Carbon Black Response

Version: 2.0.0

Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams.

Connect CB Response with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Carbon Black Response.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Host: Hostname of the CB Response instance.
    • API Token: API Token for your CB Response instance.
  4. After you've entered all the details, click Connect.

Actions for CB Response

Retrieve Binary

Returns the binary for the provided md5 hash.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Hash

md5 hash of binary.

Required

Output

A JSON object containing file-id of the binary downloaded to LogicHub instance.

596596

Get Watchlists

Returns all watchlists with details.

Input Field

No specific input.

Output

A JSON object with uncorrelated rows, each with a watchlist details per row.

659659

Create Watchlist

Create a new watchlist in CB Response.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Name

Name of the newly created watchlist.

Required

Search Query

Raw query that this watchlist should match.

Required

Watchlist Index Type

'modules' and 'events' for binary and process watchlists, respectively.

Required

Output

A JSON object containing multiple results of action.

673673

Update/Set Watchlist

Updates a watchlist in CB Response.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Watchlist ID

Watchlist ID that needs to be updated.

Required

Name

New name to update watchlist.

Required

Search Query

An updated raw query that this watchlist should match.

Required

Watchlist Index Type

'modules' and 'events' for binary and process watchlists, respectively.

Required

Output

A JSON object containing multiple results of action.

668668

Delete Watchlist

Delete a Watchlist from CB Response.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Watchlist ID

Watchlist ID that needs to be updated.

Required

Output

A JSON object containing multiple results of action.

658658

Get Sensors

Returns all registered sensors with details.

Input Field

No specific input.

Output

A JSON object with uncorrelated rows, each with a sensor details per row.

672672

Search Sensors

Returns all sensors matching the search-filter criteria with details.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Search Filter

JSON search-query to filter sensors.

Required

Output

A JSON object containing each sensor with details satisfying the filtering criteria per row.

667667

Did this page help you?
© 2017-2021 LogicHub®. All Rights Reserved.