VMware CarbonBlack Cloud Enterprise EDR 1.0.0
App Vendor: VMware
App Category: Endpoint Detection and Response
App Version in Orchestrate: V1.0.1
API version: V1, V2, V3
Default Port: 443
About App
The VMware CarbonBlack Cloud Enterprise EDR app in the Orchestrate application allows security teams to integrate with Carbon Black ThreatHunter, offered as Carbon Black Cloud Enterprise EDR, and gain unfiltered visibility for top Security Operations Center (SOC) and Incident Response (IR) teams. Carbon Black ThreatHunter is delivered through the Carbon Black Cloud, a next-generation endpoint protection platform that consolidates security in the cloud using a single agent, console, and dataset.
The VMware CarbonBlack Cloud Enterprise EDR app in the Orchestrate application can perform the following actions:
Action Name | Description |
---|---|
Get details of a Watchlist | This action can be used to get details of a Watchlist. |
Get details of a Feed | This action can be used to get details of a Feed. |
Get details of a Feed Report | This action can be used to get details of a report from a Feed. |
Get information about a Feed | This action can be used to get information about a Feed. |
Get a list of Feed Reports | This action can be used to get a list of Feed Reports. |
Get a list of Feeds | This action can be used to get a list of all Feeds. |
Get a list of all Watchlists | This action can be used to get the list of all Watchlists. |
Search Feeds | This action can be used to search Feeds. |
Prerequisites
All the actions configured in the VMware CarbonBlack Cloud Enterprise EDR app relate to private APIs. A VMware CarbonBlack Cloud Enterprise EDR Enterprise subscription is required to access the private APIs.
Configuration Parameters
The following configuration parameters are required for the VMware CarbonBlack Cloud Enterprise EDR app to communicate with the VMware CarbonBlack Cloud Enterprise EDR enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Cloud Domain | Enter the cloud domain. For example, "defense.tld" | Text | Required | |
API ID | Enter API ID. | Password | Required | Required Access Level type: RBAC permission required |
API Secret Key | Enter API Secret Key. | Password | Required | Required Access Level type: RBAC permission required |
Org Key | Enter the Org Key. For example, “7DESJ9GN” | Text | Required | |
Action: Get details of a Watchlist
This action can be used to get details of a watchlist.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the Watchlist ID. For example, “jEi9DvRgRRC2D3CPXtuOlg” | Text | Required | |
Example Request
[ { "watchlist_id": "jEi9DvRgRRC2D3CPXtuOlg" } ]
Action: Get details of a Feed
This action can be used to get details of a feed.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. For example, “TtEd0qO0R2uEipWr8gYNTw” | Text | Required | |
Example Request
[ { "feed_id": "TtEd0qO0R2uEipWr8gYNTw" } ]
Action: Get details of a Feed Report
This action can be used to get details of a report from a feed.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. For example, “TtEd0qO0R2uEipWr8gYNTw” | Text | Required | |
Report ID | Enter the report ID. For example, “tc-104232995” | Text | Required | |
Example Request
[ { "feed_id": "TtEd0qO0R2uEipWr8gYNTw", "report_id": "tc-104232995" } ]
Action: Get information about a Feed
This action can be used to get information about a feed.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. For example, “TtEd0qO0R2uEipWr8gYNTw” | Text | Required | |
Example Request
[ { "feed_id": "TtEd0qO0R2uEipWr8gYNTw" } ]
Action: Get a list of Feed Reports
This action can be used to get a list of feed reports.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. For example, “TtEd0qO0R2uEipWr8gYNTw” | Text | Required | |
Example Request
[ { "feed_id": "TtEd0qO0R2uEipWr8gYNTw" } ]
Action: Get a list of Feeds
This action can be used to get a list of all feeds.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Public Feeds | Select if you want to include public Feeds. | Boolean | Optional | Allowed values:
By default, the value is set as “False” |
Example Request
[ { "public_feeds": "False" } ]
Action: Get a list of all Watchlists
This action can be used to get a list of all Watchlists.
Input Parameters
No input parameters are required for this action.
Action: Search Feeds
This action can be used to search feeds.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Search Query | Enter a search query. For example, “url” | Any | Required | |
Additional Parameters | Enter additional parameters in the form of key value pairs to filter Feeds. | Key Value | Optional | Allowed key value pairs are:
|
Example Request
[ { "extra_params": {}, "search_query": "url" } ]