Carbon Black Response

Version: 3.0.0

Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams.

Connect CB Response with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Carbon Black Response.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Host: Hostname of the CB Response instance.
    • API Token: API Token for your CB Response instance.
  4. After you've entered all the details, click Connect.

Actions for CB Response

Retrieve Binary

Returns the binary for the provided md5 hash.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to complete the action.

Input Name | Description | Required
Hash | md5 hash of the binary. | Required

Output

A JSON object containing file-id of the binary downloaded to LogicHub instance.


Get Watchlists

Returns all watchlists with details.

Input Field

No specific input.

Output

A JSON object with uncorrelated rows, one watchlist's details per row.


Create Watchlist

Create a new watchlist in CB Response.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to complete the action.

Input Name | Description | Required
Name | Name of the newly created watchlist. | Required
Search Query | Raw query that this watchlist should match. | Required
Watchlist Index Type | 'modules' for binary watchlists, 'events' for process watchlists. | Required

Output

A JSON object containing multiple results of action.


Update/Set Watchlist

Updates a watchlist in CB Response.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to complete the action.

Input Name | Description | Required
Watchlist ID | ID of the watchlist to update. | Required
Name | New name for the watchlist. | Required
Search Query | Updated raw query that this watchlist should match. | Required
Watchlist Index Type | 'modules' for binary watchlists, 'events' for process watchlists. | Required

Output

A JSON object containing multiple results of action.


Delete Watchlist

Delete a Watchlist from CB Response.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to complete the action.

Input Name | Description | Required
Watchlist ID | ID of the watchlist to delete. | Required

Output

A JSON object containing multiple results of action.


Get Sensors

Returns all registered sensors with details.

Input Field

No specific input.

Output

A JSON object with uncorrelated rows, one sensor's details per row.


Search Sensors

Returns all sensors matching the search-filter criteria with details.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to complete the action.

Input Name | Description | Required
Search Filter | JSON search query used to filter sensors. | Required

Output

A JSON object with one row per sensor that satisfies the filter criteria, with that sensor's details.
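The actions above (Retrieve Binary, Get/Create/Update/Delete Watchlist, Get/Search Sensors) are thin wrappers over CB Response REST calls, and the input fields map directly onto request parameters. The client below is an added example, not LogicHub's or Carbon Black's code: it builds and validates the request for each action the way a playbook author would want before dispatching it. It assumes the CB Response REST API paths /api/v1/binary/<md5>, /api/v1/watchlist[/<id>] and /api/v1/sensor and the X-Auth-Token header; the watchlist query-string format, the host cb.example.com, the token and the sensor names are constructed sample values. Check the paths against your server's API documentation before relying on them.

```python
"""Minimal CB Response client mirroring the LogicHub actions (added example).

Assumptions (verify against your server's API docs): REST paths
/api/v1/binary/<md5>, /api/v1/watchlist[/<id>], /api/v1/sensor and the
X-Auth-Token header. All sample values below are constructed.
"""
import json
import re
import ssl
import urllib.request
from urllib.parse import urlencode

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
INDEX_TYPES = ("modules", "events")  # binary and process watchlists, respectively


def build_request(action, host, token, **params):
    """Validate the action's inputs and return (method, url, headers, body).

    Validation runs before the URL is assembled so that a playbook field
    holding unexpected text cannot alter the request path.
    """
    base = f"https://{host}/api/v1"
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}

    if action == "retrieve_binary":
        md5 = params["hash"]
        if not MD5_RE.match(md5):
            raise ValueError(f"not an md5 hash: {md5!r}")
        return "GET", f"{base}/binary/{md5.lower()}", headers, None

    if action == "get_watchlists":
        return "GET", f"{base}/watchlist", headers, None

    if action in ("create_watchlist", "update_watchlist"):
        index_type = params["index_type"]
        if index_type not in INDEX_TYPES:
            raise ValueError(f"index_type must be one of {INDEX_TYPES}")
        body = json.dumps({"name": params["name"],
                           "search_query": params["search_query"],
                           "index_type": index_type})
        if action == "create_watchlist":
            return "POST", f"{base}/watchlist", headers, body
        wid = int(params["watchlist_id"])  # reject non-numeric IDs
        return "PUT", f"{base}/watchlist/{wid}", headers, body

    if action == "delete_watchlist":
        wid = int(params["watchlist_id"])
        return "DELETE", f"{base}/watchlist/{wid}", headers, None

    if action == "get_sensors":
        return "GET", f"{base}/sensor", headers, None

    if action == "search_sensors":
        filt = params["search_filter"]
        if isinstance(filt, str):
            filt = json.loads(filt)
        if not isinstance(filt, dict):
            raise ValueError("search_filter must be a JSON object")
        return "GET", f"{base}/sensor?{urlencode(filt)}", headers, None

    raise ValueError(f"unknown action {action!r}")


def to_rows(payload, keys):
    """Flatten a JSON list response into one dict per item, keeping only
    the requested keys (the integration's 'uncorrelated rows' shape)."""
    return [{k: item.get(k) for k in keys} for item in payload]


def send(method, url, headers, body, verify_ssl=True):
    """Perform the HTTP call. verify_ssl=False mirrors the integration's
    'Verify SSL' option being turned off; leave it True unless you have a
    specific reason (for example, a lab server with a self-signed cert)."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = body.encode() if body else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed demo inputs; only the request is built, nothing is sent.
    specs = [
        build_request("create_watchlist", "cb.example.com", "TOKEN",
                      name="PowerShell launches",
                      search_query="q=process_name:powershell.exe&cb.urlver=1",
                      index_type="events"),
        build_request("search_sensors", "cb.example.com", "TOKEN",
                      search_filter='{"hostname": "WS-01"}'),
    ]
    for method, url, _, body in specs:
        print(method, url, body or "")
```

Each action's validation (md5 shape, integer watchlist ID, a JSON object for the sensor filter, a known index type) happens before the URL is built, so a mistyped playbook field fails loudly instead of producing an odd request. The watchlist search_query is passed through verbatim, as the action's "Raw query" field implies; its exact syntax is server-defined.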


Release Notes

  • v3.0.0 - Updated architecture to support IO via filesystem

© Devo Technology Inc. All Rights Reserved.