_pid": 616,
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_gash",
"dummy_process_hash"
],
"process_name": "c:\windows\system32\svchost.exe",
"process_pid": [
768
],
"process_username": [
"NT AUTHORITY\SYSTEM"
],
"sensor_action": [
"DENY",
"BLOCK"
]
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-07-03T16:27:53.810Z",
"blocked_effective_reputation": "COMPANY_BLACK_LIST",
"blocked_hash": [
"dummy_blocked_hash"
],
"blocked_name": "c:\windows\system32\windowspowershell\v1.0\powershell.exe",
"device_group_id": 0,
"device_id": 1234,
"device_name": "desktop-ua4omu0",
"device_policy_id": 1234,
"device_timestamp": "2024-07-03T16:25:21.686Z",
"enriched": true,
"enriched_event_type": [
"CREATE_PROCESS"
],
"event_description": "The application \"<share><link hash=\"20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50\">c:\windows\system32\backgroundtaskhost.exe</link></share>\" was prevented from accessing the file \"<share><link hash=\"9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f\">c:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>\" due to a <accent>Deny operation or Terminate process</accent> policy action.",
"event_id": "dummy_event_id",
"event_type": "childproc",
"ingress_time": 1720024053609,
"legacy": true,
"observation_description": "The application backgroundtaskhost.exe invoked another application (powershell.exe). A Deny Policy Action was applied.",
"observation_id": "f82a46c4395811efab18238ba409ec8f:d13802a2-e8a1-180d-8359-fdc0a8c9f007",
"observation_type": "CB_ANALYTICS",
"org_id": "dummy_org_id",
"parent_guid": "dummy_parent_guid",
"parent_pid": 768,
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_hash",
"dummy_process_hash"
],
"process_name": "c:\windows\system32\backgroundtaskhost.exe",
"process_pid": [
1234
],
"process_username": [
"DESKTOP-UA4OMU0\qe-admin"
],
"sensor_action": [
"DENY",
"BLOCK"
]
}
]
}
}
}

Human Readable Output#

Defense Event Results#

Event IdDevice IdEnriched Event Type
8d815dc93ab211efb74fe9e3b00b3b6a6685063CREATE_PROCESS
f82a46c4395811efab18238ba409ec8f6685063CREATE_PROCESS

cbd-device-search#


Searches devices in your organization.

Base Command#

cbd-device-search

Input#

Argument NameDescriptionRequired
device_idThe device ID.Optional
osThe operating system. Possible values: "WINDOWS", "MAC", "LINUX", and "OTHER".Optional
statusThe status of the device. Possible values: "PENDING", "REGISTERED", "DEREGISTERED", "BYPASS", "ACTIVE", "INACTIVE", "ERROR", "ALL", "BYPASS_ON", "LIVE", "SENSOR_PENDING_UPDATE".Optional
start_timeThe time to start getting results. specified as ISO-8601 strings for example: "2021-01-27T12:43:26.243Z".Optional
target_priorityThe “Target value” configured in the policy assigned to the sensor. Possible values: "LOW", "MEDIUM", "HIGH", "MISSION_CRITICAL".Optional
queryThe query in Lucene syntax and/or value searches.Optional
end_timeThe time to stop getting results. specified as ISO-8601 strings for example: "2021-02-27T12:43:26.243Z".Optional
rowsThe maximum number of rows to return. Default is 20. Default is 20.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.Device.activation_codeStringThe device activation code to register the sensor with a specific organization.
CarbonBlackDefense.Device.activation_code_expiry_timeDateThe time when the activation code expires and cannot be used to register a device. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.ad_group_idNumberThe Active Directory group ID to match.
CarbonBlackDefense.Device.appliance_nameStringThe name of the appliance the Virtual Machine (VM) is associated with.
CarbonBlackDefense.Device.appliance_uuidStringThe UUID of the appliance the VM is associated with.
CarbonBlackDefense.Device.av_ave_versionStringThe AVE version (part of AV Version).
CarbonBlackDefense.Device.av_engineStringThe current antivirus (AV) version.
CarbonBlackDefense.Device.av_last_scan_timeDateThe last time a local scan completed. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.av_masterBooleanWhether the device is an AV Master.
CarbonBlackDefense.Device.av_pack_versionStringThe pack version (part of AV version).
CarbonBlackDefense.Device.av_product_versionStringThe product version (part of AV version).
CarbonBlackDefense.Device.av_statusStringThe status of the local scan. For example [ "AV_ACTIVE", "AV_REGISTERED" ]. (AV_NOT_REGISTERED, AV_REGISTERED, AV_DEREGISTERED, AV_ACTIVE, AV_BYPASS, SIGNATURE_UPDATE_DISABLED, ONACCESS_SCAN_DISABLED, ONDEMAND_SCAN_DISABLED, PRODUCT_UPDATE_DISABLED).
CarbonBlackDefense.Device.av_update_serversUnknownA list of the device’s AV servers. For example [ "string", "string" ].
CarbonBlackDefense.Device.av_vdf_versionStringVDF version (part of AV version).
CarbonBlackDefense.Device.cluster_nameStringName of the cluster. A cluster is a group of hosts.
CarbonBlackDefense.Device.current_sensor_policy_nameStringThe name of the policy currently configured on the sensor.
CarbonBlackDefense.Device.datacenter_nameStringThe name of the underlying data center. The data center managed object provides the interface to the common container object for hosts, virtual machines, networks, and datastores.
CarbonBlackDefense.Device.deployment_typeStringThe device’s deployment type. This is a classification that is determined by its lifecycle management policy. (ENDPOINT, WORKLOAD).
CarbonBlackDefense.Device.deregistered_timeDateThe time when the deregister request was received. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.device_meta_data_item_list.key_nameStringThe key name that describes the device.
CarbonBlackDefense.Device.device_meta_data_item_list.key_valueStringThe key value that describes the device.
CarbonBlackDefense.Device.device_meta_data_item_list.positionNumberThe position that describes the device.
CarbonBlackDefense.Device.device_owner_idNumberThe ID of the device owner associated with the device.
CarbonBlackDefense.Device.emailStringThe email address for the device owner.
CarbonBlackDefense.Device.encoded_activation_codeStringThe encoded activation code.
CarbonBlackDefense.Device.esx_host_nameStringThe name of the ESX host on which the VM is deployed.
CarbonBlackDefense.Device.esx_host_uuidStringThe UUID of the ESX host on which the VM is deployed.
CarbonBlackDefense.Device.first_nameStringThe first name of the device owner.
CarbonBlackDefense.Device.idNumberThe ID of the device.
