VMware Carbon Black Cloud 2.0.0
App Vendor: VMware
App Category: Forensics & Malware Analysis
Connector Version: 2.2.0
API Version: 1.0.1
About App
This app provides integration with VMware Carbon Black Cloud (formerly the Predictive Security Cloud), a cloud-native endpoint protection platform (EPP) that secures endpoints with a single, lightweight agent and a web console.
The VMware Carbon Black Cloud app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Get Details of an Alert | This action retrieves the details of an alert from VMware Carbon Black Cloud. |
Get Details of Device | This action retrieves the details of the device from VMware Carbon Black Cloud. |
Get List of Facet Alert | This action retrieves a list of facets from alerts from VMware Carbon Black Cloud. |
Perform Action in Device | This action performs the action in the device from VMware Carbon Black Cloud. |
Search Alerts | This action searches for alerts in VMware Carbon Black Cloud. |
Search Devices | This action searches for devices in VMware Carbon Black Cloud. |
Configure Reputation Override | This action configures a new reputation override for an SHA-256, cert, or IT tool. |
Search Reputation Override | This action searches reputation overrides based on override type and override list. |
Bulk Delete Reputation Override | This action is used to bulk delete reputation overrides by reputation ID. |
Generic Action | This is a generic action used to make requests to any VMware Carbon Black Cloud endpoint. |
Configuration Parameters
The following configuration parameters are required for the VMware Carbon Black Cloud app to communicate with the VMware Carbon Black Cloud enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. Example: "https://defense.conferdeploy.net/" | Text | Required | |
API ID | Enter the API ID. Example: "zaCELXXXXXXXXXXXXXtlx" | Text | Required | Required access level types: |
API Secret Key | Enter the API secret key. | Password | Required | Required access level types: |
Org Key | Enter the org key. | Text | Required | |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with VMware Carbon Black Cloud. | Integer | Optional | Allowed range: 15-120 Default value: 15 |
Verify | Choose whether to verify the server's SSL/TLS certificate when making requests. It is recommended to set this option to yes. Setting it to no disables certificate verification, so the connection can be established to a server that is not the genuine VMware Carbon Black Cloud service, and the API secret key sent in the request headers would be exposed to it. | Boolean | Optional | By default, verification is enabled. |
Important
Ensure you have the required role-based access control (RBAC) permissions to perform the actions. For more information on required RBAC permissions for each action, see VMware Carbon Black Cloud API Documentation.
Action: Configure Reputation Override
This action configures a new reputation override for an SHA-256, cert, or IT tool.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Override List | Enter the override list. Example: "BLACK_LIST" | Text | Required | BLACK_LIST value is valid only for SHA256. Allowed values: |
Override Type | Enter the override type. Example: "SHA256" | Text | Required | Allowed values: |
Description | Enter the description for an override. Example: "An override for a sha256 hash" | Text | Optional | |
SHA256 Hash | If the override type is SHA256, then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. Example: "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a" | Text | Optional | |
Signed By | If the override type is CERT, then enter the name of the signer of the application. Example: "dummy" | Text | Optional | |
Path | If the override type is IT_TOOL, then enter the path where the IT Tools exist. Example: "c:\program files\custom_application" | Text | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys: |
Example Request
[ { "override_type":"SHA256", "override_list":"BLACK_LIST", "description":"An override for a sha256 hash", "sha256_hash":"af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a" } ]
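The parameter table above carries three conditional rules (BLACK_LIST only with SHA256, a 64-character hexadecimal hash for SHA256, signed_by for CERT, path for IT_TOOL) that are easy to get wrong when a playbook assembles the request from variables. The following builder is an added example, not the connector's or VMware's code. Key names follow the example request on this page; `sha256_hash` is assumed as the key for the SHA256 Hash parameter, and `WHITE_LIST` is assumed as the other override list value, since this page does not list the allowed values.

```python
"""Build a Configure Reputation Override request body and enforce the rules
from the parameter table.

Added example, not the connector's or VMware's code. Key names follow the
example request on this page; sha256_hash is an assumed key name and
WHITE_LIST an assumed override_list value.
"""
import re
from typing import Any, Dict, Optional

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
OVERRIDE_TYPES = {"SHA256", "CERT", "IT_TOOL"}
OVERRIDE_LISTS = {"BLACK_LIST", "WHITE_LIST"}  # WHITE_LIST is an assumption


def build_override(override_type: str, override_list: str, *,
                   sha256_hash: Optional[str] = None,
                   signed_by: Optional[str] = None,
                   path: Optional[str] = None,
                   description: Optional[str] = None) -> Dict[str, Any]:
    """Return the request body, or raise ValueError if the inputs break a rule."""
    otype = override_type.upper()
    olist = override_list.upper()
    if otype not in OVERRIDE_TYPES:
        raise ValueError(f"override_type must be one of {sorted(OVERRIDE_TYPES)}")
    if olist not in OVERRIDE_LISTS:
        raise ValueError(f"override_list must be one of {sorted(OVERRIDE_LISTS)}")
    # The table states that BLACK_LIST is valid only for SHA256 overrides.
    if olist == "BLACK_LIST" and otype != "SHA256":
        raise ValueError("BLACK_LIST is valid only when override_type is SHA256")

    body: Dict[str, Any] = {"override_type": otype, "override_list": olist}
    # Only the identifier that belongs to the chosen type is accepted. A signer
    # or path on a SHA256 override is rejected rather than silently dropped,
    # so a mis-wired playbook variable fails loudly instead of creating an
    # override that does not match what the analyst intended.
    if otype == "SHA256":
        if signed_by or path:
            raise ValueError("SHA256 overrides take sha256_hash only")
        if not sha256_hash or not SHA256_RE.match(sha256_hash):
            raise ValueError("sha256_hash must be a 64-character hexadecimal string")
        body["sha256_hash"] = sha256_hash.lower()
    elif otype == "CERT":
        if not signed_by:
            raise ValueError("CERT overrides require signed_by")
        body["signed_by"] = signed_by
    else:  # IT_TOOL
        if not path:
            raise ValueError("IT_TOOL overrides require path")
        body["path"] = path
    if description:
        body["description"] = description
    return body


def is_valid_override(**kwargs: Any) -> bool:
    """True if build_override accepts the inputs; useful as a pre-flight check."""
    try:
        build_override(**kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_override(
        "SHA256", "BLACK_LIST",
        sha256_hash="af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
        description="An override for a sha256 hash"))
```

An override changes what the sensor blocks or trusts across the whole org, so a playbook should run the check before calling the action and should only approve (non-BLACK_LIST) a hash that was computed from a verified copy of the file, not one pasted from an alert.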
Action: Get Alert by IDs
This action retrieves the details of an alert from VMware Carbon Black Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to retrieve alert details. Example: "225219783948647d55b11e9962bf3b07592c207" | Text | Required | This parameter can be retrieved using the Search Alerts action. |
Example Request
[ { "alert_id": "225219783948647d55b11e9962bf3b07592c207" } ]
Action: Get Details of Device
This action retrieves details of the device from VMware Carbon Black Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID to retrieve the details of the device. Example: "5523528" | Text | Required | This parameter can be retrieved using the Search Devices action. |
Example Request
[ { "device_id": "5523528" } ]
Action: Get List of Facet Alerts
This action retrieves a list of facets from alerts in VMware Carbon Black Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search Query | Enter the search query. Example: "552328" | Text | Optional | |
Extra Params | Enter the extra params to filter the results. | Key Value | Optional | Allowed values: |
Rows | Enter the number of rows to retrieve in the response. Example: 100 | Integer | Optional | Default value: 20 |
Alert Fields | Enter the list of alert fields required to facet. Example: $LIST[application_name] | List | Required | |
Example Request
[ { "fields": [ "application_name" ] } ]
Action: Perform Action in Device
This action performs an action in the device from VMware Carbon Black Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the list of device IDs. Example: $LIST[5523528, 4432574] | List | Required | |
Action Type | Enter the action to perform on the selected devices. Example: "bypass" | Text | Required | Allowed Values: |
Extra Params | Enter the extra parameters. | Key Value | Required | |
Policy ID | Enter the policy ID. Example: "1233" | Text | Optional | This parameter is required when the action type is set to update_policy. |
Sensor Version | Enter the sensor version. Example: {'rhel': '2.4.0.3'} | Key Value | Optional | This parameter is required when the action type is set to update_sensor_version. |
Toggle | Enter toggle to enable or disable the action. Example: "OFF" | Text | Optional | This parameter is required when the action type is set to quarantine, bypass, or background_scan. Allowed values: |
Example Request
[ { "device_id": ["5523528", "4432574"], "action_type":"BACKGROUND_SCAN", "policy_id":"88514", "sensor_version":{ "RHEL":"2.4.0.3" }, "toggle":"OFF" } ]
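The example request above sends every optional field at once, but the table makes each of them conditional on the action type. The following builder is an added example, not the connector's or VMware's code, that sends only the field the chosen action needs and refuses the request when that field is missing. Key names follow the example request on this page. Two assumptions: action types are compared case-insensitively (the table writes them in lower case, the example in upper case), and Toggle accepts ON or OFF, since this page does not list its allowed values.

```python
"""Build a Perform Action in Device request body, enforcing the conditional
requirements in the parameter table.

Added example, not the connector's or VMware's code. Key names follow the
example request on this page; case-insensitive action types and the ON/OFF
toggle values are assumptions.
"""
from typing import Any, Dict, Iterable, Mapping, Optional

TOGGLE_ACTIONS = {"QUARANTINE", "BYPASS", "BACKGROUND_SCAN"}
ACTION_TYPES = TOGGLE_ACTIONS | {"UPDATE_POLICY", "UPDATE_SENSOR_VERSION"}
TOGGLE_VALUES = {"ON", "OFF"}  # assumed allowed values


def build_device_action(device_ids: Iterable[Any], action_type: str, *,
                        policy_id: Optional[Any] = None,
                        sensor_version: Optional[Mapping[str, str]] = None,
                        toggle: Optional[str] = None) -> Dict[str, Any]:
    """Return the request body, or raise ValueError if a required field is absent."""
    ids = [str(d).strip() for d in device_ids]
    if not ids or not all(i.isdigit() for i in ids):
        raise ValueError("device_id must be a non-empty list of numeric device IDs")
    action = action_type.upper()
    if action not in ACTION_TYPES:
        raise ValueError(f"action_type must be one of {sorted(ACTION_TYPES)}")

    body: Dict[str, Any] = {"device_id": ids, "action_type": action}
    if action == "UPDATE_POLICY":
        if policy_id in (None, ""):
            raise ValueError("policy_id is required for UPDATE_POLICY")
        body["policy_id"] = str(policy_id)
    elif action == "UPDATE_SENSOR_VERSION":
        if not sensor_version:
            raise ValueError("sensor_version is required for UPDATE_SENSOR_VERSION")
        # Passed through unchanged: the page shows both 'rhel' and "RHEL".
        body["sensor_version"] = dict(sensor_version)
    else:  # QUARANTINE, BYPASS, BACKGROUND_SCAN
        tog = (toggle or "").upper()
        if tog not in TOGGLE_VALUES:
            raise ValueError(f"toggle must be one of {sorted(TOGGLE_VALUES)} for {action}")
        body["toggle"] = tog
    return body


def is_valid_device_action(**kwargs: Any) -> bool:
    """True if build_device_action accepts the inputs."""
    try:
        build_device_action(**kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_device_action(["5523528", "4432574"], "background_scan", toggle="OFF"))
```

Bypass mode takes the sensor out of enforcement on the affected devices, so a playbook that can reach this action with `bypass` and `ON` should require an explicit approval step; the builder validates shape, not authorisation.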
Action: Search Alerts
This action searches for alerts in VMware Carbon Black Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search query | Enter the search query. Example: "example.hostname.corp" | Text | Optional | |
Extra params | Enter extra parameters to filter results. | Key Value | Optional | Allowed values: |
Rows | Enter the number of rows to get in response. Example: 100 | Integer | Optional | Default value: 20 |
Example Request
[ { "search_query":"example.hostname.corp", "rows":100 } ]
Action: Search Devices
This action searches the devices in VMware Carbon Black Cloud.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search Query | Enter the search query. Example: "deregistered" | Text | Optional | |
Extra Params | Enter the extra parameters to filter results. | Key Value | Optional | Allowed values: |
Example Request
[ { "search_query":"deregistered" } ]
Action: Bulk Delete Reputation Override
This action is used to bulk delete reputation overrides by reputation ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Reputation ID | Enter a list of reputation override IDs. Example: $LIST[e9410b754ea011ebbfd0db2585a41b07] | List | Required | |
Example Request
[ { "reputation_id": ["e9410b754ea011ebbfd0db2585a41b07"] } ]
Action: Search Reputation Override
This action searches reputation overrides based on override type and override list.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to search. | Text | Optional | |
Override List | Enter the override list. Example: "BLACK_LIST" | Text | Optional | Allowed values: |
Override Type | Enter the override type. Example: "SHA256" | Text | Optional | Allowed values: |
Rows | Enter the number of rows to be retrieved. Example: 20 | Integer | Optional | Default value: 20 |
Sort Order | Enter the sorting order. Example: "asc" | Text | Optional | Allowed values: |
Sort Field | Enter the field to sort by. Example: "override_type" | Text | Optional | Allowed values: |
Start | Enter an offset value. Example: 0 | Integer | Optional | Default value: 0 |
Example Request
[ { "override_type":"SHA256", "override_list":"BLACK_LIST", "rows":20, "sort_order":"asc", "sort_field":"override_type", "start":0 } ]
Action: Generic Action
This is a generic action used to make requests to any VMware Carbon Black Cloud endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Methods | Enter the HTTP method to make the request. | Text | Required | Allowed values: GET, PUT, POST, and DELETE |
Endpoint | Enter the endpoint to make the request to. Example: /api/investigate/v2/orgs/123ABC/processes/search_suggestions | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | |
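The Generic Action combines the instance configuration parameters (Base URL, API ID, API Secret Key, Org Key, Timeout, Verify) with a method, endpoint, query parameters and payload. The following is an added example, not the connector's or VMware's code, of how such a request is assembled and what the configuration rules on this page mean in practice: only the four listed methods, a timeout between 15 and 120 seconds defaulting to 15, and certificate verification on unless Verify is set to no. The `X-Auth-Token` header value `<API Secret Key>/<API ID>` is the Carbon Black Cloud REST API's authentication convention; the `{org_key}` placeholder in the endpoint string, the `redacted()` helper and the https-only check are this example's own additions.

```python
"""Assemble and send a Generic Action request from the instance configuration.

Added example, not the connector's or VMware's code. The {org_key}
placeholder, the https-only check and redacted() are this example's own
conventions; the X-Auth-Token format is the Carbon Black Cloud API's.
"""
import json
import ssl
import urllib.request
from typing import Any, Dict, Mapping, Optional, Tuple
from urllib.parse import urlencode

METHODS = {"GET", "PUT", "POST", "DELETE"}          # allowed values from the table
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15  # range and default from the table


def is_valid_timeout(timeout: int) -> bool:
    return TIMEOUT_MIN <= timeout <= TIMEOUT_MAX


def build_generic_request(base_url: str, api_id: str, api_secret: str,
                          org_key: str, method: str, endpoint: str,
                          query_params: Optional[Mapping[str, Any]] = None,
                          payload: Any = None,
                          timeout: int = TIMEOUT_DEFAULT,
                          verify: bool = True) -> Dict[str, Any]:
    """Return a plain dict describing the HTTP request; nothing is sent here."""
    method = method.upper()
    if method not in METHODS:
        raise ValueError(f"method must be one of {sorted(METHODS)}")
    if not is_valid_timeout(timeout):
        raise ValueError(f"timeout must be between {TIMEOUT_MIN} and {TIMEOUT_MAX} seconds")
    # The API secret key travels in a request header, so a plaintext base URL
    # would hand it to anyone on the path. This check is the example's own.
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must use https")
    path = endpoint.replace("{org_key}", org_key).lstrip("/")
    url = base_url.rstrip("/") + "/" + path
    if query_params:
        url += "?" + urlencode(query_params)
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}", "Accept": "application/json"}
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode("utf-8")
    return {"method": method, "url": url, "headers": headers, "body": body,
            "timeout": timeout, "verify": verify}


def redacted(req: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the request that is safe to write to a playbook log."""
    safe = dict(req, headers=dict(req["headers"]))
    if "X-Auth-Token" in safe["headers"]:
        safe["headers"]["X-Auth-Token"] = "***"
    return safe


def send(req: Dict[str, Any]) -> Tuple[int, Any]:
    """Send with urllib. Certificate checks are skipped only when verify is False."""
    ctx = ssl.create_default_context()
    if not req["verify"]:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    r = urllib.request.Request(req["url"], data=req["body"],
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=req["timeout"], context=ctx) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    req = build_generic_request(
        "https://defense.conferdeploy.net/", "zaCELXXXXXXXXXXXXXtlx", "SECRET",
        "123ABC", "POST",
        "/api/investigate/v2/orgs/{org_key}/processes/search_suggestions",
        {"q": "svchost"}, {"rows": 10})
    print(redacted(req))  # log this, never the raw request
```

Because the Generic Action can reach any endpoint the API key's access level permits, log only the redacted form, keep the API Secret Key in the instance's Password field rather than in playbook variables, and leave Verify enabled so the key is only ever sent to the genuine service.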