Skip to main content

VMware Carbon Black EDR (Deprecated)

This Integration is part of the Carbon Black Enterprise Response Pack.#

Deprecated

Use VMware Carbon Black EDR v2 instead.

Deprecated. Use VMware Carbon Black EDR v2 instead. Query and response with Carbon Black endpoint detection and response.

This integration was integrated and tested with version 6.2.0 of Carbon Black Response

Configure carbonblack-v2 in Cortex#

ParameterRequired
Server URLTrue
API TokenTrue
Trust any certificate (not secure)False
Use system proxy settingsFalse
Fetch incidentsFalse
Incident typeFalse
Fetch Alert Severity Threshold Higher ThanFalse
Maximum Number Of Incidents To FetchFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cb-alert#


Retrieve alerts from Carbon Black Response.

Base Command#

cb-alert

Input#

Argument NameDescriptionRequired
statusAlert status to filter by. Possible values are: Unresolved, In Progress, Resolved, False Positive.Optional
usernameAlert username to filter by.Optional
feednameAlert feedname to filter by.Optional
hostnameAlert hostname to filter by.Optional
reportAlert report name (watchlist_id) to filter by.Optional
queryQuery string. Accepts the same data as the search box on the Binary Search page. See https://github.com/carbonblack/cbapi/blob/master/client_apis/docs/query_overview.pdf.Optional
rowsReturn this many rows, 10 by default.Optional
startStart at this row, 0 by default.Optional
sortSort rows by this field and order. server_added_timestamp desc by default.Optional
facetReturn facet results. 'false' by default, set to 'true' for facets.Optional

Context Output#

PathTypeDescription
CbResponse.Alerts.CbAlertIDunknownAlert unique id
CbResponse.Alerts.ProcessPathstringAlert Process Path
CbResponse.Alerts.HostnamestringAlert Hostname
CbResponse.Alerts.InterfaceIPstringAlert interface IP
CbResponse.Alerts.CommsIPstringCommunications IP
CbResponse.Alerts.MD5stringAlert process MD5
CbResponse.Alerts.DescriptionunknownAlert description
CbResponse.Alerts.FeedNameunknownAlert feed name
CbResponse.Alerts.SeverityunknownAlert severity
CbResponse.Alerts.TimeunknownAlert created time
CbResponse.Alerts.StatusunknownAlert status. One of: Unresolved, Resolved, False Positive

Command Example#

#### Human Readable Output
### cb-binary
***
Query for binaries based on given parameters
#### Base Command
`cb-binary`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| digital-signature | Whether digital signature is signed or not. Possible values are: Signed, Unsigned. | Optional |
| publisher | Filter binary by publisher. | Optional |
| company-name | Filter binary by company name. | Optional |
| product-name | Filter binary by product name. | Optional |
| filepath | Filter binary by file path. | Optional |
| group | Filter binary by group. | Optional |
| hostname | Filter binary by hostname. | Optional |
| query | Query string. Accepts the same data as the search box on the Binary Search page. See https://github.com/carbonblack/cbapi/blob/master/client_apis/docs/query_overview.pdf. | Optional |
| rows | Return this many rows, 10 by default. | Optional |
| start | Start at this row, 0 by default. | Optional |
| sort | Sort rows by this field and order. server_added_timestamp desc by default. | Optional |
| facet | Return facet results. 'false' by default, set to 'true' for facets. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| File.DigSig.Publisher | unknown | The publisher of the Digital Signature |
| File.InternalName | unknown | The Internal Name |
| File.ServerAddedTimestamp | unknown | The server added timestamp |
| File.Name | unknown | Binary Name |
| File.Extension | unknown | Binary Extension |
| File.Timestamp | unknown | Binary Timestamp |
| File.Hostname | unknown | Binary Hostname |
| File.Description | unknown | The description |
| File.DigSig.Result | unknown | Cb's decision after checking this binary's Digital Signature |
| File.LastSeen | unknown | Last time binary was seen |
| File.Path | unknown | Binary Path |
| File.ProductName | unknown | The Product Name |
| File.OS | unknown | The OS |
| File.MD5 | unknown | Binary MD5 |
| File.Company | string | Name of the company that released a binary |
| File.DigitalSignature.Publisher | string | Publisher of the digital signature for the file. |
| File.Name | string | Full Filename e.g. data.xls. |
| File.Signature.OriginalName | string | File's original name. |
| File.Signature.InternalName | string | File's internal name. |
| File.Signature.FileVersion | string | File version. |
| File.Signature.Description | string | Description of the signature. |
#### Command Example