CarbonBlackDefense.Device.last_contact_timeDateThe last time the sensor contacted Carbon Black Cloud. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.last_device_policy_changed_timeDateThe last time the sensor changed from one policy to another. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.last_device_policy_requested_timeDateThe last time the sensor checked for changes to the policy. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.last_external_ip_addressStringThe last IP address of the device according to Carbon Black Cloud. This can differ from the last_internal_ip_address due to the network proxy or NAT. Can be either IPv4 or IPv6 format.
CarbonBlackDefense.Device.last_internal_ip_addressStringThe last IP address of the device reported by the sensor. Can be either IPv4 or IPv6 format.
CarbonBlackDefense.Device.last_locationStringThe device’s current location relative to the organization’s network, based on the current IP address and the device’s registered DNS domain suffix. (UNKNOWN, ONSITE, OFFSITE).
CarbonBlackDefense.Device.last_nameStringThe last name of the device owner.
CarbonBlackDefense.Device.last_policy_updated_timeDateThe last time the current policy received an update. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.last_reported_timeDateThe last time Carbon Black Cloud received one or more events reported by the sensor. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.last_reset_timeDateThe last time the device was reset. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.last_shutdown_timeDateThe last time the device was shutdown. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.linux_kernel_versionStringNot implemented.
CarbonBlackDefense.Device.login_user_nameStringThe last user who logged in to the device. (Requires Windows Carbon Black Cloud sensor).
CarbonBlackDefense.Device.mac_addressStringThe media access control (MAC) address for the device’s primary interface. (Requires Windows CBC sensor version 1.1.1.1 or later, or macOS CBC sensor).
CarbonBlackDefense.Device.middle_nameStringThe middle name of the device owner.
CarbonBlackDefense.Device.nameStringThe hostname of the endpoint recorded by the sensor when last initialized.
CarbonBlackDefense.Device.organization_idNumberThe organization ID.
CarbonBlackDefense.Device.organization_nameStringThe organization name.
CarbonBlackDefense.Device.osStringThe operating system. (WINDOWS, MAC, LINUX, OTHER).
CarbonBlackDefense.Device.os_versionStringThe operating system and version of the endpoint.
CarbonBlackDefense.Device.passive_modeBooleanWhether the device is in bypass mode.
CarbonBlackDefense.Device.policy_idNumberThe policy ID assigned to the device.
CarbonBlackDefense.Device.policy_nameStringThe policy name assigned to the device. This name may not match the current_sensor_policy_name until the sensor checks back in.
CarbonBlackDefense.Device.policy_overrideBooleanWhether the policy was manually assigned to override mass sensor management.
CarbonBlackDefense.Device.quarantinedBooleanThe indicator that the device is in quarantine mode.
CarbonBlackDefense.Device.registered_timeDateThe time when the device was registered with Carbon Black Cloud. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.scan_last_action_timeDateThe last time the background scan was started or stopped. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.scan_last_complete_timeDateThe time the last background scan completed. (ISO 8601 timestamp in UTC).
CarbonBlackDefense.Device.scan_statusStringThe status of the background scan. (NEVER_RUN, STOPPED, IN_PROGRESS, COMPLETED).
CarbonBlackDefense.Device.sensor_kit_typeStringThe type of sensor installed on the device. (XP, WINDOWS, MAC, AV_SIG, OTHER, RHEL, UBUNTU, SUSE, AMAZON_LINUX, MAC_OSX).
CarbonBlackDefense.Device.sensor_out_of_dateBooleanWhether there is a new version available to be installed.
CarbonBlackDefense.Device.sensor_pending_updateBooleanWhether the sensor is marked by the sensor updater service for a sensor upgrade.
CarbonBlackDefense.Device.sensor_statesStringThe states the sensor is in. For example [ "ACTIVE", "LIVE_RESPONSE_ENABLED" ]. (ACTIVE, PANICS_DETECTED, LOOP_DETECTED, DB_CORRUPTION_DETECTED, CSR_ACTION, REPUX_ACTION, DRIVER_INIT_ERROR, REMGR_INIT_ERROR, UNSUPPORTED_OS, SENSOR_UPGRADE_IN_PROGRESS, SENSOR_UNREGISTERED, WATCHDOG, SENSOR_RESET_IN_PROGRESS, DRIVER_INIT_REBOOT_REQUIRED, DRIVER_LOAD_NOT_GRANTED, SENSOR_SHUTDOWN, SENSOR_MAINTENANCE, FULL_DISK_ACCESS_NOT_GRANTED, DEBUG_MODE_ENABLED, AUTO_UPDATE_DISABLED, SELF_PROTECT_DISABLED, VDI_MODE_ENABLED, POC_MODE_ENABLED, SECURITY_CENTER_OPTLN_DISABLED, LIVE_RESPONSE_RUNNING, LIVE_RESPONSE_NOT_RUNNING, LIVE_RESPONSE_KILLED, LIVE_RESPONSE_NOT_KILLED, LIVE_RESPONSE_ENABLED, LIVE_RESPONSE_DISABLED, DRIVER_KERNEL, DRIVER_USERSPACE).
CarbonBlackDefense.Device.sensor_versionStringThe version of the installed sensor in the format: #.#.#.#.
CarbonBlackDefense.Device.statusStringThe status of the device. (PENDING, REGISTERED, DEREGISTERED, BYPASS Additional searchable statuses that are not returnable ACTIVE, INACTIVE, ERROR, ALL, BYPASS_ON, LIVE, SENSOR_PENDING_UPDATE).
CarbonBlackDefense.Device.target_priorityStringDevice target priorities to match. (LOW, MEDIUM, HIGH, MISSION_CRITICAL).
CarbonBlackDefense.Device.uninstall_codeStringThe code to enter when uninstalling the sensor.
CarbonBlackDefense.Device.vcenter_host_urlStringThe vCenter host URL.
CarbonBlackDefense.Device.vcenter_nameStringThe name of the vCenter the VM is associated with.
CarbonBlackDefense.Device.vcenter_uuidStringThe 128-bit SMBIOS UUID of a vCenter represented as a hexadecimal string.
CarbonBlackDefense.Device.vdi_base_deviceNumberThe ID of the device from which this device was cloned/re-registered.
CarbonBlackDefense.Device.virtual_machineBooleanWhether this device is a virtual machine (VMware AppDefense integration). Deprecated for deployment_type.
CarbonBlackDefense.Device.virtualization_providerStringThe name of the VM virtualization provider.
CarbonBlackDefense.Device.vm_ipStringThe IP address of the VM.
CarbonBlackDefense.Device.vm_nameStringThe name of the VM that the sensor is deployed on.
CarbonBlackDefense.Device.vm_uuidStringThe 128-bit SMBIOS UUID of a virtual machine represented as a hexadecimal string. (Format: 12345678-abcd-1234-cdef-123456789abc).
CarbonBlackDefense.Device.vulnerability_scoreNumberThe vulnerability score from 0 to 100 indicating the workload’s level of vulnerability with 100 being highly vulnerable.
CarbonBlackDefense.Device.vulnerability_severityStringThe severity level indicating the workload’s vulnerability. (CRITICAL, MODERATE, IMPORTANT, LOW).
CarbonBlackDefense.Device.windows_platformStringDeprecated for os_version. (CLIENT_X86, CLIENT_X64, SERVER_X86, SERVER_X64, CLIENT_ARM64, SERVER_ARM64).

