Skip to main content

VMware Carbon Black App Control v2

This Integration is part of the Carbon Black Enterprise Protection Pack.#

VMware Carbon Black App Control (formerly known as Carbon Black Enterprise Protection) is a next-generation endpoint threat prevention solution to deliver a portfolio of protection policies, real-time visibility across environments, and comprehensive compliance rule sets in a single platform. This integration only supports Carbon Black on-premise APIs.

Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.

Configure VMware Carbon Black App Control v2 in Cortex#

ParameterRequired
Server URL (e.g. https://192.168.0.1)True
API TokenFalse
First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)False
Max incidents per fetchFalse
Fetch queryFalse
API TokenFalse
Fetch incidentsFalse
Incident typeFalse
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cbp-fileCatalog-search#


Search for file catalogs. See more: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#filecatalog

Base Command#

cbp-fileCatalog-search

Input#

Argument NameDescriptionRequired
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field. Example: group=osShortName.Optional
limit(Int) Is maximum number of results to retrieve. If not specified: First 1000 results will be returned. If set to -1: Only result count will be returned, without actual results. Offset parameter is ignored in this case. If set to 0: All results will be returned. Offset parameter is ignored in this case. Note that some result sets could be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in data set.Optional
queryA condition contains three parts: name, operator, and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. See more: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
sortSorting is optional and can be defined with a single attribute: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order (if omitted) is ASC. xyz is field name from the result set.Optional
fileNameName of the file under which this unique hash was first seen.Optional
fileTypeType of the file.Optional
computerIdId of computer where this file was first seen. You can get this by executing cbp-computer-search command.Optional
threatThreat of this file. Can be one of:
-1=Unknown
0=Clean
50=Potential risk
100=Malicious. Possible values are: Unknown, Clean, Potential risk, Malicious.
Optional
fileStateFile state of this hash. Can be one of:
1=Unapproved
2=Approved
3=Banned
4=Approved by Policy
5=Banned by Policy. Possible values are: Unapproved, Approved, Banned, Approved by Policy, Banned by Polic.
Optional
hashHash of the file.Optional

Context Output#

PathTypeDescription
File.SizeUnknownSize of the file.
File.PathStringPath on the found hostname.
File.NameStringName of the file.
File.TypeStringFile type.
File.ProductNameStringThe name of the product to which this file belongs.
File.IDStringUnique fileCatalog ID.
File.PublisherStringThe publisher of the file.
File.CompanyStringThe company for the product.
File.ExtensionStringExtension of the file.

cbp-computer-search#


Search for computers. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#computer

Base Command#

cbp-computer-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator, and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with an operator and depends on field type. See more: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
offset(Int) Offset in data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order (if omitted) is ascending (ASC). xyz is field name from the result set.Optional
limitMaximum number of results to retrieve (Int). If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the Offset parameter is ignored. If set to "0", all results will be returned, and the Offset parameter is ignored. Some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
nameComputer name.Optional
ipAddressLast known IP address of this computer.Optional
macAddressMAC address of adapter used to connect to the CB Protection Server.Optional

Context Output#

PathTypeDescription
Endpoint.OSStringThe short OS name running on the endpoint.
MemoryNumberAmount of memory for the endpoint.

cbp-computer-update#


Updates computer objects. Note that some computer properties can be changed only if specific boolean parameters are set. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#computer

