VMware Carbon Black Cloud Endpoint Standard Live Response
App Vendor: VMware
App Category: Endpoint Detection and Response
App Version in Orchestrate: V1.0.1
API version: V3
Default Port: 443
About App
The VMware Carbon Black Cloud Endpoint Standard Live Response app in the Orchestrate application allows security teams to integrate with the VMware Carbon Black Cloud Endpoint Standard Live Response enterprise application to collect information and take action on remote endpoints in real time. These actions include uploading, downloading, and removing files; retrieving and removing registry entries; dumping the contents of physical memory; and executing and terminating processes.
The VMware Carbon Black Cloud Endpoint Standard Live Response app in the Orchestrate application can perform the following actions:
Action Name | Description |
---|---|
Start Session for Device | This action can be used to start a Session for a Device. |
Reset Session for Device | This action can be used to reset a timed-out Session for a Device. |
Issue command to a Device | This action can be used to issue a command to a Device. |
Get status of session from Device | This action can be used to get the status of a Session from a Device. |
Get status of command issued to a Device | This action can be used to get the status of a command issued to a Device. |
Get Metadata of a file | This action can be used to get Metadata of a file. |
Get file content | This action can be used to get file content. |
Close Session In a Device | This action can be used to close the Session in a Device. |
Cancel a command issued to a Device | This action can be used to cancel a command issued to a Device. |
Prerequisites
All the actions configured in the VMware Carbon Black Cloud Endpoint Standard Live Response app relate to private APIs. A VMware Carbon Black Cloud Endpoint Standard Live Response Enterprise subscription is required to access the private APIs.
Configuration parameters
The following configuration parameters are required for the VMware Carbon Black Cloud Endpoint Standard Live Response app to communicate with the VMware Carbon Black Cloud Endpoint Standard Live Response enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Cloud Domain | Enter the Cloud Domain. For example, "defense.tld" | Text | Required | |
API Key | Input API Key. | Password | Required | Required Access Level type is “Live Response Access” |
Secret Key | Input Secret Key. | Password | Required | Required Access Level type is “Live Response Access” |
Action: Start Session for a Device
This action can be used to start a session for a Device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Device ID | Enter the Device ID. For example, “3419258” | Text | Required | |
Example Request
[ { "device_id": "3419258" } ]
Action: Reset session for a Device
This action can be used to reset a timed-out session for a Device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
Example Request
[ { "session_id": "1105:3419258" } ]
Action: Issue command to Device
This action can be used to issue a command to a Device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
Command Name | Enter the name of the command. For example, “get file” | Text | Required | |
Additional Parameters | Enter additional parameters in the form of key value pairs. For example, object = C:\Users\Administrator\Downloads\sample_file.txt | Key Value | Optional | |
Example Request
[ { "retry": true, "session_id": "1105:3419258", "command_name": "get file", "extra_params": { "Object": "C:\\Users\\Administrator\\Downloads\\sample_file.txt" } } ]
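An added example, not part of the app or the vendor's documentation: building request bodies with a JSON serializer so that Windows paths passed as additional parameters are escaped correctly, and rejecting requests that lack a required field. The helper names `build_request` and `is_valid_json` are hypothetical, and the `object` key follows the Additional Parameters row above.

```python
import json

# Required request fields per action, taken from the parameter tables on this page.
REQUIRED = {
    "start_session": ("device_id",),
    "issue_command": ("session_id", "command_name"),
    "command_status": ("session_id", "command_id"),
    "close_session": ("session_id",),
}

def build_request(action, **fields):
    """Return the JSON request body for an action, in the page's [ { ... } ] shape."""
    missing = [k for k in REQUIRED[action] if fields.get(k) in (None, "")]
    if missing:
        raise ValueError(f"{action}: missing required field(s): {', '.join(missing)}")
    # json.dumps escapes backslashes and quotes, so Windows paths stay valid JSON.
    return json.dumps([fields])

def is_valid_json(text):
    """True if text parses as JSON, False otherwise."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False

# Constructed sample values, reusing the IDs and path shown in the page's examples.
PATH = r"C:\Users\Administrator\Downloads\sample_file.txt"
ISSUE = build_request(
    "issue_command",
    session_id="1105:3419258",
    command_name="get file",
    extra_params={"object": PATH},
)

# Hand-typed body with raw backslashes: "\U" and "\A" are not JSON escapes.
HAND_TYPED = (
    '[ { "session_id": "1105:3419258", "command_name": "get file", '
    '"extra_params": { "object": "' + PATH + '" } } ]'
)

if __name__ == "__main__":
    print(ISSUE)
    print("hand-typed body parses:", is_valid_json(HAND_TYPED))
```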
Action: Get Status of Session from Device
This action can be used to get the status of a Session from a Device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
Example Request
[ { "session_id": "1105:3419258" } ]
Action: Get Status of Command Issued to Device
This action can be used to get the status of a command issued to a Device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
Command ID | Enter the command ID. For example, “1” | Text | Required | |
Example Request
[ { "command_id": 1, "session_id": "1105:3419258" } ]
Action: Get Metadata of a file
This action can be used to get Metadata of a file.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
File ID | Enter the file ID. For example, “075a85b0-c24d-4bb2-a065-205d3af74ffa” | Text | Required | |
Example Request
[ { "file_id": "075a85b0-c24d-4bb2-a065-205d3af74ffa", "session_id": "1105:3419258" } ]
Action: Get file content
This action can be used to get file content.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
File ID | Enter the file ID. For example, “075a85b0-c24d-4bb2-a065-205d3af74ffa” | Text | Required | |
Example Request
[ { "file_id": "075a85b0-c24d-4bb2-a065-205d3af74ffa", "filename": "sample.txt", "session_id": "1105:3419258" } ]
Action: Close Session in Device
This action can be used to close the Session in a Device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
Example Request
[ { "session_id": "1105:3419258" } ]
Action: Cancel a command issued to a Device
This action can be used to cancel a command issued to a device.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Session ID | Enter the Session ID. For example, “1105:3419258” | Text | Required | |
Command ID | Enter the command ID. For example, “1” | Text | Required | |
Example Request
[ { "session_id": "1105:3419258", "command_id": "1" } ]