Command example#

!cbd-device-search

Context Example#

{
"CarbonBlackDefense": {
"Device": [
{
"activation_code": null,
"activation_code_expiry_time": "2023-01-19T12:11:11.883Z",
"ad_domain": null,
"ad_group_id": 0,
"ad_org_unit": null,
"appliance_name": null,
"appliance_uuid": null,
"asset_group": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
}
],
"auto_scaling_group_name": null,
"av_ave_version": null,
"av_engine": null,
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": null,
"av_product_version": null,
"av_status": [
"AV_ACTIVE",
"SIGNATURE_UPDATE_DISABLED",
"ONACCESS_SCAN_DISABLED",
"ONDEMAND_SCAN_DISABLED"
],
"av_update_servers": null,
"av_vdf_version": null,
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_managed_identity": null,
"cloud_provider_network": null,
"cloud_provider_resource_group": null,
"cloud_provider_resource_id": null,
"cloud_provider_scale_group": null,
"cloud_provider_tags": [],
"cluster_name": null,
"compliance_status": "NOT_ASSESSED",
"current_sensor_policy_name": "default",
"datacenter_name": null,
"deployment_type": "WORKLOAD",
"deregistered_time": null,
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "Windows 10",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "1.1.1.1",
"position": 0
}
],
"device_owner_id": "dummy_device_owner_id",
"email": "CB-H10\\Admin",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"groups": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
}
],
"host_based_firewall_reasons": [],
"host_based_firewall_status": null,
"id": "dummy_id",
"infrastructure_provider": "NONE",
"last_contact_time": "2024-07-09T15:30:29.175Z",
"last_device_policy_changed_time": "2024-02-01T10:30:40.624Z",
"last_device_policy_requested_time": "2024-07-09T15:30:31.028Z",
"last_external_ip_address": "1.1.1.1",
"last_internal_ip_address": "1.1.1.1",
"last_location": "OFFSITE",
"last_name": null,
"last_policy_updated_time": "2024-06-17T09:21:35.212Z",
"last_reported_time": "2024-07-09T15:30:29.797Z",
"last_reset_time": null,
"last_shutdown_time": "2024-07-09T14:30:21.720Z",
"linux_kernel_version": null,
"login_user_name": "CB-H10\\Admin",
"mac_address": "005056a285bc",
"middle_name": null,
"name": "CB-H10",
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": "dummy_organization_id",
"organization_name": "cb-internal-alliances.com",
"os": "WINDOWS",
"os_version": "Windows 10 x64",
"passive_mode": false,
"policy_assignment_type": "MANUAL",
"policy_id": "dummy_policy_id",
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": "2023-01-12T12:11:11.930Z",
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_gateway_url": null,
"sensor_gateway_uuid": null,
"sensor_kit_type": "WINDOWS",
"sensor_out_of_date": true,
"sensor_pending_update": false,
"sensor_states": [
"ACTIVE",
"LIVE_RESPONSE_NOT_RUNNING",
"LIVE_RESPONSE_NOT_KILLED",
"LIVE_RESPONSE_ENABLED"
],
"sensor_version": "1.1.1.1",
"status": "REGISTERED",
"target_priority": "MEDIUM",
"uninstall_code": "dummy_uninstall_code",
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": 6039303,
"vdi_provider": "NONE",
"virtual_machine": true,
"virtual_private_cloud_id": null,
"virtualization_provider": "VMW_ESX",
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 0,
"vulnerability_severity": null,
"windows_platform": null
},
{
"activation_code": null,
"activation_code_expiry_time": "2020-10-27T13:49:46.641Z",
"ad_domain": null,
"ad_group_id": 0,
"ad_org_unit": null,
"appliance_name": null,
"appliance_uuid": null,
"asset_group": null,
"auto_scaling_group_name": null,
"av_ave_version": null,
"av_engine": null,
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": null,
"av_product_version": null,
"av_status": [],
"av_update_servers": null,
"av_vdf_version": null,
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_managed_identity": null,
"cloud_provider_network": null,
"cloud_provider_resource_group": null,
"cloud_provider_resource_id": null,
"cloud_provider_scale_group": null,
"cloud_provider_tags": [],
"cluster_name": null,
"compliance_status": "NOT_ASSESSED",
"current_sensor_policy_name": "default",
"datacenter_name": null,
"deployment_type": "WORKLOAD",
"deregistered_time": null,
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "CentOS 7",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "1.1.1.1",
"position": 0
}
],
"device_owner_id": "dummy_device_owner_id",
"email": "localhost.localdomain",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"groups": null,
"host_based_firewall_reasons": [],
"host_based_firewall_status": null,
"id": "dummy_id",
"infrastructure_provider": "NONE",
"last_contact_time": "2024-07-09T15:29:27.472Z",
"last_device_policy_changed_time": "2024-05-24T09:24:52.884Z",
"last_device_policy_requested_time": "2024-06-21T20:15:56.512Z",
"last_external_ip_address": "1.1.1.1",
"last_internal_ip_address": "1.1.1.1",
"last_location": "UNKNOWN",
"last_name": null,
"last_policy_updated_time": "2024-06-17T09:21:35.212Z",
"last_reported_time": "2024-07-09T10:51:07.343Z",
"last_reset_time": null,
"last_shutdown_time": null,
"linux_kernel_version": null,
"login_user_name": null,
"mac_address": "0050568135bc",
"middle_name": null,
"name": "localhost.localdomain",
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": "dummy_organization_id",
"organization_name": "cb-internal-alliances.com",
"os": "LINUX",
"os_version": "CentOS 7.9-2009 x64",
"passive_mode": false,
"policy_assignment_type": "MANUAL",
"policy_id": "dummy_policy_id",
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": "2024-01-31T05:16:55.865Z",
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_gateway_url": null,
"sensor_gateway_uuid": null,
"sensor_kit_type": "RHEL",
"sensor_out_of_date": true,
"sensor_pending_update": false,
"sensor_states": [
"LIVE_RESPONSE_ENABLED",
"LIVE_RESPONSE_NOT_KILLED",
"ACTIVE"
],
"sensor_version": "1.1.1.10133",
"status": "REGISTERED",
"target_priority": "MEDIUM",
"uninstall_code": "dummy_uninstall_code",
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"vdi_provider": "NONE",
"virtual_machine": true,
"virtual_private_cloud_id": null,
"virtualization_provider": "VMW_ESX",
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 9.8,
"vulnerability_severity": "CRITICAL",
"windows_platform": null
},
{
"activation_code": "dummy_activation_code",
"activation_code_expiry_time": "2021-03-08T22:36:37.549Z",
"ad_domain": [
"SDE.LOGRHYTHM.COM"
],
"ad_group_id": 0,
"ad_org_unit": [
"OPERATIONS",
"SERVERS"
],
"appliance_name": null,
"appliance_uuid": null,
"asset_group": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
}
],
"auto_scaling_group_name": null,
"av_ave_version": "1.1.1.1",
"av_engine": "1.1.1.1-ave.1.1.1.1",
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": "1.1.1.1",
"av_product_version": "1.1.1.1",
"av_status": [
"AV_ACTIVE",
"SIGNATURE_UPDATE_DISABLED",
"ONDEMAND_SCAN_DISABLED"
],
"av_update_servers": null,
"av_vdf_version": "1.1.1.1",
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_managed_identity": null,
"cloud_provider_network": null,
"cloud_provider_resource_group": null,
"cloud_provider_resource_id": null,
"cloud_provider_scale_group": null,
"cloud_provider_tags": [],
"cluster_name": null,
"compliance_status": "NOT_ASSESSED",
"current_sensor_policy_name": "default",
"datacenter_name": null,
"deployment_type": "WORKLOAD",
"deregistered_time": null,
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "Windows",
"position": 0
},
{
"key_name": "AD_LDAP",
"key_value": "OU=Operations,OU=Servers,DC=sde,DC=logrhythm,DC=com",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "1.1.1.1",
"position": 0
}
],
"device_owner_id": "dummy_device_owner_id",
"email": "jake.haldeman@logrhythm.com",
"encoded_activation_code": "dummy_encoded_activation_code",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": "Jake",
"golden_device": null,
"golden_device_id": null,
"groups": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
}
],
"host_based_firewall_reasons": [],
"host_based_firewall_status": null,
"id": "dummy_id",
"infrastructure_provider": null,
"last_contact_time": "2024-07-09T15:29:23.630Z",
"last_device_policy_changed_time": "2024-05-24T09:23:08.184Z",
"last_device_policy_requested_time": "2024-06-17T09:22:32.585Z",
"last_external_ip_address": "1.1.1.1",
"last_internal_ip_address": "1.1.1.1",
"last_location": "OFFSITE",
"last_name": "Haldeman",
"last_policy_updated_time": "2024-06-17T09:21:35.212Z",
"last_reported_time": "2024-07-05T23:41:48.091Z",
"last_reset_time": null,
"last_shutdown_time": null,
"linux_kernel_version": null,
"login_user_name": "SDE\\luis.castaneda",
"mac_address": "00505694822c",
"middle_name": null,
"name": "SDE\\USBO1SEFS-01",
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": "dummy_organization_id",
"organization_name": "cb-internal-alliances.com",
"os": "WINDOWS",
"os_version": "Server 2012 R2 x64",
"passive_mode": true,
"policy_assignment_type": "MANUAL",
"policy_id": "dummy_policy_id",
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": "2021-03-01T22:38:55.160Z",
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_gateway_url": null,
"sensor_gateway_uuid": null,
"sensor_kit_type": "WINDOWS",
"sensor_out_of_date": true,
"sensor_pending_update": false,
"sensor_states": [
"REPUX_ACTION",
"LIVE_RESPONSE_NOT_RUNNING",
"LIVE_RESPONSE_NOT_KILLED",
"LIVE_RESPONSE_ENABLED"
],
"sensor_version": "1.1.1.19",
"status": "BYPASS",
"target_priority": "MEDIUM",
"uninstall_code": "dummy_uninstall_code",
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"vdi_provider": null,
"virtual_machine": true,
"virtual_private_cloud_id": null,
"virtualization_provider": "VMW_ESX",
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 9.8,
"vulnerability_severity": "CRITICAL",
"windows_platform": null
},
{
"activation_code": null,
"activation_code_expiry_time": "2023-10-27T18:45:09.805Z",
"ad_domain": [
"RTEST.COM"
],
"ad_group_id": 0,