Base Command#

cbp-computer-update

Input#

Argument NameDescriptionRequired
id(Int) Unique computer ID.Required
name(String) Computer name can be changed only if computer is a template.Optional
computerTag(String) Custom computer tag.Optional
description(String) Description of this computer.Optional
policyId(Int) New ID of the policy for this computer. PolicyId is ignored if either automaticPolicy is "True" or localApproval is "True".Optional
automaticPolicy(Boolean) "True" if this policy is assigned automatically through AD. If localApproval is "True", this argument must be "False". Possible values are: True, False.Optional
localApproval(Boolean) "True" if this computer is currently in local approval mode. If automaticPolicy is "True", this argument must be "False". Possible values are: True, False.Optional
refreshFlags(Int) Change refresh flags for this agent. Can be a combination of: 0x01=Complete resynch of agent NAB and installer table is requested 0x02=Rescan of programs installed on the computer is requested 0x20=Tell agent to refresh config list 0x40=Force this agent to reregister with new cookie 0x200=Trigger agent Reboot. 0x1000=Tell agent to refresh config list from the file 0x4000 Boost the priority of this agent over all others permanently (until it is de-prioritized).Optional
prioritized(Boolean) Set to "True" to prioritize this computer. Possible values are: True, False.Optional
debugLevel(Int) Current debug level of the agent. Range is from 0 (none) to 8 (verbose). This value can be changed only if the "changeDiagnostics" request parameter is set to "True".Optional
kernelDebugLevel(Int) Current kernel debug level of the agent. Range is from 0 (none) to 5 (verbose). This value can be changed only if the "changeDiagnostics" request parameter is set to "True".Optional
debugFlags(Int) Debug flags. Can be 0 or combination of: 0x01 = Upload debug files now 0x10 = Enable full memory dumps 0x20 = Copy agent cache 0x40 = Delete debug files 0x80 = Upload agent cache 0x200 = Save verbose debug info + counters to the cache when copied/uploaded 0x400 = Generate and upload an analysis.bt9 file that contains various constraint violation analysis information 0x800 = Run a health check and send results to server. This value can be changed only if the "changeDiagnostics" request parameter is set to "True".Optional
debugDuration(Int) Debug duration in minutes. This value can be changed only if the "changeDiagnostics" request parameter is set to "True".Optional
cCLevel(Int) Cache consistency check level set for the agent. Can be one of: 0 = None 1 = Quick verification 2 = Rescan known files Full scan for new files. This value can be changed only if the "changeDiagnostics" request parameter is set to "True".Optional
cCFlags(Int) Cache consistency check flags set for agent. Can be 0 or combination of: 0x0001 = Whether this is just a test run or not 0x0002 = Should the state of invalid files be preserved 0x0004 = Should new files found be locally approved or not 0x0008 = Should we re-evaluate whether a file’s certificate information is still valid or not 0x0010 = Whether the check was scheduled or not 0x0020 = Whether the agent should run constraint checks to test for invalid results 0x0040 = Whether we are only searching for new script types as a result of a change to what ‘IsScript’ means 0x0080 = Whether we are doing a level 3 check for initialization 0x0100 = This cache check is to remediate CR# 18041 0x0200 = Force the re-evaluation of the IsCrawlable state and archive type.Optional
forceUpgrade(Boolean) Set to "True" to force an upgrade for this computer. Possible values are: True, False.Optional
template(Boolean) "True" if the computer is a VDI template. This value can be changed only if the "changeTemplate" request parameter is set to "True". Possible values are: True, False.Optional

Context Output#

PathTypeDescription
Endpoint.ProcessorsNumberThe number of processors.
Endpoint.OSStringThe short OS name running on the endpoint.
Endpoint.MACAddressStringMAC address of the endpoint.
Endpoint.ModelStringThe machine model, if available.
Endpoint.IPAddressStringIP address of the endpoint.
Endpoint.ProcessorStringModel of the processor.
Endpoint.HostnameStringHostname of the endpoint.
Endpoint.OSVersionStringThe full OS name running on the endpoint.
Endpoint.IDStringThe unique ID within the tool retreiving the endpoint.

cbp-computer-get#


Returns information for a computer. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#computer

Base Command#

cbp-computer-get

Input#

Argument NameDescriptionRequired
id(Int) Unique computer ID.Required

Context Output#

PathTypeDescription
Endpoint.ProcessorsNumberThe number of processors.
Endpoint.OSStringThe short OS name running on the endpoint.
Endpoint.MACAddressStringMAC address of the endpoint.
Endpoint.ModelStringThe machine model, if available.
Endpoint.IPAddressStringIP address of the endpoint.
Endpoint.ProcessorStringModel of the processor.
Endpoint.HostnameStringHostname of the endpoint.
Endpoint.OSVersionStringThe full OS name running on the endpoint.
Endpoint.IDStringThe unique ID within the tool retreiving the endpoint.

cbp-fileInstance-search#


Search for file instances. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#fileinstance

Base Command#

cbp-fileInstance-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the "offset" parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute, where xyz is the field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional
computerIdId of computer associated with this fileInstance.Optional
fileNameName of the file on the agent.Optional

Context Output#

PathTypeDescription
CBP.FileInstance.CatalogIDStringThe file ID in the file catalog.
CBP.FileInstance.ComputerIDStringThe computer ID on which the file was found.
CBP.FileInstance.IDStringCBP internal ID of the file instance.
CBP.FileInstance.NameStringName of the file.
CBP.FileInstance.PathStringPath on the found hostname.

cbp-event-search#


Search for events. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#event

Base Command#

cbp-event-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the "offset" parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute, where xyz is field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional
typeEvent type. Can be one of:
0 = Server Management
1 = Session Management
2 = Computer Management
3 = Policy Management
4 = Policy Enforcement
5 = Discovery
6 = General Management
8 = Internal Events. Possible values are: Server Management, Session Management, Computer Management, Policy Management, Policy Enforcement, Discovery, General Management, Internal Events.
Optional
computerIdId of computer associated with this event. You can get this by executing cbp-computer-search command.Optional
ipAddressIP address associated with this event.Optional
fileNameName of the file associated with this event.Optional
severityEvent severity. Can be one of:
2 = Critical
3 = Error
4 = Warning
5 = Notice
6 = Info
7 = Debug. Possible values are: Critical, Error, Warning, Notice, Info, Debug.
Optional
userNameUser name associated with this event.Optional
fileCatalogIdId of fileCatalog entry associated with this fileRule. Can be null if file hasn’t been seen on any endpoints yet. You can get this by executing cbp-fileCatalog-search.Optional