Human Readable Output#

cb-block-hash#


Blocking hash

Base Command#

cb-block-hash

Input#

Argument NameDescriptionRequired
md5hashthe blacklisted hash.Required
texttext description of block list.Required
lastBanTimethe last time the hash was blocked or prevented from being executed.Optional
banCounttotal number of blocks on this block list.Optional
lastBanHostlast hostname to block this hash.Optional

Context Output#

PathTypeDescription
File.LastActionunknownLast action taken on this file

Command Example#

#### Human Readable Output
### cb-get-hash-blacklist
***
Returns a list of hashes on block list, with each list entry describing one hash on block list.
#### Base Command
`cb-get-hash-blacklist`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| filter | OPTIONAL filters blacklist by fields. Example: filter="md5hash == put_your_hash_here". | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CbResponse.BlockedHashes.MD5 | unknown | Blocked MD5 |
| CbResponse.BlockedHashes.Enabled | unknown | Is Enabled |
| CbResponse.BlockedHashes.Description | unknown | Blocked Description |
| CbResponse.BlockedHashes.Timestamp | unknown | Blocked Timestamp |
| CbResponse.BlockedHashes.BlockCount | unknown | Blocked Count |
| CbResponse.BlockedHashes.Username | unknown | Blocked hash username |
| CbResponse.BlockedHashes.LastBlock.Time | unknown | Last block time |
| CbResponse.BlockedHashes.LastBlock.Hostname | unknown | Last block hostname |
| CbResponse.BlockedHashes.LastBlock.CbSensorID | unknown | Last block sensor ID |
#### Command Example

Human Readable Output#

cb-get-process#


Gets basic process information for segment (segment_id) of process (process_id)

Base Command#

cb-get-process

Input#

Argument NameDescriptionRequired
pidthe internal CB process id; this is the id field in search results.Required
segidthe process segment id, the segment_id field in search results.Required
get_relatedIf set to true, will get process siblings, parent and children. Possible values are: false, true. Default is false.Optional

Context Output#

PathTypeDescription
Process.Siblings.MD5unknownThe sibling Process MD5
Process.CbSegmentIDunknownCb 'segment' where this process instance is stored. Required to fetch further info on a process.
Process.Parent.MD5unknownThe parent Process MD5
Process.Children.CommandLineunknownThe children Process CommandLine
Process.HostnameunknownProcess Hostname
Process.Parent.CbSegmentIDunknownThe parent Cb 'segment' where this process instance is stored. Required to fetch further info on a process.
Process.CbIDunknownCb unique ID for this process instance - required (together with CbSegmentID) to fetch further info on a process.
Process.Siblings.CbSegmentIDunknownThe sibling Cb 'segment' where this process instance is stored. Required to fetch further info on a process.
Process.Children.NameunknownThe children Process Name
Process.Parent.NameunknownThe parent Process Name
Process.Siblings.HostnameunknownThe sibling Process Hostname
Process.Parent.PathunknownThe parent Process Path
Process.Children.HostnameunknownThe children Process Hostname
Process.PIDunknownProcess PID
Process.Children.CbSegmentIDunknownThe children Cb 'segment' where this process instance is stored. Required to fetch further info on a process.
Process.Children.CbIDunknownThe children Cb unique ID for this process instance - required (together with CbSegmentID) to fetch further info on a process.
Process.PathunknownProcess Path
Process.Parent.PIDunknownThe parent Process PID
Process.Children.PathunknownThe children Process Path
Process.NameunknownProcess Name
Process.Children.PIDunknownThe children Process PID
Process.Parent.CbIDunknownThe parent Cb unique ID for this process instance - required (together with CbSegmentID) to fetch further info on a process.
Process.CommandLineunknownProcess CommandLine
Process.Siblings.CommandLineunknownThe sibling Process CommandLine
Process.Siblings.NameunknownThe sibling Process Name
Process.Parent.CommandLineunknownThe parent Process CommandLine
Process.Parent.HostnameunknownThe parent Process Hostname
Process.MD5unknownProcess MD5
Process.Children.MD5unknownThe children Process MD5
Process.Siblings.CbIDunknownThe sibling Cb unique ID for this process instance - required (together with CbSegmentID) to fetch further info on a process.
Process.Siblings.PathunknownThe sibling Process Path
Process.Siblings.PIDunknownThe sibling Process PID
Process.StartTimedateStart time of the process.