"ad_org_unit": null,
"appliance_name": null,
"appliance_uuid": null,
"asset_group": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
}
],
"auto_scaling_group_name": null,
"av_ave_version": "1.1.1.1",
"av_engine": "1.1.1.1-ave.1.1.1.1:avpack.1.1.1.1:vdf.1.1.1.1:vdfdate.20231205",
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": "1.1.1.1",
"av_product_version": "1.1.1.1",
"av_status": [
"AV_ACTIVE",
"SIGNATURE_UPDATE_DISABLED",
"ONDEMAND_SCAN_DISABLED"
],
"av_update_servers": null,
"av_vdf_version": "1.1.1.1",
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_managed_identity": null,
"cloud_provider_network": null,
"cloud_provider_resource_group": null,
"cloud_provider_resource_id": null,
"cloud_provider_scale_group": null,
"cloud_provider_tags": [],
"cluster_name": null,
"compliance_status": "NOT_ASSESSED",
"current_sensor_policy_name": "default",
"datacenter_name": null,
"deployment_type": "WORKLOAD",
"deregistered_time": null,
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "Windows 10",
"position": 0
},
{
"key_name": "AD_LDAP",
"key_value": "DC=rtest,DC=com",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "1.1.1.1",
"position": 0
}
],
"device_owner_id": "dummy_device_owner_id",
"email": "bvanpelt",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"groups": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
}
],
"host_based_firewall_reasons": [],
"host_based_firewall_status": "NOT_ENABLED",
"id": "dummy_id",
"infrastructure_provider": "NONE",
"last_contact_time": "2024-07-09T15:29:05.974Z",
"last_device_policy_changed_time": "2023-12-05T10:14:32.584Z",
"last_device_policy_requested_time": "2024-06-17T09:21:56.441Z",
"last_external_ip_address": "1.1.1.1",
"last_internal_ip_address": "1.1.1.1",
"last_location": "OFFSITE",
"last_name": null,
"last_policy_updated_time": "2024-06-17T09:21:35.212Z",
"last_reported_time": "2024-07-09T10:03:10.504Z",
"last_reset_time": null,
"last_shutdown_time": "2024-04-27T00:06:14.478Z",
"linux_kernel_version": null,
"login_user_name": "RTEST\\bvanpelt",
"mac_address": "005056adf705",
"middle_name": null,
"name": "RTEST\\bvp-carbonblack",
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": "dummy_organization_id",
"organization_name": "cb-internal-alliances.com",
"os": "WINDOWS",
"os_version": "Windows 10 x64",
"passive_mode": false,
"policy_assignment_type": "MANUAL",
"policy_id": "dummy_policy_id",
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": "2023-10-20T18:45:09.842Z",
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_gateway_url": null,
"sensor_gateway_uuid": null,
"sensor_kit_type": "WINDOWS",
"sensor_out_of_date": true,
"sensor_pending_update": false,
"sensor_states": [
"ACTIVE",
"LIVE_RESPONSE_NOT_RUNNING",
"LIVE_RESPONSE_NOT_KILLED",
"LIVE_RESPONSE_ENABLED",
"CB_FIREWALL_INACTIVE"
],
"sensor_version": "1.1.1.18",
"status": "REGISTERED",
"target_priority": "MEDIUM",
"uninstall_code": "dummy_uninstall_code",
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"vdi_provider": "NONE",
"virtual_machine": true,
"virtual_private_cloud_id": null,
"virtualization_provider": "VMW_ESX",
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 8.8,
"vulnerability_severity": "IMPORTANT",
"windows_platform": null
},
{
"activation_code": null,
"activation_code_expiry_time": "2023-09-10T08:35:13.955Z",
"ad_domain": null,
"ad_group_id": 0,
"ad_org_unit": null,
"appliance_name": null,
"appliance_uuid": null,
"asset_group": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
}
],
"auto_scaling_group_name": null,
"av_ave_version": null,
"av_engine": null,
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": null,
"av_product_version": null,
"av_status": [
"AV_ACTIVE",
"SIGNATURE_UPDATE_DISABLED",
"ONDEMAND_SCAN_DISABLED"
],
"av_update_servers": null,
"av_vdf_version": null,
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_managed_identity": null,
"cloud_provider_network": null,
"cloud_provider_resource_group": null,
"cloud_provider_resource_id": null,
"cloud_provider_scale_group": null,
"cloud_provider_tags": [],
"cluster_name": null,
"compliance_status": "NOT_ASSESSED",
"current_sensor_policy_name": "default",
"datacenter_name": null,
"deployment_type": "ENDPOINT",
"deregistered_time": null,
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "Windows 11",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "1.1.1.1",
"position": 0
}
],
"device_owner_id": "dummy_device_owner_id",
"email": "microsoftwindowsserver2022datacenterfe8013b5d1a8b08636a7",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"groups": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
}
],
"host_based_firewall_reasons": [],
"host_based_firewall_status": "NOT_ENABLED",
"id": "dummy_id",
"infrastructure_provider": "NONE",
"last_contact_time": "2024-07-09T15:28:45.119Z",
"last_device_policy_changed_time": "2024-02-01T10:28:55.298Z",
"last_device_policy_requested_time": "2024-06-17T09:21:35.726Z",
"last_external_ip_address": "1.1.1.1",
"last_internal_ip_address": "1.1.1.1",
"last_location": "OFFSITE",
"last_name": null,
"last_policy_updated_time": "2024-06-17T09:21:35.212Z",
"last_reported_time": "2024-07-09T09:04:06.948Z",
"last_reset_time": null,
"last_shutdown_time": "2023-09-13T07:34:15.360Z",
"linux_kernel_version": null,
"login_user_name": "INT01-CARBONBLA\\Administrator",
"mac_address": "0236414d5bd9",
"middle_name": null,
"name": "int01-carbonblack",
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": "dummy_organization_id",
"organization_name": "cb-internal-alliances.com",
"os": "WINDOWS",
"os_version": "Windows Server 2022 x64",
"passive_mode": true,
"policy_assignment_type": "MANUAL",
"policy_id": "dummy_policy_id",
"policy_name": "default",
"policy_override": true,
"quarantined": true,
"registered_time": "2023-09-03T08:35:13.991Z",
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_gateway_url": null,
"sensor_gateway_uuid": null,
"sensor_kit_type": "WINDOWS",
"sensor_out_of_date": true,
"sensor_pending_update": false,
"sensor_states": [
"CSR_ACTION",
"LIVE_RESPONSE_NOT_RUNNING",
"LIVE_RESPONSE_NOT_KILLED",
"LIVE_RESPONSE_ENABLED",
"CB_FIREWALL_INACTIVE"
],
"sensor_version": "1.1.1.18",
"status": "BYPASS",
"target_priority": "MEDIUM",
"uninstall_code": "dummy_uninstall_code",
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"vdi_provider": "NONE",
"virtual_machine": true,
"virtual_private_cloud_id": null,
"virtualization_provider": "OTHER",
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 9.8,
"vulnerability_severity": "CRITICAL",
"windows_platform": null
},
{
"activation_code": null,
"activation_code_expiry_time": "2017-12-21T11:35:18.286Z",
"ad_domain": null,
"ad_group_id": 0,
"ad_org_unit": null,
"appliance_name": null,
"appliance_uuid": null,
"asset_group": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
}
],
"auto_scaling_group_name": null,
"av_ave_version": "1.1.1.1",
"av_engine": "1.2.3.4-ave.1.2.3.4:avpack.1.2.3.4:vdf.1.2.3.4",
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": "1.1.1.1",
"av_product_version": "1.1.1.1",
"av_status": [
"AV_ACTIVE",
"SIGNATURE_UPDATE_DISABLED",
"ONDEMAND_SCAN_DISABLED"
],
"av_update_servers": null,
"av_vdf_version": "1.1.1.1",
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_managed_identity": null,
"cloud_provider_network": null,
"cloud_provider_resource_group": null,
"cloud_provider_resource_id": null,
"cloud_provider_scale_group": null,
"cloud_provider_tags": [],
"cluster_name": null,
"compliance_status": "NOT_ASSESSED",
"current_sensor_policy_name": null,
"datacenter_name": null,
"deployment_type": "ENDPOINT",
"deregistered_time": null,
"device_meta_data_item_list": [
{
"key_name": "OS_MAJOR_VERSION",
"key_value": "Windows",
"position": 0
},
{
"key_name": "SUBNET",
"key_value": "1.1.1.1",
"position": 0
}
],
"device_owner_id": "dummy_device_owner_id",
"email": "EPO-AGENT-PC\\EPO",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"groups": [
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "My Example Asset Group"
},
{
"id": "dummy_id",
"membership_type": "DYNAMIC",
"name": "Windows No Policy"
}
],
"host_based_firewall_reasons": [],
"host_based_firewall_status": null,
"id": "dummy_id",
"infrastructure_provider": null,
"last_contact_time": "2024-07-09T15:28:44.460Z",
"last_device_policy_changed_time": "2024-01-05T20:26:17.411Z",
"last_device_policy_requested_time": "2024-06-19T15:54:20.202Z",
"last_external_ip_address": "1.1.1.1",
"last_internal_ip_address": "1.1.1.1",
"last_location": "OFFSITE",
"last_name": null,
"last_policy_updated_time": "2024-06-17T09:21:35.212Z",
"last_reported_time": "2024-06-19T16:00:46.224Z",
"last_reset_time": null,
"last_shutdown_time": "2023-07-03T07:29:15.161Z",
"linux_kernel_version": null,
"login_user_name": null,
"mac_address": null,
"middle_name": null,
"name": "EPO-AGENT-PC",
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": "dummy_organization_id",
"organization_name": "cb-internal-alliances.com",
"os": "WINDOWS",
"os_version": "Windows 7 x64 SP: 1",
"passive_mode": true,
"policy_assignment_type": "MANUAL",
"policy_id": "dummy_policy_id",
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": "2017-12-14T11:35:18.317Z",
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_gateway_url": null,
"sensor_gateway_uuid": null,
"sensor_kit_type": "WINDOWS",
"sensor_out_of_date": true,
"sensor_pending_update": false,
"sensor_states": [
"CSR_ACTION",
"LIVE_RESPONSE_NOT_RUNNING",
"LIVE_RESPONSE_NOT_KILLED",
"LIVE_RESPONSE_ENABLED"
],
"sensor_version": "1.1.1.1",
"status": "BYPASS",
"target_priority": "MEDIUM",
"uninstall_code": "dummy_uninstall_code",
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"vdi_provider": null,
"virtual_machine": false,
"virtual_private_cloud_id": null,
"virtualization_provider": null,
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 0,
"vulnerability_severity": null,
"windows_platform": null
}
]
}
}

