Vmware Carbon Black (On Prem)
App Vendor: Vmware
Connector Category: Analytics and SIEM
App Version in Orchestrate: 1.0.0
API Version: 1.0.0
About App
VMware Carbon Black is a solution designed for security teams with offline environments or on-premises requirements. It supports your organization's need to secure, respond to and remediate incidents in offline, air-gapped and disconnected environments. Carbon Black continuously records and stores comprehensive endpoint activity data which enables security analysts to hunt threats in real time and visualize the complete attack kill chain.
The Vmware Carbon Black (On Prem) app allows security teams to integrate with the Carbon Black enterprise version to manage alerts, feeds, and reports.
This app is configured with the Orchestrate application to perform the following actions:
Action | Description |
|---|---|
Binary Search | This action performs a search to retrieve the binary data using a query. |
Get Watchlist Data | This action retrieves watchlist data using the watchlist ID. |
Get All Watchlists | This action retrieves all the watchlisted data. |
Bulk Update Alerts | This action performs a bulk update for a list of alert IDs. |
Update Alert | This action updates an alert using the alert ID. |
Search Alerts | This action performs a search to retrieve alerts using a query. |
Get Binary Metadata | This action retrieves the binary metadata using the hash value. |
Get Banned Hashes | This action retrieves all the banned hashes from Carbon Black. |
Ban MD5 Hash | This action bans an MD5 hash using the hash value and other ban details. |
Get Feed By ID | This action retrieves the feed details using the feed ID. |
Get Feeds | This action retrieves all the feed details. |
Search Threat Reports | This action performs a search to retrieve the threat reports in Carbon Black. |
Get Process Preview | This action retrieves the process preview data using the segment ID and process ID. |
Get Event Details | This action retrieves event details using the segment ID and process ID. |
Get Segment Details | This action retrieves the segment details using the process ID. |
Get Process Summary | This action retrieves the process summary details using the segment ID and process ID. |
Process Search | This action performs a search to retrieve all the processes on Carbon Black On-Prem application using a query. |
Configuration Parameters
The following configuration parameters are required for the Vmware Carbon Black app to communicate with the Vmware Carbon Black enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the Carbon Black base URL to authenticate with. Example: "https://<cb_defense_api_host>/integrationServices" | Text | Required | |
API Key | Enter the Carbon Black API key. Example: "XXXX972a2167c93df3372de34c2fb18bae5d319a" | Password | Required | |
Verify | Choose whether to verify SSL certificate or not. | Text | Required | Allowed values:
|
Action: Binary Search
This action performs a search to retrieve the binary data using a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query to search reports. Example: "digsig_result:Expired" | Text | Required | See Advanced Searches for the supported query strings. |
Rows | Enter the number of rows to return in the results. Example: 10 | Integer | Optional | Default value: 10 |
Start | Enter the row number to start the search from. Example: 5 | Integer | Optional | Default value: 0 |
Note: You can also pass other optional parameters such as Sort, Facet, and Facet Field for the binary search operation.
Example Request
[
{
"query": "server_added_timestamp:*"
}
"rows": 10
]Action: Get Watchlist Data
This action retrieves the watchlist data using the watchlist ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Watchlist ID | Enter the watchlist ID to fetch the watchlist data. Example: 414 | Integer | Required | You can retrieve the watchlist ID using the Get All Watchlists action. |
Example Request
[
{
"watchlist_id": "414"
}
]Action: Get All Watchlists
This action retrieves all the watchlists owned by the caller.
Action Input Parameters
This action does not require any input parameters.
Action: Bulk Update Alerts
This action performs a bulk update for a list of alert IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query as key-value pairs to perform a bulk update on alerts. Example: "cb.urlver=1&cb.fq.status=unresolved&sort=alert_severity%20desc&rows=10" | Text | Optional | |
Alert IDs | Enter the list of alert IDs. Example: ["id1", "id2"] | List | Optional | |
Requested Status | Enter the requested status. Example: "Resolved" | Text | Optional | Allowed values:
|
Set Ignored | Set the status to ignore the alerts or not. | Boolean | Optional | Allowed values:
|
Assigned To | Enter the analyst to assign to. "cbadmin" | Text | Optional |
Example Request
[
{
"assigned_to": "cbadmin",
"set_ignored": false,
"alert_id_list": [
"e17ad49b-1ee2-4b47-bd03-52be64ac0a78"
],
"requested_status": "Resolved"
}
]Action: Update Alert
This action updates an alert using the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Alert ID | Enter the alert ID to update. Example: "221612a9-897a-47a3-9e44-7833e5d11a53" | Text | Required | |
Status | Enter the status of the alert to update. Example: "Resolved" | Text | Required | Allowed values:
|
Example Request
[
{
"status": "Resolved",
"alert_id": "221612a9-897a-47a3-9e44-7833e5d11a53"
}
]Action: Search Alerts
This action can be used to search alerts in carbon black.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query as key value pairs to search. | Text | Required | See Advanced Searches for the supported query strings. |
Rows | Enter the number of rows to return in the results. Example: 10 | Integer | Optional | Default value: 10 |
Start | Enter the row number to start the search from. | Integer | Optional | Default value: 0 |
Note: You can also pass other optional parameters such as Sort and Facet to search for alerts.