Command Example#

#### Human Readable Output
### cb-get-processes
***
Query processes based on given parameters
#### Base Command
`cb-get-processes`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| name | Filter processes by name. | Optional |
| group | Filter processes by group. | Optional |
| hostname | Filter processes by hostname. | Optional |
| parent-process-name | Filter processes by parent process name. | Optional |
| process-path | Filter processes by process path (Example: "c:\windows\resources\spoolsv.exe"). | Optional |
| md5 | Filter processes by md5 hash. | Optional |
| query | Query string. Accepts the same data as the search box on the Binary Search page. See https://github.com/carbonblack/cbapi/blob/master/client_apis/docs/query_overview.pdf. | Optional |
| rows | Return this many rows, 10 by default. | Optional |
| start | Start at this row, 0 by default. | Optional |
| sort | Sort rows by this field and order. server_added_timestamp desc by default. | Optional |
| facet | Return facet results. 'false' by default, set to 'true' for facets. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| File.Name | unknown | File Name |
| File.MD5 | unknown | File MD5 |
| File.Path | unknown | File Path |
| Endpoint.Hostname | unknown | Endpoint Hostname |
| Process.CommandLine | unknown | Process Commandline |
| Process.PID | unknown | Process PID |
| Process.CbID | unknown | Cb unique ID for this process instance - required \(together with CbSegmentID\) to fetch further info on a process. |
| Process.CbSegmentId | unknown | Cb "segment" where this process instance is stored. Required to fetch further info on a process. |
| Process.Parent.PID | unknown | Process Parent PID |
| Process.Parent.Name | unknown | Process Parent Name |
| Process.StartTime | date | Start time of the process. |
#### Command Example

Human Readable Output#

cb-list-sensors#


List the CarbonBlack sensors

Base Command#

cb-list-sensors

Input#

Argument NameDescriptionRequired
limitThe maximum amount of sensors to be returned.Optional

Context Output#

PathTypeDescription
CbResponse.Sensors.StatusunknownSensor Status
CbResponse.Sensors.LastUpdateunknownSensor Last Updated
CbResponse.Sensors.UptimeunknownThe Sensor uptime
CbResponse.Sensors.SupportsCbLiveunknownSensor Support CB Live
CbResponse.Sensors.NotesunknownSensor Notes
CbResponse.Sensors.HostnameunknownHostname
CbResponse.Sensors.CbSensorIDunknownSensor ID
CbResponse.Sensors.IsolatedunknownSensor Isolated
CbResponse.Sensors.IPAddressesunknownSensor IP Addresses
CbResponse.Sensors.OSunknownSensor OS
Endpoint.HostnameunknownSensor Hostname
Endpoint.OSunknownSensor OS
Endpoint.IPAddressesunknownSensor IP Addresses

Command Example#

#### Human Readable Output
### cb-process-events
***
Retrieve all process events for a given process segmented by segment ID
#### Base Command
`cb-process-events`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| pid | the internal CB process id; this is the id field in search results. | Required |
| segid | the process segment id; this is the segment_id field in search results. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Process.CrossProc.OtherProcessMD5 | unknown | Other process MD5 |
| Process.MD5 | unknown | Process MD5 |
| Process.Modules.MD5 | unknown | Module MD5 |
| Process.CommandLine | unknown | Process CommandLine |
| Process.Registry.RegistryPath | unknown | Registry path |
| Process.Path | unknown | Process Path |
| Process.CbID | unknown | Cb unique ID for this process instance - required \(together with CbSegmentID\) to fetch further info on a process. |
| Process.Parent.Name | unknown | The parent Process Name |
| Process.Hostname | unknown | Process Hostname |
| Process.Binaries.DigSig.Publisher | unknown | The publisher of the Digital Signature |
| Process.CrossProc.Action | unknown | Cross process action |
| Process.CrossProc.OtherProcessCbID | unknown | Other process CbID |
| Process.CbSegmentID | unknown | Cb 'segment' where this process instance is stored. Required to fetch further info on a process. |
| Process.Name | unknown | Process Name |
| Process.CrossProc.Time | unknown | Time of action |
| Process.PID | unknown | Process PID |
| Process.Modules.Filepath | unknown | Module path |
| Process.Binaries.DigSig.Result | unknown | Cb's decision after checking this binary's Digital Signature |
| Process.Parent.PID | unknown | The parent Process PID |
| Process.Binaries.MD5 | unknown | Binary MD5 |
| Process.CrossProc.OtherProcessBinary | unknown | Other process binary |
| Process.Registry.Time | unknown | Registry time |
| Process.Modules.Time | unknown | Module time |
#### Command Example