Context Output#

PathTypeDescription
CBP.Event.FilePathStringFile path of the event.
CBP.Event.Param1StringFirst event parameter.
CBP.Event.Param2StringSecond event parameter.
CBP.Event.Param3StringThird event parameter.
CBP.Event.SubTypeNameStringName of the subtype.
CBP.Event.ComputerNameStringName of the computer related to the event.
CBP.Event.FileNameStringName of the file related to the event.
CBP.Event.RuleNameStringName of the rule related to the event.
CBP.Event.ProcessFileCatalogIDStringID of the process file catalog ID.
CBP.Event.StringIDStringID of the event string.
CBP.Event.IPAddressStringIP address of the event.
CBP.Event.PolicyIDStringPolicy ID of the event.
CBP.Event.TimestampDateTimestamp of the event.
CBP.Event.UsernameStringUsername related to the event.
CBP.Event.ComputerIDStringID of the event computer.
CBP.Event.ProcessFileNameStringFile name of the process.
CBP.Event.FileCatalogIDStringID of the file catalog.
CBP.Event.ProcessFileNameStringFile name of the process.
CBP.Event.IndicatorNameStringIndicator name of the event.
CBP.Event.SubTypeNumberID of the subtype.
CBP.Event.TypeNumberType of the event.
CBP.Event.IDNumberID of the event.
CBP.Event.DescriptionStringDescription of the event.
CBP.Event.SeverityStringSeverity of the event.
CBP.Event.CommandLineStringCommand line executed in the event.
CBP.Event.ProcessPathNameStringPath name of the process.

cbp-approvalRequest-search#


Search for approval requests. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#approvalrequest

Base Command#

cbp-approvalRequest-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the "offset" parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field. Example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute, where xyz is field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional

Context Output#

PathTypeDescription
CBP.ApprovalRequest.IDNumberID of the approval request.
CBP.ApprovalRequest.ResolutionCommentsStringComments added by the request resolver.
CBP.ApprovalRequest.ResolutionNumberResolution of the request. Can be one of: 0=Not Resolved, 1=Rejected, 2=Resolved - Approved, 3=Resolved - Rule Change, 4=Resolved - Installer, 5=Resolved - Updater, 6=Resolved - Publisher, 7=Resolved - Other.
CBP.ApprovalRequest.StatusNumberRequest status. Can be one of: 1=New, 2=Open, 3=Closed, 4=Escalated.
CBP.ApprovalRequest.FileCatalogIDNumberID of the fileCatalog entry associated with file for this event.
CBP.ApprovalRequest.ComputerIDNumberID of the computer entry associated with this analysis.
CBP.ApprovalRequest.ComputerNameStringName of the computer associated with this event.
CBP.ApprovalRequest.DateCreatedDateDate/time when the notifier was created (UTC).
CBP.ApprovalRequest.CreatedByStringUser that created this notifier.
CBP.ApprovalRequest.EnforcementLevelNumberEnforcement level of the agent at the time of the request. Can be one of: 20=High (Block Unapproved), 30=Medium (Prompt Unapproved), 40=Low (Monitor Unapproved), 60=None (Visibility), 80=None (Disabled).
CBP.ApprovalRequest.RequestorEmailStringEmail address of the user that created this request.
CBP.ApprovalRequest.PriorityNumberPriority of this request. Can be one of: 0=High, 1=Medium, 2=Low.
CBP.ApprovalRequest.FileNameStringName of the file on the agent.
CBP.ApprovalRequest.PathNameStringPath of the file on the agent.
CBP.ApprovalRequest.ProcessStringProcess that attempted to execute the file on the agent (the full process path).
CBP.ApprovalRequest.PlatformStringPlatform of this approval request.

cbp-fileRule-search#


Search for file rules. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#filerule

Base Command#

cbp-fileRule-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the offset parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute where xyz is field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional
fileCatalogIdId of fileCatalog entry associated with this fileRule. Can be null if file hasn’t been seen on any endpoints yet. You can get this by executing cbp-fileCatalog-search.Optional
nameName of this rule.Optional
fileStateFile state for this rule. Can be one of:
1=Unapproved
2=Approved
3=Banned. Possible values are: Unapproved, Approved, Banned.
Optional
sourceTypeMechanism that created this rule. Can be one of:
1 = Manual
2 = Trusted Directory
3 = Reputation
4 = Imported
5 = External (API)
6 = Event Rule
7 = Application Template
8 = Unified Management. Possible values are: Manual, Trusted Directory, Reputation, Imported, External (API), Event Rule, Application Template, Unified Management.
Optional
hashHash associated with this rule. Note that hash will be available only if rule was created through md5 or sha-1 hash. If rule was created through fileCatalogId or sha-256 hash that exists in the catalog, this field will be empty.Optional
fileNameFile name associated with this rule. Note that file name will be available only if rule was created through file name. If rule was created through fileCatalogId or hash, this field will be empty.Optional