Human Readable Output#

Carbon Black Defense Devices List Results#

IdNameOsPolicy NameQuarantinedStatusTarget PriorityLast Internal Ip AddressLast External Ip AddressLast Contact TimeLast Location
6494305CB-H10WINDOWSdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:29.175ZOFFSITE
7762940cb-linux-1LINUXdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:22.439ZUNKNOWN
4136358DESKTOP-F70DSE6WINDOWSdefaultfalseBYPASSMEDIUM1.1.1.11.1.1.12024-07-09T15:30:20.279ZOFFSITE
6697317SKOVILLE\pequinWINDOWSdefaulttrueBYPASSMEDIUM1.1.1.11.1.1.12024-07-09T15:30:19.954ZOFFSITE
6227495CB-MarkoTestWINDOWSdefaulttrueREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:19.640ZOFFSITE
7533319R7BETALAB\R7BETALAB-ARW04WINDOWSAWN BASfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:09.740ZOFFSITE
7762975cb-linux-2LINUXdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:09.305ZUNKNOWN
6268346Kognos-CB-2WINDOWSdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:05.050ZOFFSITE
5654865misp1LINUXdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:30:04.821ZUNKNOWN
6286530DESKTOP-PGMSAIEWINDOWSdefaulttrueREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:29:52.511ZOFFSITE
8213794win1122H2newWINDOWS⚠️ Wide OpenfalseREGISTEREDLOW1.1.1.11.1.1.12024-07-09T15:29:45.110ZOFFSITE
3777587bo1tapsandbox-01LINUXdefaultfalseBYPASSMEDIUM1.1.1.11.1.1.12024-07-09T15:29:40.803ZUNKNOWN
6697325cayenneLINUXdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:29:33.955ZUNKNOWN
7773496localhost.localdomainLINUXdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:29:27.472ZUNKNOWN
4081930SDE\USBO1SEFS-01WINDOWSdefaultfalseBYPASSMEDIUM1.1.1.11.1.1.12024-07-09T15:29:23.630ZOFFSITE
7460343RTEST\bvp-carbonblackWINDOWSdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:29:05.974ZOFFSITE
6612402EIP\WW-20003WINDOWSdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:28:51.666ZOFFSITE
6697318SKOVILLE\jalapenoWINDOWSdefaultfalseREGISTEREDMEDIUM1.1.1.11.1.1.12024-07-09T15:28:50.821ZOFFSITE
7315458int01-carbonblackWINDOWSdefaulttrueBYPASSMEDIUM1.1.1.11.1.1.12024-07-09T15:28:45.119ZOFFSITE
607519EPO-AGENT-PCWINDOWSdefaultfalseBYPASSMEDIUM1.1.1.11.1.1.12024-07-09T15:28:44.460ZOFFSITE

cbd-device-quarantine#


Quarantines the device. Not supported for devices in a Linux operating system.

Base Command#

cbd-device-quarantine

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required

Context Output#

There is no context output for this command.

cbd-device-unquarantine#


Unquarantines the device. Not supported for devices in a Linux operating system.

Base Command#

cbd-device-unquarantine

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required

Context Output#

There is no context output for this command.

cbd-device-background-scan#


Starts a background scan on the device. Not supported for devices in a Linux operating system.

Base Command#

cbd-device-background-scan

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required

Context Output#

There is no context output for this command.

cbd-device-background-scan-stop#


Stops a background scan on the device. Not supported for devices in a Linux operating system.

Base Command#

cbd-device-background-scan-stop

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required

Context Output#

There is no context output for this command.

cbd-device-bypass#


Bypasses a device.

Base Command#

cbd-device-bypass

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required

Context Output#

There is no context output for this command.

cbd-device-unbypass#


Unbypasses a device.

Base Command#

cbd-device-unbypass

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required

Context Output#

There is no context output for this command.

cbd-device-policy-update#


Updates the devices to the specified policy ID.

Base Command#

cbd-device-policy-update

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required
policy_idThe ID of the policy.Required

Context Output#

There is no context output for this command.

cbd-device-update-sensor-version#


Updates the version of a sensor.

Base Command#

cbd-device-update-sensor-version

Input#

Argument NameDescriptionRequired
device_idThe ID of the device.Required
sensor_versionThe new version of the sensor. For example: { "MAC": "1.1.1.1" }. Supported types: XP, WINDOWS, MAC, AV_SIG, OTHER, RHEL, UBUNTU, SUSE, AMAZON_LINUX, MAC_OSX. Possible values are: {"XP":}, {"WINDOWS":}, {"MAC":}, {"AV_SIG":}, {"OTHER":}, {"RHEL":}, {"UBUNTU":}, {"SUSE":}, {"AMAZON_LINUX":}, {"MAC_OSX":}.Required

Context Output#

There is no context output for this command.

cbd-find-processes-results#


Retrieves the search results using the specified job ID.

Base Command#

cbd-find-processes-results

Input#

Argument NameDescriptionRequired
pollingWhen set to false, the function will not use polling and will return the process status or the result if the process is complete.Optional
job_idThe unique ID for the process search job. This ID is used to retrieve the results of the process search initiated by Carbon Black Cloud.Required
rowsThe number of rows to request.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.Process.Results.backend_timestampDateThe timestamp when the process data was collected from the backend.
CarbonBlackDefense.Process.Results.childproc_countNumberThe number of child processes spawned by the process.
CarbonBlackDefense.Process.Results.crossproc_countNumberThe number of cross-process interactions involving the process.
CarbonBlackDefense.Process.Results.device_idNumberThe unique ID of the device where the process is running.
CarbonBlackDefense.Process.Results.device_nameStringThe name of the device where the process is running.
CarbonBlackDefense.Process.Results.device_policy_idNumberThe policy ID associated with the device.
CarbonBlackDefense.Process.Results.device_timestampDateThe timestamp when the process data was collected from the device.
CarbonBlackDefense.Process.Results.filemod_countNumberThe number of file modifications made by the process.
CarbonBlackDefense.Process.Results.index_classStringThe classification of the process based on indexing.
CarbonBlackDefense.Process.Results.modload_countNumberThe number of modules loaded by the process.
CarbonBlackDefense.Process.Results.netconn_countNumberThe number of network connections established by the process.
CarbonBlackDefense.Process.Results.org_idStringThe organization ID associated with the process.
CarbonBlackDefense.Process.Results.parent_guidStringThe GUID of the parent process.
CarbonBlackDefense.Process.Results.parent_pidNumberThe PID of the parent process.
CarbonBlackDefense.Process.Results.partition_idNumberThe partition ID associated with the process.
CarbonBlackDefense.Process.Results.process_guidStringThe GUID of the process.
CarbonBlackDefense.Process.Results.process_hashStringThe hash of the process.
CarbonBlackDefense.Process.Results.process_nameStringThe name of the process.
CarbonBlackDefense.Process.Results.process_pidNumberThe PID of the process.
CarbonBlackDefense.Process.Results.process_usernameStringThe username under which the process is running.
CarbonBlackDefense.Process.Results.regmod_countNumberThe number of registry modifications made by the process.
CarbonBlackDefense.Process.Results.scriptload_countNumberThe number of scripts loaded by the process.