Human Readable Output#

cb-quarantine-device#


Isolate the endpoint from the network

Base Command#

cb-quarantine-device

Input#

Argument NameDescriptionRequired
sensorthe sensor ID to quarantine.Required

Context Output#

PathTypeDescription
Endpoint.LastActionunknownEndpoint Actions

Command Example#

#### Human Readable Output
### cb-sensor-info
***
Display information about the given sensor
#### Base Command
`cb-sensor-info`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| sensor | the sensor id. | Optional |
| ip | returns the sensor registration(s) with specified IP address. | Optional |
| hostname | returns the sensor registration(s) with matching hostname. | Optional |
| groupid | returns the sensor registration(s) in the specified sensor group id. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CbResponse.Sensors.Status | unknown | Sensor Status |
| CbResponse.Sensors.LastUpdate | unknown | Sensor Last Updated |
| CbResponse.Sensors.Uptime | unknown | The Sensor uptime |
| CbResponse.Sensors.SupportsCbLive | unknown | Sensor Support CB Live |
| CbResponse.Sensors.Notes | unknown | Sensor Notes |
| CbResponse.Sensors.Hostname | unknown | Sensor Hostname |
| CbResponse.Sensors.CbSensorID | unknown | Sensor ID |
| CbResponse.Sensors.Isolated | unknown | Sensor Isolated |
| CbResponse.Sensors.IPAddresses | unknown | Sensor IP Addresses |
| CbResponse.Sensors.OS | unknown | Sensor OS |
#### Command Example

Human Readable Output#

cb-unblock-hash#


Unblocking hash

Base Command#

cb-unblock-hash

Input#

Argument NameDescriptionRequired
md5hashthe hash on the block list.Required
texttext description of block list.Required

Context Output#

PathTypeDescription
File.LastActionunknownLast action taken on this file

Command Example#

#### Human Readable Output
### cb-unquarantine-device
***
Unquarantine the endpoint
#### Base Command
`cb-unquarantine-device`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| sensor | the sensor ID to quarantine. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Endpoint.LastAction | unknown | Endpoint Actions |
#### Command Example

Human Readable Output#

cb-version#


Display the CarbonBlack version

Base Command#

cb-version

Input#

Argument NameDescriptionRequired

Context Output#

There is no context output for this command.

Command Example#

#### Human Readable Output
### cb-watchlist-del
***
Delete a watchlist in Carbon black Response.
#### Base Command
`cb-watchlist-del`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| watchlist-id | Watchlist ID. | Required |
#### Context Output
There is no context output for this command.
#### Command Example

Human Readable Output#

cb-watchlist-get#


Retrieve info for a watchlist in Carbon black Response.

Base Command#

cb-watchlist-get

Input#

Argument NameDescriptionRequired
watchlist-idWatchlist ID.Optional

Context Output#

PathTypeDescription
CbResponse.Watchlists.LastHitunknownWatchlist last hit
CbResponse.Watchlists.TotalHitsunknownWatchlist Total hits
CbResponse.Watchlists.SearchQueryunknownCb search query used for the watchlist.
CbResponse.Watchlists.NameunknownWatchlist Name
CbResponse.Watchlists.EnabledunknownWatchlist is enabled
CbResponse.Watchlists.LastHitCountunknownWatchlist last hit count
CbResponse.Watchlists.DateAddedunknownWatchlist Date added
CbResponse.Watchlists.SearchTimestampunknownWatchlist last hit count
CbResponse.Watchlists.CbWatchlistIDunknownWatchlist ID

