Carbon Black Response
Version: 3.0.0
Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams.
Connect CB Response with LogicHub
- Navigate to Automations > Integrations.
- Search for Carbon Black Response.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Host: Hostname of the CB Response instance.
- API Token: API Token for your CB Response instance.
- After you've entered all the details, click Connect.
Actions for CB Response
Retrieve Binary
Returns the binary for the provided MD5 hash.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Hash | MD5 hash of the binary. | Required |
Output
A JSON object containing the file-id of the binary downloaded to the LogicHub instance.
Get Watchlists
Returns all watchlists with details.
Input Field
No specific input.
Output
A JSON object with uncorrelated rows, each row holding the details of one watchlist.
Create Watchlist
Create a new watchlist in CB Response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Name of the newly created watchlist. | Required |
Search Query | Raw query that this watchlist should match. | Required |
Watchlist Index Type | 'modules' and 'events' for binary and process watchlists, respectively. | Required |
Output
A JSON object containing multiple results of the action.
Update/Set Watchlist
Updates a watchlist in CB Response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Watchlist ID | Watchlist ID that needs to be updated. | Required |
Name | New name to update watchlist. | Required |
Search Query | An updated raw query that this watchlist should match. | Required |
Watchlist Index Type | 'modules' and 'events' for binary and process watchlists, respectively. | Required |
Output
A JSON object containing multiple results of the action.
Delete Watchlist
Delete a Watchlist from CB Response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Watchlist ID | Watchlist ID that needs to be deleted. | Required |
Output
A JSON object containing multiple results of the action.
Get Sensors
Returns all registered sensors with details.
Input Field
No specific input.
Output
A JSON object with uncorrelated rows, each row holding the details of one sensor.
Search Sensors
Returns all sensors matching the search-filter criteria with details.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Search Filter | JSON search-query to filter sensors. | Required |
Output
A JSON object with one row per sensor that satisfies the filtering criteria, each row holding that sensor's details.
Release Notes
v3.0.0
- Updated architecture to support IO via filesystem