Context Output#

PathTypeDescription
CBP.FileRule.CatalogIDStringThe file catalog ID for the rule.
CBP.FileRule.DescriptionStringDescription of the rule.
CBP.FileRule.FileStateStringThe file state for the rule.
CBP.FileRule.HashStringHash for the rule.
CBP.FileRule.IDStringID of the rule.
CBP.FileRule.NameStringName of the rule.
CBP.FileRule.PolicyIDsStringPolicies of which this rule is a part.
CBP.FileRule.ReportOnlyStringWhether this rule is "reporting only, or also "enforcing".

cbp-fileRule-get#


Gets the file rule. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#filerule

Base Command#

cbp-fileRule-get

Input#

Argument NameDescriptionRequired
id(Int) Unique ID of the file rule.Required

Context Output#

PathTypeDescription
CBP.FileRule.CatalogIDStringThe file catalog ID for the rule.
CBP.FileRule.DescriptionStringDescription of the rule.
CBP.FileRule.FileStateStringThe file state for the rule.
CBP.FileRule.HashStringHash for the rule.
CBP.FileRule.IDStringID of the rule.
CBP.FileRule.NameStringName of the rule.
CBP.FileRule.PolicyIDsStringPolicies of which this rule is a part.
CBP.FileRule.ReportOnlyStringWhether this rule is "reporting only, or also "enforcing".

cbp-fileRule-delete#


Deletes the file rule. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#filerule

Base Command#

cbp-fileRule-delete

Input#

Argument NameDescriptionRequired
id(Int) Unique id of this fileRule.Required

Context Output#

There is no context output for this command.

cbp-policy-search#


Search for policies. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#policy

Base Command#

cbp-policy-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the "offset" parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute where xyz is field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional
enforcementLevelTarget enforcement level. Can be one of:
20=High (Block Unapproved)
30=Medium (Prompt Unapproved)
40=Low (Monitor Unapproved)
60=None (Visibility)
80=None (Disabled). Possible values are: High (Block Unapproved), Medium (Prompt Unapproved), Low (Monitor Unapproved), None (Visibility), None (Disabled).
Optional
disconnectedEnforcementLevelTarget enforcement level for disconnected computers. Can be one of:
20=High (Block Unapproved)
30=Medium (Prompt Unapproved)
40=Low (Monitor Unapproved)
60=None (Visibility)
80=None (Disabled). Possible values are: High (Block Unapproved), Medium (Prompt Unapproved), Low (Monitor Unapproved), None (Visibility), None (Disabled).
Optional

Context Output#

PathTypeDescription
CBP.Policy.ReadOnlyBooleanWhether the policy "read-only".
CBP.Policy.EnforcementLevelStringThe level of enforcement of the policy.
CBP.Policy.ReputationEnabledBooleanWhether the reputation for the policy is enabled.
CBP.Policy.AtEnforcementComputersNumberNumber of enforced computers.
CBP.Policy.AutomaticBooleanWhether the policy is automatic.
CBP.Policy.NameStringName of the policy.
CBP.Policy.FileTrackingEnabledBooleanWhether file tracking enabled for the policy.
CBP.Policy.ConnectedComputersNumberNumber of connected computers associated with the policy.
CBP.Policy.PackageNameStringPackage name of the policy.
CBP.Policy.AllowAgentUpgradesBooleanWhether the policy allows agent upgrades.
CBP.Policy.TotalComputersNumberNumber of computers associated with the policy.
CBP.Policy.LoadAgentInSafeModeBooleanWhether the agent should load in safe mode.
CBP.Policy.AutomaticApprovalsOnTransitionStringApprove on transition.
CBP.Policy.IDStringCBP internal ID of the policy.
CBP.Policy.DescriptionStringDescription of the policy.
CBP.Policy.DisconnectedEnforcementLevelStringThe level of enforcement of the policy when disconnected.

cbp-serverConfig-search#


Search in server configurations. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#serverconfig.

Base Command#

cbp-serverConfig-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the "offset" parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute where xyz is field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional

Context Output#

PathTypeDescription
CBP.ServerConfig.IDStringCBP internal ID of the server configuration.
CBP.ServerConfig.NameStringName of the server configuration.
CBP.ServerConfig.ValueStringValue of the server configuration.

cbp-publisher-search#


Search for publishers. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#publisher.

