Carbon Black Response v2

Version: 2.0.0

Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams. Version 2 of this integration is built against the latest version of the Carbon Black Response API.

Connect CB Response with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Carbon Black Response.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Host: Hostname of the CB Response instance.
    • API Token: API Token for your CB Response instance.
    • Org Key: Org Key for your CB Response instance.
  4. After you've entered all the details, click Connect.

Actions for CB Response

Device Background Scan

Perform Background Scan on device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required
Toggle | Select toggle for device (Default is 'ON') | Optional

Output

A JSON object returning the status of the request.

{
	"Success": true,
	"Response Code": 204,
	"error": null,
	"has_error": false
}

Device Quarantine (Deprecated)

Perform Quarantine action on device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required
Toggle | Select toggle for device (Default is 'ON') | Optional

Output

A JSON object returning the status of the request.

{
	"Success": true,
	"Response Code": 204,
	"error": null,
	"has_error": false
}

Device Quarantine V2

Perform Quarantine action on device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required
Toggle | Jinja-templated text for toggle value for device (Default is 'ON') | Optional

Output

A JSON object returning the status of the request.

{
	"Success": true,
	"Response Code": 204,
	"error": null,
	"has_error": false
}

Reputation Add File (Deprecated)

Add file to Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Override List | Name of the Override List. | Required
Reputation Description | The description of Reputation. | Required
SHA256 Hash | A hexadecimal string of length 64 characters representing the SHA-256 hash of the application. | Required
Filename | A filename for the hash. | Required

Output

A JSON object returning the status of the request.

{
	"created_by": "abc123",
	"source": "APP",
	"source_ref": null,
	"description": "Test",
	"override_list": "BLACK_LIST",
	"has_error": false,
	"id": "123456abcdef",
	"error": null,
	"filename": "test.exe",
	"sha256_hash": "abcdefgh12345677",
	"override_type": "SHA256",
	"create_time": "2022-01-31T06:36:05.196Z"
}

Reputation Add File V2 (Deprecated)

Add file to Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Override List | Name of the Override List. | Required
Reputation Description | The description of Reputation. | Optional
Override Type | Select Override Type for the Reputation. Default is SHA256. | Optional
Override Type Required Field | Required field relative to override type. In case the override type is SHA256, enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT, enter the name of the signer for the application. In case the override type is IT_TOOL, enter the path to the file or directory where the IT tool(s) exist on disk (the path may include wildcards). | Required
Filename | A filename for the hash. (Additional field when override_type is SHA256) | Optional
Certificate Authority | Certificate authority that authorizes the validity of the certificate. (Additional field when override_type is CERT) | Optional
Include Child Processes | Boolean value to include the tool's child processes on the approved list. (Additional field when override_type is IT_TOOL) | Optional

Output

A JSON object returning the status of the request.

{
	"created_by": "abc123",
	"source": "APP",
	"source_ref": null,
	"description": "Test",
	"override_list": "BLACK_LIST",
	"has_error": false,
	"id": "123456abcdef",
	"error": null,
	"filename": "test.exe",
	"sha256_hash": "abcdefgh12345677",
	"override_type": "SHA256",
	"create_time": "2022-01-31T06:36:05.196Z"
}

Reputation Add File

Add file to Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Override List | Jinja-templated text containing the name of the Override List. Currently BLACK_LIST and WHITE_LIST are supported. | Required
Reputation Description | Jinja-templated text containing the description of Reputation. | Optional
Override Type | Jinja-templated text containing the Override Type for the Reputation. Currently SHA256, CERT and IT_TOOL are supported (Default is SHA256). | Optional
Override Type Required Field | Jinja-templated text containing the required field relative to override type. In case the override type is SHA256, enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT, enter the name of the signer for the application. In case the override type is IT_TOOL, enter the path to the file or directory where the IT tool(s) exist on disk (the path may include wildcards). | Required
Filename | Jinja-templated text containing the filename for the hash. (Additional field when override_type is SHA256) | Optional
Certificate Authority | Jinja-templated text containing the Certificate authority that authorizes the validity of the certificate. (Additional field when override_type is CERT) | Optional
Include Child Processes | Jinja-templated text containing the Boolean value to include the tool's child processes on the approved list. (Additional field when override_type is IT_TOOL) (Default value is True) | Optional

Output

A JSON object returning the status of the request.

{
	"created_by": "abc123",
	"source": "APP",
	"source_ref": null,
	"description": "Test",
	"override_list": "BLACK_LIST",
	"has_error": false,
	"id": "123456abcdef",
	"error": null,
	"filename": "test.exe",
	"sha256_hash": "abcdefgh12345677",
	"override_type": "SHA256",
	"create_time": "2022-01-31T06:36:05.196Z"
}
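The three override types above each expect a different value in the Override Type Required Field, and only SHA256 values can be checked for shape before the request is sent. The following is an added example, not LogicHub's or Carbon Black's own code: it validates the inputs as the table describes and assembles the request body. The JSON keys override_list, override_type, description, sha256_hash and filename match the output above; the keys used for the CERT and IT_TOOL variants (signed_by, certificate_authority, path, include_child_processes) are assumptions.

```python
import re

# Allowed values taken from the Reputation Add File input table.
VALID_LISTS = {"BLACK_LIST", "WHITE_LIST"}
VALID_TYPES = {"SHA256", "CERT", "IT_TOOL"}
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def is_valid_sha256(value: str) -> bool:
    """True only for a 64-character hexadecimal string (a full SHA-256 digest)."""
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def build_reputation_override(override_list, required_field, override_type="SHA256",
                              description="", filename=None,
                              certificate_authority=None, include_child_processes=True):
    """Validate Reputation Add File inputs and return the request body as a dict.

    Raises ValueError on anything the action would reject, so a playbook can
    fail fast instead of creating a malformed override.
    """
    if override_list not in VALID_LISTS:
        raise ValueError(f"override_list must be one of {sorted(VALID_LISTS)}")
    if override_type not in VALID_TYPES:
        raise ValueError(f"override_type must be one of {sorted(VALID_TYPES)}")

    body = {"override_list": override_list, "override_type": override_type,
            "description": description}

    if override_type == "SHA256":
        # A truncated or non-hex value would never match a real file hash.
        if not is_valid_sha256(required_field):
            raise ValueError("SHA256 override needs a 64-character hex hash")
        body["sha256_hash"] = required_field.lower()
        if filename:
            body["filename"] = filename
    elif override_type == "CERT":
        # Assumed key names for the signer and its issuing authority.
        body["signed_by"] = required_field
        if certificate_authority:
            body["certificate_authority"] = certificate_authority
    else:  # IT_TOOL: a path (wildcards allowed) plus the child-process flag
        body["path"] = required_field
        body["include_child_processes"] = bool(include_child_processes)
    return body
```

Note that the sha256_hash values shown in the sample outputs on this page are illustrative placeholders, not 64-character hashes, and this check would reject them.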

Reputation Delete File

Delete file of Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Reputation Id | Jinja-templated text containing the Id of the Reputation. | Required

Output

A JSON object returning the status of the request.

{
	"Response Code": 204,
	"has_error": false,
	"Response Text": "Successfully deleted resource override",
	"error": null,
	"Success": true
}

Search Reputation Overrides

Search Reputation Overrides.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Override List | Jinja-templated text containing the override list. | Optional
Override Type | Jinja-templated text containing the override type. | Optional
Query | Jinja-templated text containing the query in Lucene syntax and/or including value searches. | Optional
Rows | Jinja-templated text for pagination: how many results to return. | Optional
Start | Jinja-templated text for pagination: where to start retrieving results from. | Optional
Sort Field | Jinja-templated text containing the field to sort on. | Optional
Sort Order | Jinja-templated text containing the direction to sort by. | Optional

Output

A JSON object returning the status of the request.

{
  "result": {
    "num_found": 2,
    "results": [
      {
        "id": "0202216556bb95d0bb43b594f",
        "created_by": "NKVPZ3SN",
        "create_time": "2021-12-06T04:21:39.284Z",
        "override_list": "WHITE_LIST",
        "override_type": "SHA256",
        "description": "Block this hash",
        "source": "APP",
        "source_ref": null,
        "sha256_hash": "5434a2f58ecc07d2f75ea314fc7b8b58d76e39d8d98d1e05a3",
        "filename": null
      },
      {
        "id": "b67ccb1f5220154243e58c2",
        "created_by": "NKVCHPZ3SN",
        "create_time": "2021-12-01T10:30:32.701Z",
        "override_list": "WHITE_LIST",
        "override_type": "SHA256",
        "description": "",
        "source": "APP",
        "source_ref": null,
        "sha256_hash": "e2daf2e1dfd4b78280511f4745dc4e4852ee1a44d280b98b5",
        "filename": null
      }
    ],
    "error": null,
    "has_error": false
  },
  "stdout": "",
  "stderr": "",
  "start_node": ""
}

Search Devices

Search Devices on Carbon Black instance.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Criteria | Jinja-templated text containing the Criteria. A Criteria is an object that represents values that must be in the results, in JSON format. Example: {"os": ["WINDOWS"]} | Optional
Exclusions | Jinja-templated text containing the Exclusions. The Exclusions is a map that represents values that must not be in the results, in JSON format. Example: {"sensorVersion": ["windows:1.0.0"]} | Optional
Query | Jinja-templated text containing the query in Lucene syntax and/or including value searches. | Optional
Rows | Jinja-templated value for the number of rows to return. (Default is 20) | Optional
Start | Jinja-templated value for the row to begin returning results from. (Default is 0) | Optional
Sort Field | Jinja-templated text containing the field to sort on. Example: 'policyName'. (Default is null) | Optional
Sort Order | Jinja-templated text containing the direction to sort by. Supports 'asc' or 'desc'. (Default is 'asc') | Optional

Output

A JSON object returning the status of the request.

{
	"num_found": 977,
	"results": [{
		"activation_code": "CIG28U",
		"activation_code_expiry_time": "2019-05-10T21:12:52.697Z",
		"ad_group_id": 0,
		"appliance_name": null,
		"appliance_uuid": null,
		"auto_scaling_group_name": null,
		"av_ave_version": null,
		"av_engine": null,
		"av_last_scan_time": null,
		"av_master": false,
		"av_pack_version": null,
		"av_product_version": null,
		"av_status": null,
		"av_update_servers": null,
		"av_vdf_version": null,
		"base_device": null,
		"cloud_provider_account_id": null,
		"cloud_provider_resource_id": null,
		"cloud_provider_tags": null,
		"cluster_name": null,
		"current_sensor_policy_name": null,
		"datacenter_name": null,
		"deployment_type": "ENDPOINT",
		"deregistered_time": null,
		"device_meta_data_item_list": [],
		"device_owner_id": 361641,
		"email": "[email protected]",
		"encoded_activation_code": "ENUYH5W3019",
		"esx_host_name": null,
		"esx_host_uuid": null,
		"first_name": null,
		"golden_device": null,
		"golden_device_id": null,
		"host_based_firewall_failure_reason": null,
		"host_based_firewall_status": null,
		"id": 167070478,
		"last_contact_time": null,
		"last_device_policy_changed_time": "2021-01-29T18:50:03.041Z",
		"last_device_policy_requested_time": null,
		"last_external_ip_address": null,
		"last_internal_ip_address": null,
		"last_location": null,
		"last_name": null,
		"last_policy_updated_time": "2022-05-18T09:33:54.526Z",
		"last_reported_time": null,
		"last_reset_time": null,
		"last_shutdown_time": null,
		"linux_kernel_version": null,
		"login_user_name": null,
		"mac_address": null,
		"middle_name": null,
		"name": null,
		"nsx_distributed_firewall_policy": null,
		"nsx_enabled": null,
		"organization_id": 1105,
		"organization_name": "cb-internal-alliances.com",
		"os": "OTHER",
		"os_version": null,
		"passive_mode": false,
		"policy_id": 6525,
		"policy_name": "default",
		"policy_override": true,
		"quarantined": false,
		"registered_time": null,
		"scan_last_action_time": null,
		"scan_last_complete_time": null,
		"scan_status": null,
		"sensor_kit_type": "OTHER",
		"sensor_out_of_date": false,
		"sensor_pending_update": false,
		"sensor_states": null,
		"sensor_version": null,
		"status": "PENDING",
		"target_priority": "MEDIUM",
		"uninstall_code": null,
		"vcenter_host_url": null,
		"vcenter_name": null,
		"vcenter_uuid": null,
		"vdi_base_device": null,
		"virtual_machine": false,
		"virtual_private_cloud_id": null,
		"virtualization_provider": null,
		"vm_ip": null,
		"vm_name": null,
		"vm_uuid": null,
		"vulnerability_score": 0,
		"vulnerability_severity": null,
		"windows_platform": null
	}],
	"error": null,
	"has_error": false
}
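Search Devices returns one page of Rows results at a time, so a playbook that needs every match has to advance Start until num_found devices have been collected. The following is an added example, not LogicHub's or Carbon Black's own code: it pages through results using the Rows/Start semantics above, stops on has_error, and then picks out devices that are not quarantined but run an out-of-date sensor. The search function and sample pages are constructed stand-ins for the action and its output, keeping only the output fields the example uses.

```python
import json

# Constructed sample pages shaped like the Search Devices output (trimmed to
# the fields used below). Keyed by the Start value that returns them.
SAMPLE_PAGES = {
    0: {"num_found": 3, "error": None, "has_error": False, "results": [
        {"id": 167070478, "name": "ws-01", "quarantined": False, "sensor_out_of_date": True},
        {"id": 167070479, "name": "ws-02", "quarantined": True, "sensor_out_of_date": False}]},
    2: {"num_found": 3, "error": None, "has_error": False, "results": [
        {"id": 167070480, "name": "srv-01", "quarantined": False, "sensor_out_of_date": True}]},
}


def fake_search_devices(criteria_json, exclusions_json, rows, start):
    """Stand-in for the Search Devices action; the real action takes the
    Criteria and Exclusions as Jinja-templated JSON text, as here."""
    json.loads(criteria_json)  # would fail early on malformed criteria
    json.loads(exclusions_json)
    empty = {"num_found": 3, "error": None, "has_error": False, "results": []}
    return SAMPLE_PAGES.get(start, empty)


def search_all_devices(search, criteria=None, exclusions=None, rows=20):
    """Collect every device by advancing Start by the page size until
    num_found is reached. `search` has the signature of fake_search_devices."""
    criteria_json = json.dumps(criteria or {})
    exclusions_json = json.dumps(exclusions or {})
    start, collected = 0, []
    while True:
        page = search(criteria_json, exclusions_json, rows, start)
        if page.get("has_error"):
            raise RuntimeError(f"Search Devices failed: {page.get('error')}")
        results = page.get("results", [])
        collected.extend(results)
        start += len(results)
        # An empty page guards against looping forever if num_found is stale.
        if not results or start >= page.get("num_found", 0):
            return collected


def stale_unquarantined(devices):
    """Device ids that are exposed: sensor out of date and not quarantined."""
    return sorted(d["id"] for d in devices
                  if d.get("sensor_out_of_date") and not d.get("quarantined"))


if __name__ == "__main__":
    found = search_all_devices(fake_search_devices, criteria={"os": ["WINDOWS"]}, rows=2)
    print(stale_unquarantined(found))
```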

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.5.1 - Added new action Search Devices.
  • v1.4.0 - Added new action Device Quarantine V2 and deprecated the Device Quarantine.
  • v1.3.0 - Added new action Search Reputation Overrides.
  • v1.2.6 - Deprecated the Reputation Add File V2 action and added Reputation Add File action as the inputs are changed to jinja template.
  • v1.2.2 - Updated connection procedure.
  • v1.2.0 - Added Reputation delete file action.
  • v1.1.1 - Added Reputation add file v2 action and deprecated old version.
  • v1.0.3 - Added three actions to Carbon Black v6 api.