Command example#

!cbd-find-processes-results job_id=abc-123 rows=2

Context Example#

{
"CarbonBlackDefense": {
"Process": {
"Results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"49becb5d-8cca-4b39-b7f4-d94401533dab",
"6038e242-2c44-470c-92e3-bf3a0c32dc26",
"a7056445-388b-46d8-9d8e-3885bfe28fc0"
],
"backend_timestamp": "2024-07-11T14:51:29.069Z",
"childproc_count": 1,
"crossproc_count": 7,
"device_group_id": 0,
"device_id": 12345,
"device_name": "r7betalab\\r7betalab-arw04",
"device_policy_id": 80947,
"device_timestamp": "2024-07-11T14:44:11.754Z",
"filemod_count": 11,
"ingress_time": 1720709467661,
"modload_count": 40,
"netconn_count": 0,
"org_id": "7DESJ9GN",
"parent_guid": "dummy_parent_guid",
"parent_pid": 4380,
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_hash",
],
"process_name": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
"process_pid": [
2192
],
"process_username": [
"R7BETALAB\\svc_idr"
],
"regmod_count": 4,
"scriptload_count": 1,
"watchlist_hit": []
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-07-11T14:34:13.616Z",
"childproc_count": 0,
"crossproc_count": 0,
"device_group_id": 0,
"device_id": 12345,
"device_name": "cb-markotest",
"device_policy_id": 6525,
"device_timestamp": "2024-07-11T14:30:39.203Z",
"filemod_count": 0,
"ingress_time": 1720708414089,
"modload_count": 0,
"netconn_count": 1,
"org_id": "7DESJ9GN",
"parent_guid": "dummy_parent_guid",
"parent_pid": 688,
"process_guid": "dummy_process_guid",
"process_hash": [],
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_pid": [
2264
],
"process_username": [
"NT AUTHORITY\\NETWORK SERVICE"
],
"regmod_count": 0,
"scriptload_count": 0,
"watchlist_hit": [
"abcd123"
]
}
]
}
}
}

Human Readable Output#

The Results For The Process Search#

Device IdDevice NameProcess NameDevice Policy Id
1234r7betalab\r7betalab-arw04c:\windows\system32\windowspowershell\v1.0\powershell.exe80947
1111cb-markotestc:\windows\system32\svchost.exe6525

cbd-find-observation-details-results#


Retrieves the search results using the specified job ID.

Base Command#

cbd-find-observation-details-results

Input#

Argument NameDescriptionRequired
job_idThe unique ID for the process search job. This ID is used to retrieve the results of the process search initiated by Carbon Black Cloud.Required
rowsThe number of rows to request.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.EventDetails.Results.alert_categoryStringThe category of the alert associated with the observation.
CarbonBlackDefense.EventDetails.Results.alert_idStringThe unique ID of the alert associated with the observation.
CarbonBlackDefense.EventDetails.Results.backend_timestampDateThe timestamp when the observation data was collected from the backend.
CarbonBlackDefense.EventDetails.Results.childproc_countNumberThe number of child processes spawned by the observed process.
CarbonBlackDefense.EventDetails.Results.crossproc_countNumberThe number of cross-process interactions involving the observed process.
CarbonBlackDefense.EventDetails.Results.device_external_ipStringThe external IP address of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_group_idNumberThe group ID associated with the device.
CarbonBlackDefense.EventDetails.Results.device_idNumberThe unique ID of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_installed_byStringThe user or process that installed the device.
CarbonBlackDefense.EventDetails.Results.device_internal_ipStringThe internal IP address of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_locationStringThe physical or network location of the device.
CarbonBlackDefense.EventDetails.Results.device_nameStringThe name of the device where the observation was made.
CarbonBlackDefense.EventDetails.Results.device_osStringThe operating system of the device.
CarbonBlackDefense.EventDetails.Results.device_os_versionStringThe version of the operating system of the device.
CarbonBlackDefense.EventDetails.Results.device_policyStringThe policy applied to the device.
CarbonBlackDefense.EventDetails.Results.device_policy_idNumberThe unique ID of the policy applied to the device.
CarbonBlackDefense.EventDetails.Results.device_sensor_versionStringThe version of the sensor installed on the device.
CarbonBlackDefense.EventDetails.Results.device_target_priorityStringThe priority level of the device as a target.
CarbonBlackDefense.EventDetails.Results.device_timestampDateThe timestamp when the observation was recorded on the device.
CarbonBlackDefense.EventDetails.Results.document_guidStringThe GUID of the document associated with the observation.
CarbonBlackDefense.EventDetails.Results.enrichedBooleanIndicates whether the observation data has been enriched with additional information.
CarbonBlackDefense.EventDetails.Results.enriched_event_typeStringThe type of event after enrichment.
CarbonBlackDefense.EventDetails.Results.event_threat_scoreNumberThe threat score associated with the event.
CarbonBlackDefense.EventDetails.Results.filemod_countNumberThe number of file modifications made by the observed process.
CarbonBlackDefense.EventDetails.Results.ingress_timeDateThe time when the observation data was ingested into the system.
CarbonBlackDefense.EventDetails.Results.legacyBooleanIndicates whether the observation is from a legacy system or data source.
CarbonBlackDefense.EventDetails.Results.modload_countNumberThe number of modules loaded by the observed process.
CarbonBlackDefense.EventDetails.Results.netconn_countNumberThe number of network connections established by the observed process.
CarbonBlackDefense.EventDetails.Results.observation_descriptionStringA description of the observation.
CarbonBlackDefense.EventDetails.Results.observation_idStringThe unique observation ID
CarbonBlackDefense.EventDetails.Results.observation_typeStringThe type of observation.
CarbonBlackDefense.EventDetails.Results.org_idStringThe organization ID associated with the observation.
CarbonBlackDefense.EventDetails.Results.parent_cmdlineStringThe command line arguments of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_cmdline_lengthNumberThe length of the command line arguments of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_effective_reputationStringThe effective reputation of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_effective_reputation_sourceStringThe source of the effective reputation of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_guidStringThe GUID of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_hashStringThe hash of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_nameStringThe name of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_pidNumberThe PID of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_publisherStringThe publisher of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_publisher_stateStringThe state of the publisher of the parent process.
CarbonBlackDefense.EventDetails.Results.parent_reputationStringThe reputation of the parent process.
CarbonBlackDefense.EventDetails.Results.process_cmdlineStringThe command line arguments of the observed process.
CarbonBlackDefense.EventDetails.Results.process_cmdline_lengthNumberThe length of the command line arguments of the observed process.
CarbonBlackDefense.EventDetails.Results.process_company_nameStringThe company name associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_effective_reputationStringThe effective reputation of the observed process.
CarbonBlackDefense.EventDetails.Results.process_effective_reputation_sourceStringThe source of the effective reputation of the observed process.
CarbonBlackDefense.EventDetails.Results.process_elevatedBooleanIndicates whether the observed process is running with elevated privileges.
CarbonBlackDefense.EventDetails.Results.process_file_descriptionStringThe description of the observed process file.
CarbonBlackDefense.EventDetails.Results.process_guidStringThe GUID of the observed process.
CarbonBlackDefense.EventDetails.Results.process_hashStringThe hash of the observed process.
CarbonBlackDefense.EventDetails.Results.process_integrity_levelStringThe integrity level of the observed process.
CarbonBlackDefense.EventDetails.Results.process_internal_nameStringThe internal name of the observed process.
CarbonBlackDefense.EventDetails.Results.process_nameStringThe name of the observed process.
CarbonBlackDefense.EventDetails.Results.process_original_filenameStringThe original filename of the observed process.
CarbonBlackDefense.EventDetails.Results.process_pidNumberThe PID of the observed process.
CarbonBlackDefense.EventDetails.Results.process_privilegesStringThe privileges associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_product_nameStringThe product name associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_product_versionStringThe product version associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_publisherStringThe publisher of the observed process.
CarbonBlackDefense.EventDetails.Results.process_publisher_stateStringThe state of the publisher of the observed process.
CarbonBlackDefense.EventDetails.Results.process_reputationStringThe reputation of the observed process.
CarbonBlackDefense.EventDetails.Results.process_service_nameStringThe service name associated with the observed process.
CarbonBlackDefense.EventDetails.Results.process_sha256unknownThe SHA-256 hash.