Base Command#

cbp-publisher-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the "offset" parameter is ignored. If set to "0", all results will be returned, and the "offset" parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute where xyz is field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC). .Optional
nameSubject name of leaf certificate for this publisher.Optional
publisherReputationReputation of this publisher. Can be one of:
0=Not trusted (Unknown)
1=Low
2=Medium
3=High. Possible values are: Not trusted (Unknown), Low, Medium, High.
Optional
publisherStateState for this publisher. Can be one of:
1=Unapproved
2=Approved
3=Banned
4=Approved By Policy
5=Banned By Policy. Possible values are: Unapproved, Approved, Banned, Approved By Policy, Banned By Policy.
Optional

Context Output#

PathTypeDescription
CBP.Publisher.DescriptionStringDescription of the publisher.
CBP.Publisher.IDStringCBP internal ID of the publisher.
CBP.Publisher.NameStringName of the publisher.
CBP.Publisher.ReputationStringReputation of the publisher.
CBP.Publisher.SignedCertificatesCountNumberNumber of certificates from the publisher.
CBP.Publisher.SignedFilesCountNumberNumber of signed files from publisher.
CBP.Publisher.StateStringThe state of the publisher.

cbp-fileAnalysis-get#


Returns the object instance of this class.

Base Command#

cbp-fileAnalysis-get

Input#

Argument NameDescriptionRequired
id(Int) Unique fileAnalysis ID.Required

Context Output#

PathTypeDescription
CBP.FileAnalysis.PriorityNumberFile analysis priority. Valid range is [-2, 2], where 2 is highest priority. Default priority is "0".
CBP.FileAnalysis.PathNameStringPath of the file on the endpoint.
CBP.FileAnalysis.ComputerIdStringID of the computer entry associated with this analysis.
CBP.FileAnalysis.DateModifiedDateDate/time when the fileAnalysis request was last modified (UTC).
CBP.FileAnalysis.IDStringUnique fileAnalysis ID.
CBP.FileAnalysis.FileCatalogIdStringID of the fileCatalog entry associated with this analysis.
CBP.FileAnalysis.DateCreatedDateDate/time when the fileAnalysis request was created (UTC).
CBP.FileAnalysis.CreatedByStringUser that requested the analysis.
File.FileCatalogIdStringID ofthe fileCatalog entry associated with this analysis.
CBP.FileAnalysis.FileNameStringName of the file on the endpoint.
File.MaliciousStringVendor and description of the malicious file.
File.PathNameUnknownPath of the file on the endpoint.
File.NameStringFull file name, for example: "data.xls".
File.SHA1StringSHA1 hash of the file.
File.SHA256StringSHA256 hash of the file.
File.MD5StringMD5 hash of the file.
DBotScore.IndicatorstringThe indicator.
DBotScore.TypestringThe indicator type.
DBotScore.VendorstringThe DBot score vendor.
DBotScore.ScorenumberThe DBot score

cbp-fileAnalysis-createOrUpdate#


Creates or updates a file analysis request.

Base Command#

cbp-fileAnalysis-createOrUpdate

Input#

Argument NameDescriptionRequired
fileCatalogId(Int) ID of the fileCatalog entry for which analysis is requested. This value can be fetched via cbp-fileCatalog-search command.Required
connectorId(Int) ID of the target connector for the analysis. This value can be fetched via cbp-connector-search command.Required
computerId(Int) ID of the computer from which to upload the file. If "0", the system will identify the best computer from which to get the file. This value can be fetched via cbp-computer-search command. Default is 0.Optional
priority(Int) The analysis priority (valid range: -2, 2), where "2" is highest priority. Default priority is "0". Possible values are: -2, -1, 0, 1, 2. Default is 0.Optional
analysisStatus(Int) Status of the analysis. The status of an analysis that is in progress can be changed to "5" (Cancelled).Optional
analysisTarget(String) Target of the analysis. It has to be one of possible analysisTarget options defined for the given connector object, or empty for connectors without defined analysisTargets.Optional
idIf specified, will try to update the file analysis with this ID.Optional

Context Output#

PathTypeDescription
CBP.FileAnalysis.PriorityNumberFile analysis priority in range (valid range: -2, 2), where "2" is highest priority. Default priority is "0".
CBP.FileAnalysis.PathNameStringPath of the file where the file exists on the endpoint.
CBP.FileAnalysis.ComputerIDStringID of the computer entry associated with this analysis.
CBP.FileAnalysis.DateModifiedDateDate/time when the fileAnalysis request was last modified (UTC).
CBP.FileAnalysis.FileCatalogIdStringID of the fileCatalog entry associated with this analysis.
CBP.FileAnalysis.DateCreatedDateDate/time when the fileAnalysis request was created (UTC).
CBP.FileAnalysis.IDStringUnique fileAnalysis ID.
CBP.FileAnalysis.CreatedByStringUser that requested the analysis.

cbp-fileAnalysis-search#


Returns objects that match the specified criteria.

