# VMware Carbon Black EDR (Deprecated)

This Integration is part of the Carbon Black Enterprise Response Pack.

Deprecated

Use VMware Carbon Black EDR v2 instead.

Query and respond with Carbon Black endpoint detection and response.

This integration was integrated and tested with version 6.2.0 of Carbon Black Response.

## Configure carbonblack-v2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for carbonblack-v2.
3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | Server URL | True |
    | API Token | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
    | Fetch incidents | False |
    | Incident type | False |
    | Fetch Alert Severity Threshold Higher Than | False |
    | Maximum Number Of Incidents To Fetch | False |

4. Click Test to validate the URLs, token, and connection.
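As an added example (not code from the integration itself), the selection logic a fetch-incidents run needs in order to honour the Fetch Alert Severity Threshold Higher Than and Maximum Number Of Incidents To Fetch parameters without re-creating incidents on the next run. The alert records are constructed and shaped like the cb-alert context output; the last-run bookkeeping format is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample alerts shaped like the cb-alert context output (CbResponse.Alerts).
# Severity is Carbon Black's 0-100 alert score; Time is the creation time in UTC.
SAMPLE_ALERTS = [
    {"CbAlertID": "a1", "Severity": 30, "Time": "2024-01-10T10:00:00Z", "Hostname": "ws01",
     "Description": "Low-severity watchlist hit", "Status": "Unresolved"},
    {"CbAlertID": "a2", "Severity": 80, "Time": "2024-01-10T10:05:00Z", "Hostname": "ws02",
     "Description": "Feed hit", "Status": "Unresolved"},
    {"CbAlertID": "a3", "Severity": 95, "Time": "2024-01-10T10:05:00Z", "Hostname": "ws03",
     "Description": "Feed hit", "Status": "Unresolved"},
    {"CbAlertID": "a4", "Severity": 60, "Time": "2024-01-10T10:07:00Z", "Hostname": "ws04",
     "Description": "Watchlist hit", "Status": "Unresolved"},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def select_alerts_to_fetch(alerts, severity_threshold, max_fetch, last_run):
    """Pick the alerts one fetch-incidents run should turn into incidents.

    Keeps alerts whose Severity is strictly higher than the threshold, skips anything
    older than the previous run's watermark (or already seen at that exact second),
    caps the batch at max_fetch oldest-first, and returns the updated last-run state.
    The last-run format {"last_fetch": iso_time, "seen_ids": [...]} is an assumption."""
    last_time = last_run.get("last_fetch")
    seen_ids = set(last_run.get("seen_ids", []))
    candidates = []
    for alert in alerts:
        if alert["Severity"] <= severity_threshold:
            continue
        if last_time is not None:
            t, watermark = parse_time(alert["Time"]), parse_time(last_time)
            if t < watermark or (t == watermark and alert["CbAlertID"] in seen_ids):
                continue
        candidates.append(alert)
    # Oldest first so the watermark only ever moves forward; the ID breaks ties deterministically.
    candidates.sort(key=lambda a: (parse_time(a["Time"]), a["CbAlertID"]))
    picked = candidates[:max_fetch]
    incidents = [{"name": f"Carbon Black alert {a['CbAlertID']} on {a['Hostname']}",
                  "occurred": a["Time"], "rawJSON": json.dumps(a)} for a in picked]
    if not picked:
        return incidents, dict(last_run)
    newest = picked[-1]["Time"]
    seen_now = {a["CbAlertID"] for a in picked if a["Time"] == newest}
    if newest == last_time:
        seen_now |= seen_ids  # same second as the previous watermark: accumulate, never forget
    return incidents, {"last_fetch": newest, "seen_ids": sorted(seen_now)}

def incident_alert_ids(incidents):
    """IDs of the alerts behind a batch of incidents (used to verify the selection)."""
    return [json.loads(i["rawJSON"])["CbAlertID"] for i in incidents]
```

With a cap of 1, the two alerts sharing the 10:05:00 timestamp are delivered on consecutive runs rather than the second one being lost or duplicated.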

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### cb-alert

Retrieve alerts from Carbon Black Response.

#### Base Command

`cb-alert`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| status | Alert status to filter by. Possible values are: Unresolved, In Progress, Resolved, False Positive. | Optional |
| username | Alert username to filter by. | Optional |
| feedname | Alert feedname to filter by. | Optional |
| hostname | Alert hostname to filter by. | Optional |
| report | Alert report name (watchlist_id) to filter by. | Optional |
| query | Query string. Accepts the same data as the search box on the Binary Search page. See https://github.com/carbonblack/cbapi/blob/master/client_apis/docs/query_overview.pdf. | Optional |
| rows | Return this many rows, 10 by default. | Optional |
| start | Start at this row, 0 by default. | Optional |
| sort | Sort rows by this field and order. server_added_timestamp desc by default. | Optional |
| facet | Return facet results. 'false' by default, set to 'true' for facets. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.Alerts.CbAlertID | unknown | Alert unique ID |
| CbResponse.Alerts.ProcessPath | string | Alert process path |
| CbResponse.Alerts.Hostname | string | Alert hostname |
| CbResponse.Alerts.InterfaceIP | string | Alert interface IP |
| CbResponse.Alerts.CommsIP | string | Communications IP |
| CbResponse.Alerts.MD5 | string | Alert process MD5 |
| CbResponse.Alerts.Description | unknown | Alert description |
| CbResponse.Alerts.FeedName | unknown | Alert feed name |
| CbResponse.Alerts.Severity | unknown | Alert severity |
| CbResponse.Alerts.Time | unknown | Alert created time |
| CbResponse.Alerts.Status | unknown | Alert status. One of: Unresolved, Resolved, False Positive |

#### Command Example

#### Human Readable Output

### cb-binary

Query for binaries based on the given parameters.

#### Base Command

`cb-binary`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| digital-signature | Whether the digital signature is signed or not. Possible values are: Signed, Unsigned. | Optional |
| publisher | Filter binary by publisher. | Optional |
| company-name | Filter binary by company name. | Optional |
| product-name | Filter binary by product name. | Optional |
| filepath | Filter binary by file path. | Optional |
| group | Filter binary by group. | Optional |
| hostname | Filter binary by hostname. | Optional |
| query | Query string. Accepts the same data as the search box on the Binary Search page. See https://github.com/carbonblack/cbapi/blob/master/client_apis/docs/query_overview.pdf. | Optional |
| rows | Return this many rows, 10 by default. | Optional |
| start | Start at this row, 0 by default. | Optional |
| sort | Sort rows by this field and order. server_added_timestamp desc by default. | Optional |
| facet | Return facet results. 'false' by default, set to 'true' for facets. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.DigSig.Publisher | unknown | The publisher of the digital signature |
| File.InternalName | unknown | The internal name |
| File.ServerAddedTimestamp | unknown | The server added timestamp |
| File.Name | unknown | Binary name |
| File.Extension | unknown | Binary extension |
| File.Timestamp | unknown | Binary timestamp |
| File.Hostname | unknown | Binary hostname |
| File.Description | unknown | The description |
| File.DigSig.Result | unknown | Cb's decision after checking this binary's digital signature |
| File.LastSeen | unknown | Last time the binary was seen |
| File.Path | unknown | Binary path |
| File.ProductName | unknown | The product name |
| File.OS | unknown | The OS |
| File.MD5 | unknown | Binary MD5 |
| File.Company | string | Name of the company that released the binary |
| File.DigitalSignature.Publisher | string | Publisher of the digital signature for the file. |
| File.Name | string | Full filename, e.g. data.xls. |
| File.Signature.OriginalName | string | File's original name. |
| File.Signature.InternalName | string | File's internal name. |
| File.Signature.FileVersion | string | File version. |
| File.Signature.Description | string | Description of the signature. |

#### Command Example

#### Human Readable Output

### cb-block-hash

Block a hash.

#### Base Command

`cb-block-hash`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5hash | The blacklisted hash. | Required |
| text | Text description of the block list entry. | Required |
| lastBanTime | The last time the hash was blocked or prevented from being executed. | Optional |
| banCount | Total number of blocks on this block list entry. | Optional |
| lastBanHost | Last hostname to block this hash. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.LastAction | unknown | Last action taken on this file |

#### Command Example

#### Human Readable Output

### cb-get-hash-blacklist

Returns the hashes on the block list, with each list entry describing one blocked hash.

#### Base Command

`cb-get-hash-blacklist`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Filters the block list by fields. Example: filter="md5hash == put_your_hash_here". | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.BlockedHashes.MD5 | unknown | Blocked MD5 |
| CbResponse.BlockedHashes.Enabled | unknown | Is enabled |
| CbResponse.BlockedHashes.Description | unknown | Blocked description |
| CbResponse.BlockedHashes.Timestamp | unknown | Blocked timestamp |
| CbResponse.BlockedHashes.BlockCount | unknown | Blocked count |
| CbResponse.BlockedHashes.Username | unknown | Blocked hash username |
| CbResponse.BlockedHashes.LastBlock.Time | unknown | Last block time |
| CbResponse.BlockedHashes.LastBlock.Hostname | unknown | Last block hostname |
| CbResponse.BlockedHashes.LastBlock.CbSensorID | unknown | Last block sensor ID |

#### Command Example

#### Human Readable Output

### cb-get-process

Gets basic process information for segment (segment_id) of process (process_id).

#### Base Command

`cb-get-process`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| pid | The internal CB process ID; this is the `id` field in search results. | Required |
| segid | The process segment ID; this is the `segment_id` field in search results. | Required |
| get_related | If set to true, also returns the process siblings, parent and children. Possible values are: false, true. Default is false. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Process.Siblings.MD5 | unknown | The sibling process MD5 |
| Process.CbSegmentID | unknown | Cb 'segment' where this process instance is stored. Required to fetch further info on a process. |
| Process.Parent.MD5 | unknown | The parent process MD5 |
| Process.Children.CommandLine | unknown | The child process command line |
| Process.Hostname | unknown | Process hostname |
| Process.Parent.CbSegmentID | unknown | The parent's Cb 'segment' where this process instance is stored. Required to fetch further info on a process. |
| Process.CbID | unknown | Cb unique ID for this process instance; required (together with CbSegmentID) to fetch further info on a process. |
| Process.Siblings.CbSegmentID | unknown | The sibling's Cb 'segment' where this process instance is stored. Required to fetch further info on a process. |
| Process.Children.Name | unknown | The child process name |
| Process.Parent.Name | unknown | The parent process name |
| Process.Siblings.Hostname | unknown | The sibling process hostname |
| Process.Parent.Path | unknown | The parent process path |
| Process.Children.Hostname | unknown | The child process hostname |
| Process.PID | unknown | Process PID |
| Process.Children.CbSegmentID | unknown | The child's Cb 'segment' where this process instance is stored. Required to fetch further info on a process. |
| Process.Children.CbID | unknown | The child's Cb unique ID for this process instance; required (together with CbSegmentID) to fetch further info on a process. |
| Process.Path | unknown | Process path |
| Process.Parent.PID | unknown | The parent process PID |
| Process.Children.Path | unknown | The child process path |
| Process.Name | unknown | Process name |
| Process.Children.PID | unknown | The child process PID |
| Process.Parent.CbID | unknown | The parent's Cb unique ID for this process instance; required (together with CbSegmentID) to fetch further info on a process. |
| Process.CommandLine | unknown | Process command line |
| Process.Siblings.CommandLine | unknown | The sibling process command line |
| Process.Siblings.Name | unknown | The sibling process name |
| Process.Parent.CommandLine | unknown | The parent process command line |
| Process.Parent.Hostname | unknown | The parent process hostname |
| Process.MD5 | unknown | Process MD5 |
| Process.Children.MD5 | unknown | The child process MD5 |
| Process.Siblings.CbID | unknown | The sibling's Cb unique ID for this process instance; required (together with CbSegmentID) to fetch further info on a process. |
| Process.Siblings.Path | unknown | The sibling process path |
| Process.Siblings.PID | unknown | The sibling process PID |
| Process.StartTime | date | Start time of the process. |

#### Command Example

#### Human Readable Output

### cb-get-processes

Query processes based on the given parameters.

#### Base Command

`cb-get-processes`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Filter processes by name. | Optional |
| group | Filter processes by group. | Optional |
| hostname | Filter processes by hostname. | Optional |
| parent-process-name | Filter processes by parent process name. | Optional |
| process-path | Filter processes by process path (Example: "c:\windows\resources\spoolsv.exe"). | Optional |
| md5 | Filter processes by MD5 hash. | Optional |
| query | Query string. Accepts the same data as the search box on the Binary Search page. See https://github.com/carbonblack/cbapi/blob/master/client_apis/docs/query_overview.pdf. | Optional |
| rows | Return this many rows, 10 by default. | Optional |
| start | Start at this row, 0 by default. | Optional |
| sort | Sort rows by this field and order. server_added_timestamp desc by default. | Optional |
| facet | Return facet results. 'false' by default, set to 'true' for facets. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Name | unknown | File name |
| File.MD5 | unknown | File MD5 |
| File.Path | unknown | File path |
| Endpoint.Hostname | unknown | Endpoint hostname |
| Process.CommandLine | unknown | Process command line |
| Process.PID | unknown | Process PID |
| Process.CbID | unknown | Cb unique ID for this process instance; required (together with CbSegmentID) to fetch further info on a process. |
| Process.CbSegmentId | unknown | Cb "segment" where this process instance is stored. Required to fetch further info on a process. |
| Process.Parent.PID | unknown | Process parent PID |
| Process.Parent.Name | unknown | Process parent name |
| Process.StartTime | date | Start time of the process. |
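An added example, not part of the integration's own code, of how the structured filter arguments, the raw `query` string and the `rows`/`start`/`sort` paging arguments fit together, and how each result's CbID and CbSegmentId become the `pid`/`segid` pair that cb-get-process and cb-process-events require. The mapping of arguments to Carbon Black Response search field names is an assumption to be checked against the linked query overview, and the in-memory `fake_search` stands in for the Carbon Black server with constructed records.

```python
import re

# Assumed mapping from cb-get-processes arguments to Carbon Black Response search
# fields. The names follow the Cb Response query syntax (see the query overview
# linked on this page) and should be verified before use.
PROCESS_FIELDS = {"name": "process_name", "group": "group", "hostname": "hostname",
                  "parent-process-name": "parent_name", "process-path": "path", "md5": "md5"}

def quote_term(value):
    """Double-quote a value containing whitespace so the search parser keeps it whole."""
    value = str(value)
    return f'"{value}"' if any(c.isspace() for c in value) else value

def build_query(args):
    """Turn structured filter arguments plus an optional raw 'query' into one search string.
    Whitespace-separated terms are ANDed by the Cb search box; the raw query is parenthesised."""
    terms = [f"{PROCESS_FIELDS[k]}:{quote_term(v)}" for k, v in args.items()
             if k in PROCESS_FIELDS and v]
    if args.get("query"):
        terms.append(f"({args['query']})")
    return " ".join(terms)

def page_all(search, query, rows=10, sort="server_added_timestamp desc", max_rows=None):
    """Walk a search with the rows/start arguments until a short page comes back.
    search(query, rows, start, sort) stands in for running the command once."""
    rows = max(1, rows)  # rows=0 would never advance
    start, results = 0, []
    while True:
        page = search(query, rows, start, sort)
        results.extend(page)
        if len(page) < rows or (max_rows is not None and len(results) >= max_rows):
            break
        start += rows
    return results[:max_rows] if max_rows is not None else results

def pivot_args(process):
    """Arguments for cb-get-process / cb-process-events taken from one cb-get-processes result."""
    return {"pid": process["CbID"], "segid": process["CbSegmentId"]}

# Constructed stand-in for the Carbon Black server: 23 process records, 20 of them
# svchost.exe and 11 on host ws01. It only understands 'field:value' terms and ignores sort.
SAMPLE_PROCESSES = [
    {"CbID": f"id-{i:02d}", "CbSegmentId": 1, "hostname": "ws01" if i % 2 else "ws02",
     "process_name": "svchost.exe" if i < 20 else "cmd.exe",
     "path": "c:\\windows\\system32\\svchost.exe" if i < 20 else "c:\\windows\\system32\\cmd.exe"}
    for i in range(23)
]

def fake_search(query, rows, start, sort):
    terms = re.findall(r'([A-Za-z_]+):("[^"]*"|\S+)', query)
    hits = [p for p in SAMPLE_PROCESSES
            if all(str(p.get(f)) == v.strip('"') for f, v in terms)]
    return hits[start:start + rows]
```

Because the server returns at most `rows` results per call, a playbook that only runs the command once silently sees the first page; `page_all` keeps requesting with an advancing `start` until a short page signals the end.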

#### Command Example

#### Human Readable Output

### cb-list-sensors

List the Carbon Black sensors.

#### Base Command

`cb-list-sensors`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of sensors to return. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.Sensors.Status | unknown | Sensor status |
| CbResponse.Sensors.LastUpdate | unknown | Sensor last updated |
| CbResponse.Sensors.Uptime | unknown | The sensor uptime |
| CbResponse.Sensors.SupportsCbLive | unknown | Whether the sensor supports CB Live |
| CbResponse.Sensors.Notes | unknown | Sensor notes |
| CbResponse.Sensors.Hostname | unknown | Hostname |
| CbResponse.Sensors.CbSensorID | unknown | Sensor ID |
| CbResponse.Sensors.Isolated | unknown | Whether the sensor is isolated |
| CbResponse.Sensors.IPAddresses | unknown | Sensor IP addresses |
| CbResponse.Sensors.OS | unknown | Sensor OS |
| Endpoint.Hostname | unknown | Sensor hostname |
| Endpoint.OS | unknown | Sensor OS |
| Endpoint.IPAddresses | unknown | Sensor IP addresses |

#### Command Example

#### Human Readable Output

### cb-process-events

Retrieve all process events for a given process, segmented by segment ID.

#### Base Command

`cb-process-events`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| pid | The internal CB process ID; this is the `id` field in search results. | Required |
| segid | The process segment ID; this is the `segment_id` field in search results. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Process.CrossProc.OtherProcessMD5 | unknown | Other process MD5 |
| Process.MD5 | unknown | Process MD5 |
| Process.Modules.MD5 | unknown | Module MD5 |
| Process.CommandLine | unknown | Process command line |
| Process.Registry.RegistryPath | unknown | Registry path |
| Process.Path | unknown | Process path |
| Process.CbID | unknown | Cb unique ID for this process instance; required (together with CbSegmentID) to fetch further info on a process. |
| Process.Parent.Name | unknown | The parent process name |
| Process.Hostname | unknown | Process hostname |
| Process.Binaries.DigSig.Publisher | unknown | The publisher of the digital signature |
| Process.CrossProc.Action | unknown | Cross-process action |
| Process.CrossProc.OtherProcessCbID | unknown | Other process CbID |
| Process.CbSegmentID | unknown | Cb 'segment' where this process instance is stored. Required to fetch further info on a process. |
| Process.Name | unknown | Process name |
| Process.CrossProc.Time | unknown | Time of action |
| Process.PID | unknown | Process PID |
| Process.Modules.Filepath | unknown | Module path |
| Process.Binaries.DigSig.Result | unknown | Cb's decision after checking this binary's digital signature |
| Process.Parent.PID | unknown | The parent process PID |
| Process.Binaries.MD5 | unknown | Binary MD5 |
| Process.CrossProc.OtherProcessBinary | unknown | Other process binary |
| Process.Registry.Time | unknown | Registry time |
| Process.Modules.Time | unknown | Module time |

#### Command Example

#### Human Readable Output

### cb-quarantine-device

Isolate the endpoint from the network.

#### Base Command

`cb-quarantine-device`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor | The sensor ID to quarantine. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.LastAction | unknown | Endpoint actions |

#### Command Example

#### Human Readable Output

### cb-sensor-info

Display information about the given sensor.

#### Base Command

`cb-sensor-info`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor | The sensor ID. | Optional |
| ip | Returns the sensor registration(s) with the specified IP address. | Optional |
| hostname | Returns the sensor registration(s) with a matching hostname. | Optional |
| groupid | Returns the sensor registration(s) in the specified sensor group ID. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.Sensors.Status | unknown | Sensor status |
| CbResponse.Sensors.LastUpdate | unknown | Sensor last updated |
| CbResponse.Sensors.Uptime | unknown | The sensor uptime |
| CbResponse.Sensors.SupportsCbLive | unknown | Whether the sensor supports CB Live |
| CbResponse.Sensors.Notes | unknown | Sensor notes |
| CbResponse.Sensors.Hostname | unknown | Sensor hostname |
| CbResponse.Sensors.CbSensorID | unknown | Sensor ID |
| CbResponse.Sensors.Isolated | unknown | Whether the sensor is isolated |
| CbResponse.Sensors.IPAddresses | unknown | Sensor IP addresses |
| CbResponse.Sensors.OS | unknown | Sensor OS |

#### Command Example

#### Human Readable Output

### cb-unblock-hash

Unblock a hash.

#### Base Command

`cb-unblock-hash`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5hash | The hash on the block list. | Required |
| text | Text description of the block list entry. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.LastAction | unknown | Last action taken on this file |

#### Command Example

#### Human Readable Output

### cb-unquarantine-device

Remove the endpoint from quarantine.

#### Base Command

`cb-unquarantine-device`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| sensor | The sensor ID to remove from quarantine. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.LastAction | unknown | Endpoint actions |

#### Command Example

#### Human Readable Output

### cb-version

Display the Carbon Black version.

#### Base Command

`cb-version`

#### Input

There are no input arguments for this command.

#### Context Output

There is no context output for this command.

#### Command Example

#### Human Readable Output

### cb-watchlist-del

Delete a watchlist in Carbon Black Response.

#### Base Command

`cb-watchlist-del`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist-id | Watchlist ID. | Required |

#### Context Output

There is no context output for this command.

#### Command Example

#### Human Readable Output

### cb-watchlist-get

Retrieve info for a watchlist in Carbon Black Response.

#### Base Command

`cb-watchlist-get`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist-id | Watchlist ID. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.Watchlists.LastHit | unknown | Watchlist last hit |
| CbResponse.Watchlists.TotalHits | unknown | Watchlist total hits |
| CbResponse.Watchlists.SearchQuery | unknown | Cb search query used for the watchlist. |
| CbResponse.Watchlists.Name | unknown | Watchlist name |
| CbResponse.Watchlists.Enabled | unknown | Whether the watchlist is enabled |
| CbResponse.Watchlists.LastHitCount | unknown | Watchlist last hit count |
| CbResponse.Watchlists.DateAdded | unknown | Watchlist date added |
| CbResponse.Watchlists.SearchTimestamp | unknown | Watchlist last hit count |
| CbResponse.Watchlists.CbWatchlistID | unknown | Watchlist ID |

#### Command Example

#### Human Readable Output

### cb-watchlist-new

Create a new watchlist in Carbon Black Response.

#### Base Command

`cb-watchlist-new`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search-query | The raw Carbon Black query that this watchlist matches. | Required |
| name | Name of this watchlist. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.Watchlists.LastHit | unknown | Watchlist last hit |
| CbResponse.Watchlists.TotalHits | unknown | Watchlist total hits |
| CbResponse.Watchlists.SearchQuery | unknown | Cb search query used for the watchlist. |
| CbResponse.Watchlists.Name | unknown | Watchlist name |
| CbResponse.Watchlists.Enabled | unknown | Whether the watchlist is enabled |
| CbResponse.Watchlists.LastHitCount | unknown | Watchlist last hit count |
| CbResponse.Watchlists.DateAdded | unknown | Watchlist date added |
| CbResponse.Watchlists.SearchTimestamp | unknown | Watchlist last hit count |
| CbResponse.Watchlists.CbWatchlistID | unknown | Watchlist ID |

#### Command Example

#### Human Readable Output

### cb-watchlist-set

Modify a watchlist in Carbon Black Response.

#### Base Command

`cb-watchlist-set`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| watchlist-id | Watchlist ID. | Required |
| search-query | The raw Carbon Black query that this watchlist matches. | Optional |
| name | Name of this watchlist. | Optional |
| indexType | The type of watchlist. Valid values are 'modules' and 'events' for binary and process watchlists, respectively. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

#### Human Readable Output

### cb-alert-update

Update or resolve an alert.

#### Base Command

`cb-alert-update`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uniqueId | Alert unique identifier. | Required |
| status | The updated alert status. Possible values are: Resolved, Unresolved, In Progress, False Positive. | Required |
| setIgnored | Whether to stop showing this type of alert. Possible values are: true, false. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

#### Human Readable Output

### cb-watchlist

Retrieve the watchlists in Carbon Black Response.

#### Base Command

`cb-watchlist`

#### Input

There are no input arguments for this command.

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CbResponse.Watchlists.LastHit | unknown | Watchlist last hit |
| CbResponse.Watchlists.TotalHits | unknown | Watchlist total hits |
| CbResponse.Watchlists.SearchQuery | unknown | Cb search query used for the watchlist. |
| CbResponse.Watchlists.Name | unknown | Watchlist name |
| CbResponse.Watchlists.Enabled | unknown | Whether the watchlist is enabled |
| CbResponse.Watchlists.LastHitCount | unknown | Watchlist last hit count |
| CbResponse.Watchlists.DateAdded | unknown | Watchlist date added |
| CbResponse.Watchlists.SearchTimestamp | unknown | Watchlist last hit count |
| CbResponse.Watchlists.CbWatchlistID | unknown | Watchlist ID |

#### Command Example

#### Human Readable Output

### cb-binary-download

Retrieve a binary from Carbon Black based on its hash. Returns a .zip file containing the requested file and its metadata.

#### Base Command

`cb-binary-download`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| md5 | MD5 hash of the file. | Required |
| summary | Whether to include the summary. Possible values are: yes, no. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.DigSig.Publisher | unknown | The publisher of the digital signature. |
| File.InternalName | unknown | The internal name. |
| File.ServerAddedTimestamp | unknown | The timestamp when the binary was added to the server. |
| File.Name | unknown | The binary name. |
| File.Extension | unknown | The binary extension. |
| File.Timestamp | unknown | The binary timestamp. |
| File.Hostname | unknown | The binary hostname. |
| File.Description | unknown | The binary description. |
| File.DigSig.Result | unknown | The Carbon Black decision after checking this binary's digital signature. |
| File.LastSeen | unknown | The last time the binary was seen. |
| File.Path | unknown | The binary path. |
| File.ProductName | unknown | The product name. |
| File.OS | unknown | The OS. |
| File.MD5 | unknown | The MD5 hash of the binary. |
| File.Company | unknown | Name of the company that released the binary. |
| File.DigitalSignature.Publisher | unknown | Publisher of the digital signature for the file. |
| File.Name | unknown | Full filename, for example data.xls. |
| File.Signature.OriginalName | unknown | The file's original name. |
| File.Signature.InternalName | unknown | The file's internal name. |
| File.Signature.FileVersion | unknown | The file version. |
| File.Signature.Description | unknown | The description of the signature. |

#### Command Example

#### Human Readable Output