VMware Carbon Black Cloud Audit and Remediation
App Vendor: VMware
App Category: Endpoint Detection and Response
App Version in Orchestrate: 1.0.0
API version: 1.0.0
Default Port: 443
About App
The VMware Carbon Black Cloud Audit and Remediation app in the Orchestrate application lets security teams integrate with the VMware Carbon Black Cloud Audit and Remediation enterprise application, giving them faster, easier access to audit endpoints and change their system state across the organization through real-time querying and remediation.
The VMware Carbon Black Cloud Audit and Remediation app in the Orchestrate application can perform the actions listed below:
Action Name | Description |
---|---|
Delete Query Run | This action can be used to delete a live query run. |
Get Device Summary from Query Results | This action can be used to get a summary of a device from a query result. |
Get Summary of a Query Result | This action can be used to get a summary of a query result. |
Get a List of Query Recommendations | This action can be used to get a list of query recommendations. |
Get Live Query Details | This action can be used to get the details of a live query. |
Get Live Query Results | This action can be used to get the results of a live query. |
Run Live Query | This action can be used to run a live query. |
Stop Running Live Query | This action can be used to cancel/stop a running live query. |
Prerequisites
All the actions configured in the VMware Carbon Black Cloud Audit and Remediation app use private APIs. A VMware Carbon Black Cloud Audit and Remediation Enterprise subscription is required to access the private APIs.
Configuration parameters
The following configuration parameters are required for the VMware Carbon Black Cloud Audit and Remediation app to communicate with the VMware Carbon Black Cloud Audit and Remediation enterprise application. Configure the parameters by creating instances of the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Cloud Domain | Enter the cloud domain. For example, "defense.tld" | Text | Required | |
API ID | Enter the API ID for authorization | Password | Required | Role-Based Access Control (RBAC) permission levels are assigned to custom API keys to scope their access to the APIs. Minimum RBAC permissions required: |
API Secret Key | Enter the API Secret Key for authorization | Password | Required | Role-Based Access Control (RBAC) permission levels are assigned to custom API keys to scope their access to the APIs. Minimum RBAC permissions required: |
Org Key | Enter the Org Key. For example, "7DESJ9GN" | Text | Required | |
Action: Delete Query Run
This action can be used to delete a query run.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. For example, "s5m05algyv9xewlnsazw0jveydockayx" | Text | Required | The ID of the query run to delete, as returned when the query was started. |
Example Request
[ { "query_id": "s5m05algyv9xewlnsazw0jveydockayx" } ]
Action: Get Device Summary from Query Results
This action can be used to get a device's summary from a live query result.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. For example, "s5m05algyv9xewlnsazw0jveydockayx" | Text | Required | The ID of the query run, as returned when the query was started. |
Query Search | Enter the query search as key:value pairs. For example, "rows": "10", "start": "0" | Key:Value | Required | By default, the value of "start" is 0. |
Example Request
[ { "query_id": "s5m05algyv9xewlnsazw0jveydockayx", "query_search": { "rows": "10", "start": "0" } } ]
Action: Get Summary of a Query Result
This action can be used to get a summary of a query result.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. For example, "s5m05algyv9xewlnsazw0jveydockayx" | Text | Required | The ID of the query run, as returned when the query was started. |
Query Search | Enter the query search as key:value pairs. For example, "rows": "10", "start": "0" | Key:Value | Required | By default, the value of "start" is 0. |
Example Request
[ { "query_id": "s5m05algyv9xewlnsazw0jveydockayx", "query_search": { "rows": "10", "start": "0" } } ]
Action: Get a List of Query Recommendations
This action can be used to get a list of live query recommendations.
Input Parameters
No Input Parameters are required for this action.
Action: Get Live Query Details
This action can be used to get the details of a live query.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. For example, "s5m05algyv9xewlnsazw0jveydockayx" | Text | Required | The ID of the query run, as returned when the query was started. |
Example Request
[ { "query_id": "s5m05algyv9xewlnsazw0jveydockayx" } ]
Action: Get Live Query Results
This action can be used to get the results of a live query.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. For example, "s5m05algyv9xewlnsazw0jveydockayx" | Text | Required | The ID of the query run, as returned when the query was started. |
Search parameters | Enter the search parameters as key:value pairs. | Key:Value | Required | For example, "rows": "10", "start": "0" |
Example Request
[ { "query_id": "s5m05algyv9xewlnsazw0jveydockayx", "search_params": { "rows": "10", "start": "0" } } ]
Action: Run Live Query
This action can be used to run a live query.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query Name | Enter the query name. For example, "Find Patches" | Text | Required | |
SQL Query | Enter the SQL query. For example, "SELECT * FROM patches;" | Any | Required | The statement is sent to the API in the "sql" field. |
OS Type | Enter the OS type as a list. For example, ["WINDOWS"] | Any | Required | Allowed values: operating system names such as "WINDOWS". By default, all operating systems are targeted. |
Notify on Finish | Whether a notification is sent when the query finishes. | Boolean | Optional | Allowed values: true, false. By default, the value is false. |
Additional Parameters | Enter additional parameters as key:value pairs. | Key:Value | Optional | Sent to the API as "extra_params". |
Example Request
[ { "os_type": [ "WINDOWS" ], "sql_query": "SELECT * FROM patches;", "query_name": "Find Patches", "extra_params": {}, "notify_on_finish": false } ]
Action: Stop Running Live Query
This action can be used to cancel/stop a running live query.
Note: Once a query run has been stopped, it cannot be run again.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. For example, "s5m05algyv9xewlnsazw0jveydockayx" | Text | Required | The ID of the running query to stop, as returned when the query was started. |
Example Request
[ { "query_id": "s5m05algyv9xewlnsazw0jveydockayx" } ]
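The actions above are normally chained in one playbook: Run Live Query, poll Get Live Query Details until the run is no longer active, page through Get Live Query Results with "start"/"rows", and then Delete Query Run (or Stop Running Live Query if the run never finishes). The Python below is an added example of that chain; it is not code from the Orchestrate app or from VMware. The HTTP paths under /livequery/v1/orgs/{org_key}/, the "X-Auth-Token: <API Secret Key>/<API ID>" header, the "device_filter", "num_found" and the ACTIVE/COMPLETE/CANCELLED status values are assumed from the public Carbon Black Cloud Live Query API, and FakeCarbonBlackCloud is a constructed stand-in so the code runs offline. The single-SELECT guard is a playbook-side check (a run executes on every endpoint in scope, so SQL taken from a ticket or chat should be vetted), not something the API enforces.

```python
"""Chain the Live Query actions: run -> poll -> page results -> delete. Offline."""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]
_SELECT = re.compile(r"^\s*SELECT\b", re.IGNORECASE)


def is_single_select(sql: str) -> bool:
    """Accept exactly one read-only statement (no stacked statements after ';')."""
    body = sql.strip().rstrip(";")
    return bool(_SELECT.match(body)) and ";" not in body


@dataclass
class LiveQueryClient:
    """Maps the page's actions onto paths assumed from the public Live Query API."""
    cloud_domain: str      # e.g. "defense.tld"
    org_key: str           # e.g. "7DESJ9GN"
    api_id: str
    api_secret: str
    transport: Transport   # (method, url, headers, json_body) -> parsed JSON

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        url = f"https://{self.cloud_domain}/livequery/v1/orgs/{self.org_key}{path}"
        headers = {"X-Auth-Token": f"{self.api_secret}/{self.api_id}",  # secret/id (assumed)
                   "Content-Type": "application/json"}
        return self.transport(method, url, headers, body)

    def run_live_query(self, query_name: str, sql_query: str, os_type: List[str],
                       notify_on_finish: bool = False, extra_params: Optional[dict] = None) -> dict:
        if not is_single_select(sql_query):
            raise ValueError("refusing SQL that is not a single SELECT statement")
        body = {"name": query_name, "sql": sql_query, "notify_on_finish": notify_on_finish,
                "device_filter": {"os": os_type}}
        body.update(extra_params or {})
        return self._call("POST", "/runs", body)

    def get_live_query_details(self, query_id: str) -> dict:
        return self._call("GET", f"/runs/{query_id}")

    def get_live_query_results(self, query_id: str, search_params: dict) -> dict:
        return self._call("POST", f"/runs/{query_id}/results/_search", search_params)

    def stop_running_live_query(self, query_id: str) -> dict:
        return self._call("PUT", f"/runs/{query_id}/status", {"status": "CANCELLED"})

    def delete_query_run(self, query_id: str) -> dict:
        return self._call("DELETE", f"/runs/{query_id}")


class FakeCarbonBlackCloud:
    """Constructed stand-in: one run, three rows, ACTIVE for two polls, then COMPLETE."""
    RUN_ID = "s5m05algyv9xewlnsazw0jveydockayx"
    ROWS = [{"device": {"id": n, "name": f"WS-0{n}"}, "fields": {"hotfix_id": f"KB000000{n}"}}
            for n in (1, 2, 3)]  # constructed sample output for SELECT * FROM patches

    def __init__(self, expected_token: str) -> None:
        self.expected_token, self.runs, self.polls = expected_token, {}, 0

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
        if headers.get("X-Auth-Token") != self.expected_token:
            raise PermissionError("401 Unauthorized")
        path = re.search(r"/livequery/v1/orgs/[^/]+(/.*)$", url).group(1)
        if (method, path) == ("POST", "/runs"):
            self.runs[self.RUN_ID] = {"id": self.RUN_ID, "status": "ACTIVE", "sql": body["sql"]}
            return dict(self.runs[self.RUN_ID])
        run = self.runs.get(path.split("/")[2])
        if run is None:
            raise LookupError("404 run not found")
        if method == "GET":
            self.polls += 1
            if self.polls > 2:
                run["status"] = "COMPLETE"
            return dict(run)
        if method == "POST" and path.endswith("/results/_search"):
            start, rows = int(body.get("start", 0)), int(body.get("rows", 10))
            return {"num_found": len(self.ROWS), "results": self.ROWS[start:start + rows]}
        if method == "PUT":
            run["status"] = body["status"]
            return dict(run)
        del self.runs[run["id"]]  # DELETE
        return {}


def run_and_collect(client: LiveQueryClient, query_name: str, sql_query: str, os_type: List[str],
                    page_size: int = 2, max_polls: int = 10, poll_interval_s: float = 0.0) -> List[dict]:
    """Run, wait for completion, page through every result row, then delete the run."""
    run_id = client.run_live_query(query_name, sql_query, os_type)["id"]
    for _ in range(max_polls):
        details = client.get_live_query_details(run_id)
        if details["status"] != "ACTIVE":
            break
        if poll_interval_s:
            time.sleep(poll_interval_s)  # a real playbook waits a few seconds between polls
    else:
        client.stop_running_live_query(run_id)  # do not leave an orphaned run behind
        raise TimeoutError(f"run {run_id} still ACTIVE after {max_polls} polls; cancelled")
    if details["status"] != "COMPLETE":
        raise RuntimeError(f"run {run_id} ended with status {details['status']}")
    collected, start = [], 0
    while True:  # "start"/"rows" paging, as in the Get Live Query Results action
        page = client.get_live_query_results(run_id, {"start": start, "rows": page_size})
        collected.extend(page["results"])
        start += page_size
        if start >= page["num_found"] or not page["results"]:
            break
    client.delete_query_run(run_id)
    return collected
```

The poll loop is bounded on purpose: an unbounded wait on a run that never reaches COMPLETE (for example because the targeted devices are offline) would hang the playbook and leave the run consuming the organisation's Live Query quota, so the timeout path calls the Stop Running Live Query action before failing.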