Example Request
[
"start": 0,
"rows": 10,
{
"query": "status:*",
}
]Action: Get Binary Metadata
This action retrieves the binary metadata using the hash value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Hash Value | Enter the hash value to retrieve the binary metadata. Example: "586E1B7CAF47A43F5BE28968DD4A7329" | Integer | Required |
Example Request
[
{
"hash_value": "586E1B7CAF47A43F5BE28968DD4A7329"
}
]Action: Get Banned Hashes
This action retrieves all the banned hashes from Carbon Black.
Action Input Parameters
This action does not require any input parameters.
Action: Ban MD5 Hash
This action bans an MD5 hash using the hash value and other ban details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Hash Value | Enter the hash value to ban. Example: "3e8742cc224c0d291d5a18471adba02e" | Text | Required | |
Description | Enter the description of the hash. Example: "Test Description" | Text | Required | |
Last Ban Time | Enter the last ban time. Example: 1529332687006 | Text | Required | |
Enter the Ban Count | Enter the ban count. Example: 0 | Integer | Required | |
Last Ban Host | Enter the last ban host. Example: 111 | Text | Required |
Example Request
[
{
"ban_count": "0",
"hash_value": "3e8742cc224c0d291d5a18471adba02e",
"description": "Evil Image 3",
"last_ban_host": "111",
"last_ban_time": "1529332687006"
}
]Action: Get Feed By ID
This action retrieves the feed details using the feed ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Feed ID | Enter the feed ID to fetch the feed details. Example: 80190 | Integer | Required | You can retrieve the feed ID using Get Feeds action. |
Example Request
[
{
"feed_id": "80910"
}
]Action: Get Feeds
This action retrieves all the feed details.
Action Input Parameters
This action does not require any input parameters.
Action: Search Threat Reports
This action performs a search to retrieve the threat reports in Carbon Black.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query in key-value pairs to search reports. Example: "create_time:*" | Text | Required | See Advanced Searches for the supported query strings. |
Rows | Enter the number of rows to return in the results. Example: 10 | Integer | Optional | Default value: 10 |
Start | Enter the row number to start the search from. | Integer | Optional | Default value: 0 |
Note: You can also pass other optional parameters such as Sort and Facet to search for threat reports.
Example Request
[
"start": 0,
"rows": 10,
{
"query": "create_time:*"
}
]Action: Get Process Preview
This action retrieves the process preview data using the segment ID and process ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Segment ID | Enter the segment ID to retrieve the process preview data. Example: "1627885204885" | Integer | Required | You can retrieve the segment ID using the Get Segment Details action. |
Process ID | Enter the process ID to retrieve the process preview data. Example: "00000001-0000-0725-01d7-851d56b35250" | Integer | Required | You can retrieve the process ID using the Process Search action. |
Note: You can also pass other optional query parameters to filter items.
Example Request
[
{
"process_id": "00000001-0000-0725-01d7-851d56b35250",
"segment_id": "1627885204885"
}
]Action: Get Event Details
This action retrieves event details using the segment ID and process ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Segment ID | Enter the segment ID to retrieve the event data. Example: "1627885204885" | Integer | Required | You can retrieve the segment ID using the Get Segment Details action. |
Process ID | Enter the process ID to retrieve the event data. Example: "00000001-0000-0725-01d7-851d56b35250" | Integer | Required | You can retrieve the process ID using the Process Search action. |
Example Request
[
{
"process_id": "00000001-0000-0725-01d7-851d56b35250",
"segment_id": "1627885204885"
}
]Action: Get Segment Details
This action retrieves the segment details using the process ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Process ID | Enter the process ID to retrieve the segment details. Example: "00000001-0000-0725-01d7-851d56b35250" | Integer | Required | You can retrieve the process ID using the Process Search action. |
Example Request
[
{
"process_id": "00000001-0000-0725-01d7-851d56b35250"
}
]Action: Get Process Summary
This action retrieves the process summary details using the segment ID and process ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Segment ID | Enter the segment ID to retrieve the process summary. Example: 00000001-0000-0725-01d7-851d56b35250 | Integer | Required | You can retrieve the segment ID using the Get Segment Details action. |
Process ID | Enter the process ID to retrieve the process summary. Example: 1627885204885 | Integer | Required | You can retrieve the process ID using the Process Search action. |
Example Request
[
{
"process_id": "00000001-0000-0725-01d7-851d56b35250",
"segment_id": "1627885204885"
}
]Action: Process Search
This action performs a search to retrieve all the processes on Carbon Black On-Prem application using a query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query in key-value pairs to perform a process search. Example: "start:*" | Integer | Required | See Advanced Searches for the supported query strings. |
Rows | Enter the number of rows to return in the results. Example: 10 | Integer | Optional | Default value: 10 |
Start | Enter the row number to start the search from. Example: 0 | Integer | Optional | Default value: 0 |
Note: You can also pass other optional parameters such as Sort, Facet, Facet Field, Comprehensive Search, Facet Fuzzy, and Group to search for processes.
Example Request
[
"start": 0,
"rows": 10,
{
"query": "start:*"
}
]