Carbon Black Response v2
Version: 2.0.0
Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams. Version 2 of this integration is built against the latest version of the Carbon Black Response API.
Connect CB Response with LogicHub
- Navigate to Automations > Integrations.
- Search for Carbon Black Response.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Host: Hostname of the CB Response instance.
- API Token: API Token for your CB Response instance.
- Org Key: Org Key for your CB Response instance.
- After you've entered all the details, click Connect.
Actions for CB Response
Device Background Scan
Perform Background Scan on device.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
Toggle | Select toggle for device (Default is 'ON') | Optional |
Output
A JSON object returning the status of the request.
{
"Success": true,
"Response Code": 204,
"error": null,
"has_error": false
}
Device Quarantine (Deprecated)
Perform Quarantine action on device.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
Toggle | Select toggle for device (Default is 'ON') | Optional |
Output
A JSON object returning the status of the request.
{
"Success": true,
"Response Code": 204,
"error": null,
"has_error": false
}
Device Quarantine V2
Perform Quarantine action on device.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
Toggle | Jinja-templated text for toggle value for device (Default is 'ON') | Optional |
Output
A JSON object returning the status of the request.
{
"Success": true,
"Response Code": 204,
"error": null,
"has_error": false
}
Reputation Add File (Deprecated)
Add file to Reputation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Override List | Name of the Override List. | Required |
Reputation Description | The description of Reputation. | Required |
SHA256 Hash | A hexadecimal string of length 64 characters representing the SHA-256 hash of the application. | Required |
Filename | A filename for the hash. | Required |
Output
A JSON object returning the status of the request.
{
"created_by": "abc123",
"source": "APP",
"source_ref": null,
"description": "Test",
"override_list": "BLACK_LIST",
"has_error": false,
"id": "123456abcdef",
"error": null,
"filename": "test.exe",
"sha256_hash": "abcdefgh12345677",
"override_type": "SHA256",
"create_time": "2022-01-31T06:36:05.196Z"
}
Reputation Add File V2 (Deprecated)
Add file to Reputation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Override List | Name of the Override List. | Required |
Reputation Description | The description of Reputation. | Optional |
Override Type | Select Override Type for the Reputation. Default is SHA256 | Optional |
Override Type Required Field | Required field relative to override type. In case the override type is SHA256 then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT then enter the name of the signer for the application. In case the override type is IT_TOOL then enter the path to the file or directory where the IT tool(s) exist on disk (Path may include wildcards). | Required |
Filename | A filename for the hash. (Additional fields when override_type is SHA256) | Optional |
Certificate Authority | Certificate authority that authorizes the validity of the certificate. (Additional fields when override_type is CERT) | Optional |
Include Child Processes | Boolean value to include tool's child processes on approved list. (Additional fields when override_type is IT_TOOL) | Optional |
Output
A JSON object returning the status of the request.
{
"created_by": "abc123",
"source": "APP",
"source_ref": null,
"description": "Test",
"override_list": "BLACK_LIST",
"has_error": false,
"id": "123456abcdef",
"error": null,
"filename": "test.exe",
"sha256_hash": "abcdefgh12345677",
"override_type": "SHA256",
"create_time": "2022-01-31T06:36:05.196Z"
}
Reputation Add File
Add file to Reputation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Override List | Jinja-templated text containing the name of the Override List. Currently BLACK_LIST and WHITE_LIST are supported. | Required |
Reputation Description | Jinja-templated text containing the description of Reputation. | Optional |
Override Type | Jinja-templated text containing the Override Type for the Reputation. Currently SHA256, CERT and IT_TOOL are supported (Default is SHA256). | Optional |
Override Type Required Field | Jinja-templated text containing the Required field relative to override type. In case the override type is SHA256 then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT then enter the name of the signer for the application. In case the override type is IT_TOOL then enter the path to the file or directory where the IT tool(s) exist on disk (Path may include wildcards). | Required |
Filename | Jinja-templated text containing the filename for the hash. (Additional fields when override_type is SHA256) | Optional |
Certificate Authority | Jinja-templated text containing the Certificate authority that authorizes the validity of the certificate. (Additional fields when override_type is CERT) | Optional |
Include Child Processes | Jinja-templated text containing the Boolean value to include tool's child processes on approved list. (Additional fields when override_type is IT_TOOL) (Default value is True) | Optional |
Output
A JSON object returning the status of the request.
{
"created_by": "abc123",
"source": "APP",
"source_ref": null,
"description": "Test",
"override_list": "BLACK_LIST",
"has_error": false,
"id": "123456abcdef",
"error": null,
"filename": "test.exe",
"sha256_hash": "abcdefgh12345677",
"override_type": "SHA256",
"create_time": "2022-01-31T06:36:05.196Z"
}
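As an added example (not LogicHub's or Carbon Black's own code), the following Python builds the request body for the Reputation Add File action from the documented inputs and enforces the page's rules for the override-type-specific required field. Keys for the SHA256 case follow the sample output above; signed_by, certificate_authority, path and include_child_processes are assumed key names.

```python
import re

# Added example, not LogicHub's or Carbon Black's own code. Builds the request
# body for the Reputation Add File action and enforces the documented rules:
# BLACK_LIST/WHITE_LIST, SHA256/CERT/IT_TOOL, and the per-type required field.
# Keys for the SHA256 case match the sample output on this page; "signed_by",
# "certificate_authority", "path" and "include_child_processes" are assumed names.

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
OVERRIDE_LISTS = ("BLACK_LIST", "WHITE_LIST")
OVERRIDE_TYPES = ("SHA256", "CERT", "IT_TOOL")


def is_valid_sha256(text):
    """True only for a 64-character hexadecimal string."""
    return isinstance(text, str) and SHA256_RE.match(text) is not None


def build_reputation_override(override_list, required_field, override_type="SHA256",
                              description=None, filename=None,
                              certificate_authority=None, include_child_processes=True):
    """Return the request body as a dict, raising ValueError on invalid input."""
    if override_list not in OVERRIDE_LISTS:
        raise ValueError(f"override_list must be one of {OVERRIDE_LISTS}")
    if override_type not in OVERRIDE_TYPES:
        raise ValueError(f"override_type must be one of {OVERRIDE_TYPES}")
    body = {"override_list": override_list, "override_type": override_type}
    if description:
        body["description"] = description
    if override_type == "SHA256":
        # Rejects placeholders such as "abcdefgh12345677": must be 64 hex characters.
        if not is_valid_sha256(required_field):
            raise ValueError("SHA256 override needs a 64-character hexadecimal hash")
        body["sha256_hash"] = required_field.lower()
        if filename:
            body["filename"] = filename
    elif override_type == "CERT":
        if not required_field:
            raise ValueError("CERT override needs the signer name")
        body["signed_by"] = required_field  # assumed key name
        if certificate_authority:
            body["certificate_authority"] = certificate_authority  # assumed key name
    else:  # IT_TOOL
        if not required_field:
            raise ValueError("IT_TOOL override needs a file or directory path")
        body["path"] = required_field  # assumed key name
        body["include_child_processes"] = bool(include_child_processes)  # assumed key name
    return body


if __name__ == "__main__":
    print(build_reputation_override("BLACK_LIST", "a" * 64, description="Test", filename="test.exe"))
```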
Reputation Delete File
Delete file of Reputation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Reputation Id | Jinja-templated text containing the Id of the Reputation. | Required |
Output
A JSON object returning the status of the request.
{
"Response Code": 204,
"has_error": false,
"Response Text": "Successfully deleted resource override",
"error": null,
"Success": true
}
Search Reputation Overrides
Search Reputation Overrides.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Override List | Jinja-templated text containing the override list. | Optional |
Override Type | Jinja-templated text containing the override type. | Optional |
Query | Jinja-templated text containing the query in lucene syntax and/or including value searches. | Optional |
Rows | Jinja-templated text for pagination, how many results to return. | Optional |
Start | Jinja-templated text for pagination, where to start retrieving results from. | Optional |
Sort Field | Jinja-templated text containing the field to sort on. | Optional |
Sort Order | Jinja-templated text containing the direction to sort by. | Optional |
Output
A JSON object returning the status of the request.
{
"result": {
"num_found": 2,
"results": [
{
"id": "0202216556bb95d0bb43b594f",
"created_by": "NKVPZ3SN",
"create_time": "2021-12-06T04:21:39.284Z",
"override_list": "WHITE_LIST",
"override_type": "SHA256",
"description": "Block this hash",
"source": "APP",
"source_ref": null,
"sha256_hash": "5434a2f58ecc07d2f75ea314fc7b8b58d76e39d8d98d1e05a3",
"filename": null
},
{
"id": "b67ccb1f5220154243e58c2",
"created_by": "NKVCHPZ3SN",
"create_time": "2021-12-01T10:30:32.701Z",
"override_list": "WHITE_LIST",
"override_type": "SHA256",
"description": "",
"source": "APP",
"source_ref": null,
"sha256_hash": "e2daf2e1dfd4b78280511f4745dc4e4852ee1a44d280b98b5",
"filename": null
}
],
"error": null,
"has_error": false
},
"stdout": "",
"stderr": "",
"start_node": ""
}
Search Devices
Search Devices on Carbon Black instance.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Criteria | Jinja-templated text containing the Criteria. A Criteria is an object that represents values that must be in the results in JSON format. Example {"os": ["WINDOWS"]} | Optional |
Exclusions | Jinja-templated text containing the Exclusions. Exclusions is a map that represents values that must not be in the results, in JSON format. Example {"sensorVersion": ["windows:1.0.0"]} | Optional |
Query | Jinja-templated text containing query in lucene syntax and/or including value searches. | Optional |
Rows | Jinja-templated value for number of rows to return. (Default is 20) | Optional |
Start | Jinja-templated value for the row to begin returning results from. (Default is 0) | Optional |
Sort Field | Jinja-templated text containing the field to sort on. Example 'policyName'. (Default is null) | Optional |
Sort Order | Jinja-templated text containing the direction to sort by. Supports 'asc' or 'desc'. (Default is 'asc') | Optional |
Output
A JSON object returning the status of the request.
{
"num_found": 977,
"results": [{
"activation_code": "CIG28U",
"activation_code_expiry_time": "2019-05-10T21:12:52.697Z",
"ad_group_id": 0,
"appliance_name": null,
"appliance_uuid": null,
"auto_scaling_group_name": null,
"av_ave_version": null,
"av_engine": null,
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": null,
"av_product_version": null,
"av_status": null,
"av_update_servers": null,
"av_vdf_version": null,
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_resource_id": null,
"cloud_provider_tags": null,
"cluster_name": null,
"current_sensor_policy_name": null,
"datacenter_name": null,
"deployment_type": "ENDPOINT",
"deregistered_time": null,
"device_meta_data_item_list": [],
"device_owner_id": 361641,
"email": "[email protected]",
"encoded_activation_code": "ENUYH5W3019",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"host_based_firewall_failure_reason": null,
"host_based_firewall_status": null,
"id": 167070478,
"last_contact_time": null,
"last_device_policy_changed_time": "2021-01-29T18:50:03.041Z",
"last_device_policy_requested_time": null,
"last_external_ip_address": null,
"last_internal_ip_address": null,
"last_location": null,
"last_name": null,
"last_policy_updated_time": "2022-05-18T09:33:54.526Z",
"last_reported_time": null,
"last_reset_time": null,
"last_shutdown_time": null,
"linux_kernel_version": null,
"login_user_name": null,
"mac_address": null,
"middle_name": null,
"name": null,
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": 1105,
"organization_name": "cb-internal-alliances.com",
"os": "OTHER",
"os_version": null,
"passive_mode": false,
"policy_id": 6525,
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": null,
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_kit_type": "OTHER",
"sensor_out_of_date": false,
"sensor_pending_update": false,
"sensor_states": null,
"sensor_version": null,
"status": "PENDING",
"target_priority": "MEDIUM",
"uninstall_code": null,
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"virtual_machine": false,
"virtual_private_cloud_id": null,
"virtualization_provider": null,
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 0,
"vulnerability_severity": null,
"windows_platform": null
}],
"error": null,
"has_error": false
}
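As an added example (not LogicHub's or Carbon Black's own code), this Python parses the Criteria and Exclusions inputs of the Search Devices action the way the page describes them (JSON objects whose values are lists of required or forbidden values) and applies that semantics locally to constructed device records shaped like the sample output, so a filter can be sanity-checked before it is sent.

```python
import json

# Added example, not LogicHub's or Carbon Black's own code. Parses the Criteria
# and Exclusions inputs of the Search Devices action (JSON objects whose values
# are lists) and applies their documented meaning locally: every criteria field
# must hold one of the listed values, and no exclusion field may.


def parse_filter(name, text):
    """Parse a rendered JSON string into {field: [values]}; empty means no filter."""
    if not text or not text.strip():
        return {}
    obj = json.loads(text)  # raises json.JSONDecodeError on malformed input
    if not isinstance(obj, dict) or not all(isinstance(v, list) for v in obj.values()):
        raise ValueError(f"{name} must be a JSON object whose values are lists")
    return obj


def device_matches(device, criteria, exclusions):
    """True when every criteria field holds one of its values and no exclusion does."""
    for field, allowed in criteria.items():
        if device.get(field) not in allowed:
            return False
    for field, forbidden in exclusions.items():
        if device.get(field) in forbidden:
            return False
    return True


def filter_devices(devices, criteria_text=None, exclusions_text=None):
    """Apply Criteria/Exclusions strings to a list of device records."""
    crit = parse_filter("Criteria", criteria_text)
    excl = parse_filter("Exclusions", exclusions_text)
    return [d for d in devices if device_matches(d, crit, excl)]


# Constructed device records using field names from the sample output above.
SAMPLE_DEVICES = [
    {"id": 167070478, "os": "OTHER", "policy_name": "default", "quarantined": False, "sensor_version": None},
    {"id": 1, "os": "WINDOWS", "policy_name": "default", "quarantined": True, "sensor_version": "windows:1.0.0"},
    {"id": 2, "os": "WINDOWS", "policy_name": "servers", "quarantined": False, "sensor_version": "windows:3.8.0"},
]

if __name__ == "__main__":
    hits = filter_devices(SAMPLE_DEVICES, '{"os": ["WINDOWS"]}', '{"sensor_version": ["windows:1.0.0"]}')
    print([d["id"] for d in hits])  # [2]
```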
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem.
v1.5.1
- Added new action Search Devices.
v1.4.0
- Added new action Device Quarantine V2 and deprecated the Device Quarantine action.
v1.3.0
- Added new action Search Reputation Overrides.
v1.2.6
- Deprecated the Reputation Add File V2 action and added the Reputation Add File action, as the inputs are changed to Jinja template.
v1.2.2
- Updated connection procedure.
v1.2.0
- Added Reputation delete file action.
v1.1.1
- Added Reputation add file v2 action and deprecated old version.
v1.0.3
- Added three actions to Carbon Black v6 api.