Base Command#

cbp-fileAnalysis-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more informatoin, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the offset parameter is ignored. If set to "0", all results will be returned, and the offset parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute: &sort=xyz [ASC|DESC], where xyz is the field name from the result set. There can be only one sorting field. Default sort order is ascending (ASC). .Optional
fileCatalogIdId of fileCatalog entry associated with this analysis. You can get this by executing cbp-fileCatalog-search.Optional
connectorIdId of connector associated with this analysis. You can get this by executing cbp-connector-search.Optional
fileNameName of the file where file exists on the endpoint
.
Optional
analysisStatusStatus of analysis. Can be one of:
0 = scheduled
1 = submitted (file is sent for analysis)
2 = processed (file is processed but results are not available yet)
3 = analyzed (file is processed and results are available)
4 = error
5 = cancelled. Possible values are: scheduled, submitted (file is sent for analysis), processed (file is processed but results are not available yet), analyzed (file is processed and results are available), error, cancelled.
Optional
analysisResultResult of the analysis. Can be one of:
0 = Not yet available
1 = File is clean
2 = File is a potential threat
3 = File is malicious. Possible values are: Not yet available, File is clean, File is a potential threat, File is malicious.
Optional

Context Output#

PathTypeDescription
CBP.FileAnalysis.PriorityNumberFile analysis priority in range (valid range: -2, 2), where "2" is highest priority. Default priority is "0".
CBP.FileAnalysis.PathNameStringPath of the file where the file exists on the endpoint.
CBP.FileAnalysis.ComputerIDStringID of the computer entry associated with this analysis.
CBP.FileAnalysis.DateModifiedDateDate/time when the fileAnalysis request was last modified (UTC).
CBP.FileAnalysis.FileCatalogIdStringID of the fileCatalog entry associated with this analysis.
CBP.FileAnalysis.DateCreatedDateDate/time when the fileAnalysis request was created (UTC).
CBP.FileAnalysis.IDStringUnique fileAnalysis ID.
CBP.FileAnalysis.CreatedByStringUser that requested this analysis.

cbp-fileUpload-get#


Returns the object instance of this class.

Base Command#

cbp-fileUpload-get

Input#

Argument NameDescriptionRequired
id(Int) Unique ID of this fileUpload.Required

Context Output#

PathTypeDescription
CBP.FileUpload.PriorityNumberFile analysis priority in range (valid range: -2, 2), where "2" is highest priority. Default priority is "0".
CBP.FileUpload.FileNameStringName of the file where the file exists on the endpoint.
CBP.FileUpload.UploadPathStringLocal upload path for the file on the server (can be a shared network path). Note that the file is compressed in a ZIP archive.
CBP.FileUpload.ComputerIdStringID of the computer entry associated with this analysis.
CBP.FileUpload.DateModifiedDateDate/time when the fileAnalysis request was last modified (UTC).
CBP.FileUpload.IDStringUnique fileAnalysis ID.
CBP.FileUpload.FileCatalogIdStringID of the fileCatalog entry associated with this analysis.
CBP.FileUpload.DateCreatedDateDate/time when the fileAnalysis request was created (UTC).
CBP.FileUpload.PathNameStringPath of the file where there file exists on the endpoint.
CBP.FileUpload.UploadStatusNumberStatus of the upload (valid range: 0-6).
CBP.FileUpload.UploadedFileSizeStringSize of the uploaded file. The file size will be 0 unless the uploadStatus is "3" (Completed).
CBP.FileUpload.CreatedByStringUser that requested the analysis.

cbp-fileUpload-download#


Returns the bject instance of this class.

Base Command#

cbp-fileUpload-download

Input#

Argument NameDescriptionRequired
id(Int) Unique ID of the fileUpload.Required

Context Output#

There is no context output for this command.

cbp-fileUpload-createOrUpdate#


Creates or updates a file upload request.

Base Command#

cbp-fileUpload-createOrUpdate

Input#

Argument NameDescriptionRequired
fileCatalogId(Int) ID of the fileCatalog entry for file to upload. This value can be fetched via cbp-fileCatalog-search command.Required
computerId(Int) ID of the computer entry associated with this analysis. This value can be fetched via cbp-computer-search command. Default is 0.Optional
priorityFile analysis priority in range (valid range: -2, 2), where "2" is highest priority. Default priority is "0". Possible values are: -2, -1, 0, 1, 2.Optional
uploadStatus(Int)Status of upload. The status of "upload in progress" can be changed to "5" (Cancelled). Any upload can be changed to "6" (Deleted).Optional
idID of the file upload to update. If omitted, will create a new file upload.Optional

Context Output#

PathTypeDescription
CBP.FileUpload.PriorityNumberFile analysis priority in range (valid range: -2, 2), where "2" is highest priority. Default priority is "0".
CBP.FileUpload.CreatedByUserIdStringID of the user that requested the analysis.
CBP.FileUpload.UploadPathStringLocal upload path for this file on the server (can be a shared network path). Note that the file is compressed in a ZIP archive.
CBP.FileUpload.FileNameStringName of the file where the file exists on the endpoint.
CBP.FileUpload.PathNameStringPath of the file where the file exists on the endpoint.
CBP.FileUpload.UploadStatusNumberStatus of the upload (valid range: 0-6).
CBP.FileUpload.ComputerIDStringID of the computer entry associated with this analysis.
CBP.FileUpload.DateModifiedDateDate/time when the fileAnalysis request was last modified (UTC).
CBP.FileUpload.FileCatalogIdStringID of the fileCatalog entry associated with this analysis.
CBP.FileUpload.DateCreatedDateDate/time when the fileAnalysis request was created (UTC).
CBP.FileUpload.IDStringUnique fileAnalysis ID.
CBP.FileUpload.UploadedFileSizeNumberSize of uploaded file. The file size will be 0 unless the uploadStatus is "3" (Completed).

cbp-fileUpload-search#


Returns objects that match the specified criteria.