Command Example#

#### Human Readable Output
### cb-watchlist-new
***
Create a new watchlist in Carbon black Response.
#### Base Command
`cb-watchlist-new`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| search-query | the raw Carbon Black query that this watchlist matches. | Required |
| name | name of this watchlist. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| CbResponse.Watchlists.LastHit | unknown | Watchlist last hit |
| CbResponse.Watchlists.TotalHits | unknown | Watchlist Total hits |
| CbResponse.Watchlists.SearchQuery | unknown | Cb search query used for the watchlist. |
| CbResponse.Watchlists.Name | unknown | Watchlist Name |
| CbResponse.Watchlists.Enabled | unknown | Watchlist is enabled |
| CbResponse.Watchlists.LastHitCount | unknown | Watchlist last hit count |
| CbResponse.Watchlists.DateAdded | unknown | Watchlist Date added |
| CbResponse.Watchlists.SearchTimestamp | unknown | Watchlist last hit count |
| CbResponse.Watchlists.CbWatchlistID | unknown | Watchlist ID |
#### Command Example

Human Readable Output#

cb-watchlist-set#


Modify a watchlist in Carbon black Response.

Base Command#

cb-watchlist-set

Input#

Argument NameDescriptionRequired
watchlist-idWatchlist ID.Required
search-querythe raw Carbon Black query that this watchlist matches.Optional
namename of this watchlist.Optional
indexTypethe type of watchlist. Valid values are 'modules' and 'events' for binary and process watchlists, respectively.Optional

Context Output#

There is no context output for this command.

Command Example#

#### Human Readable Output
### cb-alert-update
***
Alert update and resolution
#### Base Command
`cb-alert-update`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| uniqueId | Alert unique identifier. | Required |
| status | Updated alert's status: Resolved,Unresolved,In Progress or False Positive. Possible values are: Resolved, Unresolved, In Progress, False Positive. | Required |
| setIgnored | Whether to stop showing this type of alert. Possible values are: true, false. | Optional |
#### Context Output
There is no context output for this command.
#### Command Example

Human Readable Output#

cb-watchlist#


Retrieve watchlist in Carbon black Response.

Base Command#

cb-watchlist

Input#

Argument NameDescriptionRequired

Context Output#

PathTypeDescription
CbResponse.Watchlists.LastHitunknownWatchlist last hit
CbResponse.Watchlists.TotalHitsunknownWatchlist Total hits
CbResponse.Watchlists.SearchQueryunknownCb search query used for the watchlist.
CbResponse.Watchlists.NameunknownWatchlist Name
CbResponse.Watchlists.EnabledunknownWatchlist is enabled
CbResponse.Watchlists.LastHitCountunknownWatchlist last hit count
CbResponse.Watchlists.DateAddedunknownWatchlist Date added
CbResponse.Watchlists.SearchTimestampunknownWatchlist last hit count
CbResponse.Watchlists.CbWatchlistIDunknownWatchlist ID

Command Example#

#### Human Readable Output
### cb-binary-download
***
Retrieve a binary from CarbonBlack based on hash. Returns a .zip file containing the requested file and it's metadata.
#### Base Command
`cb-binary-download`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| md5 | MD5 hash of the file. | Required |
| summary | Whether to include the summary. Possible values are: yes, no. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| File.DigSig.Publisher | unknown | The publisher of the digital signature. |
| File.InternalName | unknown | The internal name. |
| File.ServerAddedTimestamp | unknown | The timestamp when the server was added. |
| File.Name | unknown | The binary name. |
| File.Extension | unknown | The binary extension. |
| File.Timestamp | unknown | The binary timestamp. |
| File.Hostname | unknown | The binary hostname. |
| File.Description | unknown | The binary description. |
| File.DigSig.Result | unknown | The Carbon Black decision after checking this binary's digital signature. |
| File.LastSeen | unknown | LThe lst time the binary was seen. |
| File.Path | unknown | The binary path. |
| File.ProductName | unknown | The product name. |
| File.OS | unknown | The OS. |
| File.MD5 | unknown | The MD5 hash of the binary. |
| File.Company | unknown | Name of the company that released a binary. |
| File.DigitalSignature.Publisher | unknown | Publisher of the digital signature for the file. |
| File.Name | unknown | Full filename, for example data.xls. |
| File.Signature.OriginalName | unknown | The file's original name. |
| File.Signature.InternalName | unknown | The file's internal name. |
| File.Signature.FileVersion | unknown | The file version. |
| File.Signature.Description | unknown | The description of the signature. |
#### Command Example

Human Readable Output#