Command example#

!cbd-find-observation-details-results job_id=abc-1234 rows=2

Context Example#

{
"CarbonBlackDefense": {
"EventDetails": {
"Results": {
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-04-17T01:52:29.056Z",
"blocked_effective_reputation": "TRUSTED_WHITE_LIST",
"blocked_hash": [
"dummy_blocked_hash"
],
"blocked_name": "c:\windows\system32\windowspowershell\v1.0\powershell.exe",
"childproc_cmdline": "\"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\" (New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow() ",
"childproc_cmdline_length": 124,
"childproc_effective_reputation": "TRUSTED_WHITE_LIST",
"childproc_effective_reputation_source": "CLOUD",
"childproc_guid": "dummy_childproc_guid",
"childproc_hash": [
"dummy_chidproc_hash"
],
"childproc_issuer": [
"Microsoft Windows Production PCA 2011"
],
"childproc_name": "c:\windows\system32\windowspowershell\v1.0\powershell.exe",
"childproc_pid": 1020,
"childproc_publisher": [
"Microsoft Windows"
],
"childproc_publisher_state": [
"FILE_SIGNATURE_STATE_VERIFIED",
"FILE_SIGNATURE_STATE_SIGNED"
],
"childproc_reputation": "TRUSTED_WHITE_LIST",
"childproc_username": "NT AUTHORITY\SYSTEM",
"device_external_ip": "1.1.1.1",
"device_group_id": 0,
"device_id": 12345,
"device_installed_by": "user@example.com",
"device_internal_ip": "1.1.1.1",
"device_location": "OFFSITE",
"device_name": "corp\wsamzn-lshqdrdc",
"device_os": "WINDOWS",
"device_os_version": "Windows Server 2019 x64",
"device_policy": "tines-policy",
"device_policy_id": 1234,
"device_sensor_version": "1.1.1.1",
"device_target_priority": "LOW",
"device_timestamp": "2024-04-17T01:50:54.057Z",
"document_guid": "dummy_document_guid",
"enriched": true,
"enriched_event_type": "CREATE_PROCESS",
"event_attack_stage": [
"INSTALL_RUN"
],
"event_description": "The script \"<share><link hash=\"dummy_hash\">C:\program files\amazon\skylight\scripts\windows_update_status.ps1</link></share>\" invoked the application \"<share><link hash=\"dummy_hash\">C:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>\". The operation was <accent>blocked</accent> and the application <accent>terminated by Carbon Black</accent>.",
"event_id": "dummy_event_id",
"event_type": "childproc",
"ingress_time": 1713318735609,
"legacy": true,
"observation_description": "The application windows_update_status.ps1 invoked another application (powershell.exe). A Deny Policy Action was applied.",
"observation_id": "dummy_observation_id",
"observation_type": "CB_ANALYTICS",
"org_id": "abc123",
"parent_effective_reputation": "LOCAL_WHITE",
"parent_effective_reputation_source": "PRE_EXISTING",
"parent_guid": "dummy_parent_guid",
"parent_hash": [
"dummy_parent_hash"
],
"parent_name": "c:\program files\amazon\skylight\skylightworkspaceconfigservice.exe",
"parent_pid": 1234,
"parent_reputation": "NOT_LISTED",
"parent_username": "NT AUTHORITY\SYSTEM",
"process_cmdline": [
"\"powershell.exe\" -NonInteractive -ExecutionPolicy AllSigned -File \"C:\Program files\Amazon\SkyLight\scripts\windows_update_status.ps1\" -scriptId windows_update_status.ps1 CheckStatus"
],
"process_cmdline_length": [
182
],
"process_effective_reputation": "ADAPTIVE_WHITE_LIST",
"process_effective_reputation_source": "CLOUD",
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_hash",
],
"process_loaded_script_hash": [
"dummy_process_loaded_script_hash"
],
"process_loaded_script_name": [
"c:\program files\amazon\skylight\scripts\windows_update_status.ps1"
],
"process_name": "c:\program files\amazon\skylight\scripts\windows_update_status.ps1",
"process_pid": [
1234
],
"process_reputation": "NOT_LISTED",
"process_sha256": "dummy_process_sha256",
"process_start_time": "2024-04-17T01:50:48.244Z",
"process_user_id": "S-1-5-18",
"process_username": [
"NT AUTHORITY\SYSTEM"
],
"sensor_action": [
"TERMINATE"
],
"ttp": [
"MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER",
"POLICY_DENY",
"MITRE_T1059_001_POWERSHELL"
]
}
}
}
}

Human Readable Output#

Defense Event Details Results#

Observation IdEvent IdDevice IdDevice External IpDevice Internal IpEnriched Event Type
dummy_observation_iddummy_event_id12341.1.1.11.1.1.1CREATE_PROCESS

cbd-find-observation-results#


Retrieves the search results using the specified job ID.

Base Command#

cbd-find-observation-results

Input#

Argument NameDescriptionRequired
job_idThe unique ID for the process search job. This ID is used to retrieve the results of the process search initiated by Carbon Black Cloud.Required
rowsThe number of rows to request.Optional