Base Command#

cbp-fileUpload-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the offset parameter is ignored. If set to "0", all results will be returned, and the offset parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute: &sort=xyz [ASC|DESC], where xyz is the field name from the result set. There can be only one sorting field. Default sort order is ascending (ASC).Optional
computerIdId of computer entry associated with this analysis. This can be fetched via cbp-computer-search.Optional
fileCatalogIdId of fileCatalog entry associated with this upload. This can be fetched via cbp-fileCatalog-search.Optional
fileNameName of the file where file exists on the endpoint.Optional
uploadStatusStatus of upload. Can be one of:
0 = Queued
1 = Initiated
2 = Uploading
3 = Completed
4 = Error
5 = Cancelled
6 = Deleted. Possible values are: Queued, Initiated, Uploading, Completed, Error, Cancelled, Deleted.
Optional

Context Output#

PathTypeDescription
CBP.FileUpload.PriorityNumberFile analysis priority in range (valid range: -2, 2), where "2" is highest priority. Default priority is "0".
CBP.FileUpload.CreatedByUserIdStringID of the user that requested the analysis.
CBP.FileUpload.UploadPathStringLocal upload path for this file on the server (can be a shared network path). Note that the file is compressed in a ZIP archive.
CBP.FileUpload.FileNameStringName of the file where the file exists on the endpoint.
CBP.FileUpload.PathNameStringPath of the file where the file exists on the endpoint.
CBP.FileUpload.UploadStatusNumberStatus of upload (valid range: 0-6).
CBP.FileUpload.ComputerIDStringID of the computer entry associated with this analysis.
CBP.FileUpload.DateModifiedDateDate/time when the fileAnalysis request was last modified (UTC).
CBP.FileUpload.FileCatalogIdStringID of the fileCatalog entry associated with this analysis.
CBP.FileUpload.DateCreatedDateDate/time when the fileAnalysis request was created (UTC).
CBP.FileUpload.IDStringUnique fileAnalysis ID.
CBP.FileUpload.UploadedFileSizeNumberSize of the uploaded file. The file size will be 0 unless the uploadStatus is "3" (Completed).

cbp-connector-get#


Returns the object instance of this class.

Base Command#

cbp-connector-get

Input#

Argument NameDescriptionRequired
id(Int) Unique connector ID.Required

Context Output#

PathTypeDescription
CBP.Connector.AnalysisEnabledBoolean"True" if the analysis component of this connector is enabled. "False" if the analysis component of this connector is disabled.
CBP.Connector.AnalysisNameStringName for the analysis component of the connector (can be same as the name field).
CBP.Connector.AnalysisTargetsStringArray of possible analysis targets. Analysis targets are required when creating a new fileAnalysis. They usualy represent different OS and configurations and are available only for some internal connectors.
CBP.Connector.CanAnalyzeBoolean"True" if this connector can analyze files. "False" if this connector cannot analyze files.
CBP.Connector.ConnectorVersionStringVersion of this connector.
CBP.Connector.EnabledBoolean"True" if the connector is enabled. "False" if the connector is disabled.
CBP.Connector.IDStringUnique fileAnalysis ID.

cbp-connector-search#


Returns objects that match the specified criteria.

Base Command#

cbp-connector-search

Input#

Argument NameDescriptionRequired
queryA condition contains three parts: name, operator and value. Name is any valid field in the object that is being queried. Operator (: LIKE, ! NOT LIKE, < Less than, > Greater than, + logical AND, - logical OR, | separating values) is any of valid operators (see below). All operators consist of a single character. Value is compared with operator and depends on field type. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#searching.Optional
limit(Int) Maximum number of results to retrieve. If not specified, the first 1000 results will be returned. If set to "-1", only the result count will be returned, without actual results, and the offset parameter is ignored. If set to "0", all results will be returned, and the offset parameter is ignored. Note that some result sets might be very large, resulting in query timeout. Therefore, unless you know that query will not return more than 1000 results, it is recommended to retrieve data in chunks using offset and limit.Optional
offset(Int) Offset in the data set.Optional
groupGrouping is optional and can be defined with a single attribute: &group=xyz. There can be only one grouping field, for example: group=osShortName.Optional
sortSorting is optional and can be defined with a single attribute where xyz is the field name from the result set: &sort=xyz [ASC|DESC]. There can be only one sorting field. Default sort order is ascending (ASC).Optional

Context Output#

PathTypeDescription
CBP.Connector.AnalysisEnabledBoolean"True" if the analysis component of this connector is enabled. "False" if the analysis component of this connector is disabled.
CBP.Connector.AnalysisNameStringName for the analysis component of the connector (can be same as the name field).
CBP.Connector.AnalysisTargetsStringArray of possible analysis targets. Analysis targets are required when creating a new fileAnalysis. They usualy represent different OS and configurations and are available only for some internal connectors.
CBP.Connector.CanAnalyzeBoolean"True" if this connector can analyze files. "False" if this connector cannot analyze files.
CBP.Connector.ConnectorVersionStringVersion of this connector.
CBP.Connector.EnabledBoolean"True" if the connector is enabled. "False" if the connector is disabled.
CBP.Connector.IDStringUnique fileAnalysis ID.

cbp-approvalRequest-resolve#


Resolves a file approval request.

Base Command#

cbp-approvalRequest-resolve

Input#

Argument NameDescriptionRequired
idID of the approval request to update.Required
resolutionResolution of the request. Resolution can be changed for open requests or
closed requests only. It can be one of:
0=Not Resolved
1=Rejected
2=Resolved - Approved
3=Resolved - Rule Change4=Resolved - Installer
5=Resolved - Updater
6=Resolved - Publisher
7=Resolved - Other. Possible values are: Rejected, Resolved - Approved, Resolved - Rule Change4=Resolved - Installer, Resolved - Updater, Resolved - Publisher, Resolved - Other.
Required
requestorEmailEmail address of the user that created this request.Optional
resolutionCommentsComments added by the user that resolved the request.Optional
statusRequest status. Can be one of: 1=New, 2=Open, 3=Closed, 4=Escalated. Prohibited transitions are from any status back to 0 or 1. Possible values are: New, Open, Closed, Escalated.Optional

Context Output#

PathTypeDescription
CBP.ApprovalRequest.IDNumberID of the approval request.
CBP.ApprovalRequest.ResolutionCommentsStringComments added by the user that resolved the request.
CBP.ApprovalRequest.ResolutionNumberResolution of request. Can be one of: 0=Not Resolved, 1=Rejected, 2=Resolved - Approved, 3=Resolved - Rule Change, 4=Resolved - Installer, 5=Resolved - Updater, 6=Resolved - Publisher, 7=Resolved - Other
CBP.ApprovalRequest.StatusNumberRequest status. Can be one of: 1=New, 2=Open, 3=Closed, 4=Escalated

cbp-fileRule-createOrUpdate#


Creates or updates a file rule. For more information, see the Carbon Black documentation: https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#filerule

Base Command#

cbp-fileRule-createOrUpdate

Input#

Argument NameDescriptionRequired
hash(String) Hash associated with this rule. This parameter is not required if the fileCatalogId is supplied.Optional
fileState(Int) File state for this rule. Can be one of: 1=Unapproved 2=Approved 3=Banned. Possible values are: 1, 2, 3.Required
id(Int) Unique ID of this fileRule.Optional
fileCatalogId(Int) ID of the fileCatalog entry associated with this fileRule. Can be "0" if creating or modifying the rule based on the hash or file name. This value can be fetched via cbp-fileCatalog-search command.Optional
name(String) Name of this rule.Optional
description(String) Description of this rule.Optional
reportOnly(Boolean) Set to "true" to create a report-only ban. Note: fileState has to be set to "1" (unapproved) before this flag can be set. Possible values are: true, false.Optional
reputationApprovalsEnabled(Boolean) "True" if reputation approvals are enabled for this file. "False" if reputation approvals are disabled for this file. Possible values are: true, false.Optional
forceInstaller(Boolean) "True" if this file is forced to act as installer, even if the product detected it as ‘not installer’. Possible values are: true, false.Optional
forceNotInstaller(Boolean) "True" if this file is forced to act as ‘not installer’, even if the product detected it as installer. Possible values are: true, false.Optional
policyIds(String) List of IDs of policies to which this rule applies. Set to "0" if this is a global rule.Optional
platformFlags(Int) Set of platform flags where this file rule will be valid. combination of: 1 = Windows 2 = Mac 4 = Linux.Optional
headersHeaders to present of the returned table.Optional

Context Output#

PathTypeDescription
CBP.FileRule.CatalogIDStringThe file catalog ID for the rule.
CBP.FileRule.DescriptionStringThe rule description.
CBP.FileRule.FileStateStringThe file state for the rule.
CBP.FileRule.HashStringThe hash for the rule.
CBP.FileRule.IDStringThe rule ID.
CBP.FileRule.NameStringThe rule name.
CBP.FileRule.PolicyIDsStringThe policies this rule belongs to.
CBP.FileRule.ReportOnlyStringIs this rule "reporting only" or is it also "enforcing".