Context Output#

PathTypeDescription
CarbonBlackDefense.Events.Results.alert_categoryStringCategory of the alert associated with the event.
CarbonBlackDefense.Events.Results.alert_idStringThe unique alert ID.
CarbonBlackDefense.Events.Results.backend_timestampDateTimestamp when the event was processed on the backend.
CarbonBlackDefense.Events.Results.childproc_countNumberNumber of child processes spawned by the process.
CarbonBlackDefense.Events.Results.crossproc_countNumberNumber of cross-process operations performed by the process.
CarbonBlackDefense.Events.Results.device_external_ipStringExternal IP address of the device.
CarbonBlackDefense.Events.Results.device_group_idNumberThe device group ID.
CarbonBlackDefense.Events.Results.device_idNumberThe unique device ID.
CarbonBlackDefense.Events.Results.device_installed_byStringUser or entity that installed the device.
CarbonBlackDefense.Events.Results.device_internal_ipStringInternal IP address of the device.
CarbonBlackDefense.Events.Results.device_locationStringPhysical or network location of the device.
CarbonBlackDefense.Events.Results.device_nameStringName of the device.
CarbonBlackDefense.Events.Results.device_osStringOperating system running on the device.
CarbonBlackDefense.Events.Results.device_os_versionStringVersion of the operating system running on the device.
CarbonBlackDefense.Events.Results.device_policyStringSecurity policy applied to the device.
CarbonBlackDefense.Events.Results.device_policy_idNumberThe ID of the security policy applied to the device.
CarbonBlackDefense.Events.Results.device_sensor_versionStringVersion of the sensor installed on the device.
CarbonBlackDefense.Events.Results.device_target_priorityStringPriority of the device as a target.
CarbonBlackDefense.Events.Results.device_timestampDateTimestamp of the event as recorded by the device.
CarbonBlackDefense.Events.Results.document_guidStringThe global unique ID for the document associated with the event.
CarbonBlackDefense.Events.Results.enrichedBooleanIndicates whether the event data has been enriched.
CarbonBlackDefense.Events.Results.enriched_event_typeStringType of the enriched event.
CarbonBlackDefense.Events.Results.event_threat_scoreNumberThreat score assigned to the event.
CarbonBlackDefense.Events.Results.filemod_countNumberNumber of file modifications performed by the process.
CarbonBlackDefense.Events.Results.ingress_timeDateTime when the event was ingested by the system.
CarbonBlackDefense.Events.Results.legacyBooleanIndicates whether the event is considered a legacy event.
CarbonBlackDefense.Events.Results.modload_countNumberNumber of modules loaded by the process.
CarbonBlackDefense.Events.Results.netconn_countNumberNumber of network connections established by the process.
CarbonBlackDefense.Events.Results.observation_descriptionStringDescription of the observation associated with the event.
CarbonBlackDefense.Events.Results.observation_idStringThe unique observation ID.
CarbonBlackDefense.Events.Results.observation_typeStringType of the observation associated with the event.
CarbonBlackDefense.Events.Results.org_idStringThe ID of the organization associated with the event.
CarbonBlackDefense.Events.Results.parent_cmdlineStringCommand line used to execute the parent process.
CarbonBlackDefense.Events.Results.parent_cmdline_lengthNumberLength of the command line used to execute the parent process.
CarbonBlackDefense.Events.Results.parent_effective_reputationStringEffective reputation of the parent process.
CarbonBlackDefense.Events.Results.parent_effective_reputation_sourceStringSource of the effective reputation of the parent process.
CarbonBlackDefense.Events.Results.parent_guidStringThe global unique ID for the parent process.
CarbonBlackDefense.Events.Results.parent_hashStringHash of the parent process.
CarbonBlackDefense.Events.Results.parent_nameStringName of the parent process.
CarbonBlackDefense.Events.Results.parent_pidNumberThe process ID of the parent process.
CarbonBlackDefense.Events.Results.parent_publisherStringPublisher of the parent process.
CarbonBlackDefense.Events.Results.parent_publisher_stateStringPublisher state of the parent process.
CarbonBlackDefense.Events.Results.parent_reputationStringReputation of the parent process.
CarbonBlackDefense.Events.Results.process_cmdlineStringCommand line used to execute the process.
CarbonBlackDefense.Events.Results.process_cmdline_lengthNumberLength of the command line used to execute the process.
CarbonBlackDefense.Events.Results.process_company_nameStringCompany name associated with the process.
CarbonBlackDefense.Events.Results.process_effective_reputationStringEffective reputation of the process.
CarbonBlackDefense.Events.Results.process_effective_reputation_sourceStringSource of the effective reputation of the process.
CarbonBlackDefense.Events.Results.process_elevatedBooleanIndicates whether the process is running with elevated privileges.
CarbonBlackDefense.Events.Results.process_file_descriptionStringFile description of the process.
CarbonBlackDefense.Events.Results.process_guidStringThe global unique process ID.
CarbonBlackDefense.Events.Results.process_hashStringHash of the process.
CarbonBlackDefense.Events.Results.process_integrity_levelStringIntegrity level of the process.
CarbonBlackDefense.Events.Results.process_internal_nameStringInternal name of the process.
CarbonBlackDefense.Events.Results.process_nameStringName of the process.
CarbonBlackDefense.Events.Results.process_original_filenameStringOriginal filename of the process.
CarbonBlackDefense.Events.Results.process_pidNumberThe process ID of the process.
CarbonBlackDefense.Events.Results.process_privilegesStringPrivileges associated with the process.
CarbonBlackDefense.Events.Results.process_product_nameStringProduct name associated with the process.
CarbonBlackDefense.Events.Results.process_product_versionStringProduct version associated with the process.
CarbonBlackDefense.Events.Results.process_publisherStringPublisher of the process.
CarbonBlackDefense.Events.Results.process_publisher_stateStringPublisher state of the process.
CarbonBlackDefense.Events.Results.process_reputationStringReputation of the process.
CarbonBlackDefense.Events.Results.process_service_nameStringService name associated with the process.
CarbonBlackDefense.Events.Results.process_sha256StringSHA-256 hash of the process.
CarbonBlackDefense.Events.Results.process_start_timeDateStart time of the process.
CarbonBlackDefense.Events.Results.process_usernameStringUsername under which the process is running.
CarbonBlackDefense.Events.Results.regmod_countNumberNumber of registry modifications performed by the process.
CarbonBlackDefense.Events.Results.scriptload_countNumberNumber of scripts loaded by the process.
CarbonBlackDefense.Events.Results.sensor_actionStringAction taken by the sensor for the event.
CarbonBlackDefense.Events.Results.ttpStringTactics, techniques, and procedures associated with the event.
CarbonBlackDefense.Events.Results.watchlist_hitStringIndicates if the event matches a watchlist entry.

Command example#

!cbd-find-observation-results job_id=abc-1234 rows=2

Context Example#

{
"CarbonBlackDefense": {
"Events": {
"Results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-07-05T09:42:06.625Z",
"blocked_effective_reputation": "COMPANY_BLACK_LIST",
"blocked_hash": [
"dummy_bloched_hash"
],
"blocked_name": "c:\windows\system32\sdiagnhost.exe",
"device_group_id": 0,
"device_id": 1234,
"device_name": "desktop-ua4omu0",
"device_policy_id": 1234,
"device_timestamp": "2024-07-05T09:39:07.695Z",
"enriched": true,
"enriched_event_type": [
"CREATE_PROCESS"
],
"event_description": "The application \"<share><link hash=\"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88\">C:\Windows\system32\svchost.exe -k DcomLaunch -p</link></share>\" invoked the application \"<share><link hash=\"e5ec6b5b20a16383cc953ad5e478dcdf95ba46281f4fe971673c954d4145c0c4\">c:\windows\system32\sdiagnhost.exe</link></share>\". The operation was <accent>blocked by Carbon Black</accent>.",
"event_id": "dummy_event_id",
"event_type": "childproc",
"ingress_time": 1720172480035,
"legacy": true,
"observation_description": " sdiagnhost.exe on the Company Black List was detected running. A Deny Policy Action was applied.",
"observation_id": "dummy_observation_id",
"observation_type": "CB_ANALYTICS",
"org_id": "dummy_org_id",
"parent_guid": "dummy_parent_guid",
"parent_pid": 616,
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_gash",
"dummy_process_hash"
],
"process_name": "c:\windows\system32\svchost.exe",
"process_pid": [
768
],
"process_username": [
"NT AUTHORITY\SYSTEM"
],
"sensor_action": [
"DENY",
"BLOCK"
]
},
{
"alert_category": [
"THREAT"
],
"alert_id": [
"dummy_alert_id"
],
"backend_timestamp": "2024-07-03T16:27:53.810Z",
"blocked_effective_reputation": "COMPANY_BLACK_LIST",
"blocked_hash": [
"dummy_blocked_hash"
],
"blocked_name": "c:\windows\system32\windowspowershell\v1.0\powershell.exe",
"device_group_id": 0,
"device_id": 1234,
"device_name": "desktop-ua4omu0",
"device_policy_id": 1234,
"device_timestamp": "2024-07-03T16:25:21.686Z",
"enriched": true,
"enriched_event_type": [
"CREATE_PROCESS"
],
"event_description": "The application \"<share><link hash=\"20330d3ca71d58f4aeb432676cb6a3d5b97005954e45132fb083e90782efdd50\">c:\windows\system32\backgroundtaskhost.exe</link></share>\" was prevented from accessing the file \"<share><link hash=\"9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f\">c:\windows\system32\windowspowershell\v1.0\powershell.exe</link></share>\" due to a <accent>Deny operation or Terminate process</accent> policy action.",
"event_id": "dummy_event_id",
"event_type": "childproc",
"ingress_time": 1720024053609,
"legacy": true,
"observation_description": "The application backgroundtaskhost.exe invoked another application (powershell.exe). A Deny Policy Action was applied.",
"observation_id": "f82a46c4395811efab18238ba409ec8f:d13802a2-e8a1-180d-8359-fdc0a8c9f007",
"observation_type": "CB_ANALYTICS",
"org_id": "dummy_org_id",
"parent_guid": "dummy_parent_guid",
"parent_pid": 768,
"process_guid": "dummy_process_guid",
"process_hash": [
"dummy_process_hash",
"dummy_process_hash"
],
"process_name": "c:\windows\system32\backgroundtaskhost.exe",
"process_pid": [
1234
],
"process_username": [
"DESKTOP-UA4OMU0\qe-admin"
],
"sensor_action": [
"DENY",
"BLOCK"
]
}
]
}
}
}

Human Readable Output#

Defense Event Results#

Event IdDevice IdEnriched Event Type
8d815dc93ab211efb74fe9e3b00b3b6a6685063CREATE_PROCESS
f82a46c4395811efab18238ba409ec8f6685063CREATE_PROCESS