VMware Carbon Black Cloud Enterprise EDR 2.0.0
App Vendor: VMware
App Category: Data Enrichment & Threat Intelligence, Forensics & Malware Analysis
Connector Version: 2.0.0
API Version: v1.0, v2.0, v3.0
About App
The VMware Carbon Black Cloud Enterprise EDR app in the Orchestrate application allows security teams to integrate with Carbon Black ThreatHunter (now delivered as Carbon Black Cloud Enterprise EDR) to gain unfiltered endpoint visibility for Security Operations Centers (SOCs) and Incident Response (IR) teams. Carbon Black ThreatHunter is delivered through the Carbon Black Cloud, an endpoint protection platform that consolidates security in the cloud using a single agent, console and dataset.
The VMware Carbon Black Cloud Enterprise EDR app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Get Details of a Watchlist | This action retrieves the details of a watchlist (name, description, tag and alert settings, attached report IDs and classifier). |
Get Details of a Feed | This action retrieves the details of a feed, including its reports. |
Get Details of a Feed Report | This action retrieves a single report, with its IOCs, from a feed. |
Get Information about a Feed | This action retrieves the summary information (feedinfo) of a feed without its reports. |
Get List of Feed Reports | This action retrieves the list of reports in a feed. |
Get a List of Feeds | This action retrieves a list of feeds, optionally including public feeds. |
Get List of All Watchlists | This action retrieves a list of all watchlists in the organization. |
Search Feeds | This action searches feeds by a query string. |
Update Watchlist | This action updates the name, description, tag and alert settings, attached reports or classifier of a watchlist. |
Get IOC Ignore Status | This action retrieves the current ignore status of an IOC in a given report. |
Ignore IOC | This action ignores an IOC in a report, so it no longer generates watchlist hits or alerts. |
Re-activate IOC | This action re-activates a previously ignored IOC so it generates hits and alerts again. |
Configuration Parameters
The following configuration parameters are required for the VMware Carbon Black Cloud Enterprise EDR app to communicate with the Carbon Black Cloud enterprise application. The parameters are configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of the Carbon Black Cloud environment that hosts your organization. Example: "https://defense.conferdeploy.net" | Text | Required | |
API ID | Enter the API ID. | Password | Required | Create a custom API key in the Carbon Black Cloud Console under Settings > API Access and assign it an access level scoped to the watchlist and feed permissions these actions need (read for the Get and Search actions; update for Update Watchlist, Ignore IOC and Re-activate IOC). Do not reuse an administrator-level key. |
API Secret Key | Enter the API secret key. | Password | Required | Issued together with the API ID; it is shown once at creation and must be stored as a secret. The ID and secret must belong to the same key. |
Org Key | Enter the org key. | Text | Required | You can find your Org Key in the Carbon Black Cloud Console under Settings > API Access. |
Action: Get Details of a Watchlist
This action retrieves the details of a watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: "r4cmgfihraakgk749mrr6q" | Text | Required | |
Example Request
[ { "watchlist_id": "r4cmgfihraakgk749mrr6q" } ]
Action: Get Details of a Feed
This action retrieves the details of a feed, including its reports.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. Example: "fghijklmnopqrstuvwxyz" | Text | Required | |
Example Request
[ { "feed_id": "fghijklmnopqrstuvwxyz" } ]
Action: Get Details of a Feed Report
This action retrieves a single report, with its IOCs, from a feed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. Example: "fghijklmnopqrstuvwxyz" | Text | Required | |
Report ID | Enter the report ID. Example: "uzdbbhfptamjbzgqcwuhew" | Text | Required | |
Example Request
[ { "feed_id": "fghijklmnopqrstuvwxyz", "report_id": "uzdbbhfptamjbzgqcwuhew" } ]
Action: Get Information about a Feed
This action retrieves the summary information (feedinfo) of a feed without its reports.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. Example: "fghijklmnopqrstuvwxyz" | Text | Required | |
Example Request
[ { "feed_id": "fghijklmnopqrstuvwxyz" } ]
Action: Get List of Feed Reports
This action retrieves the list of reports in a feed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Feed ID | Enter the feed ID. Example: "fghijklmnopqrstuvwxyz" | Text | Required | |
Example Request
[ { "feed_id": "fghijklmnopqrstuvwxyz" } ]
Action: Get a List of Feeds
This action retrieves a list of feeds. By default only the organization's own feeds are returned; set Public Feeds to true to include the public feeds as well.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Public Feeds | Enter true to include public feeds. Example: true | Boolean | Optional | Allowed values: true, false. Default value: false |
Example Request
[ { "public_feeds": "true" } ]
Action: Get List of All Watchlists
This action retrieves a list of watchlists.
Action Input Parameters
This action does not require any input parameter.
Action: Search Feeds
This action searches feeds by a query string.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Search Query | Enter the search query. Example: "url" | Any | Required | |
Extra Params | Enter additional query parameters as key-value pairs. | Key Value | Optional | Allowed keys: |
Example Request
[ { "search_query": "url" } ]
Action: Update Watchlist
This action updates a watchlist. Only the Watchlist ID is required; the remaining parameters set the fields to change.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Watchlist ID | Enter the watchlist ID. Example: "r4cmgfihraakgk749mrr6q" | Text | Required | |
Name | Enter the name of a watchlist. Example: "sample_watchlist" | Text | Optional | |
Description | Enter the watchlist description. Example: "updated watchlist subscribed to a feed" | Text | Optional | |
Enable Tags | Enter true to enable tags for a watchlist. Example: true | Boolean | Optional | Allowed values: true, false |
Enable Alerts | Enter true to enable alerts for a watchlist. Example: true | Boolean | Optional | Allowed values: true, false |
Report IDs | Enter the report IDs to attach to a watchlist. Example: $LIST[uzdbbhfptamjbzgqcwuhew, wzdbbhfpxxajugbzgqcwuhew] | List | Optional | |
Classifier | Enter the watchlist classifier as a key and value pair. Example: {"key": "feed_id", "value": "fghijklmnopqrstuvwxyz"} | Key Value | Optional | |
Example Request
[ { "watchlist_id": "r4cmgfihraakgk749mrr6q", "name": "sample_watchlist", "description": "updated watchlist subscribed to a feed", "tags_enable": "true", "alerts_enabled": "true", "report_ids": ["uzdbbhfptamjbzgqcwuhew", "wzdbbhfpxxajugbzgqcwuhew"], "classifier": {"key": "feed_id", "value": "fghijklmnopqrstuvwxyz"} } ]
Action: Get IOC Ignore Status
This action retrieves the current ignore status of an IOC in a given report. Ignore status is tracked per report and IOC, not per watchlist.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC ID | Enter the IOC ID. Example: "dbba26e0-d2a2-4de2-9691-a44392dedf38-0" | Text | Required | |
Report ID | Enter the report ID. Example: "uzdbbhfptamjbzgqcwuhew" | Text | Required | |
Example Request
[ { "ioc_id": "dbba26e0-d2a2-4de2-9691-a44392dedf38-0", "report_id": "uzdbbhfptamjbzgqcwuhew" } ]
Action: Ignore IOC
This action ignores an IOC in a report, so it no longer generates watchlist hits or alerts. Because this suppresses detections, confirm the result with Get IOC Ignore Status and record who requested the change and why.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC ID | Enter the IOC ID. Example: "dbba26e0-d2a2-4de2-9691-a44392dedf38-0" | Text | Required | |
Report ID | Enter the report ID. Example: "uzdbbhfptamjbzgqcwuhew" | Text | Required | |
Example Request
[ { "ioc_id": "dbba26e0-d2a2-4de2-9691-a44392dedf38-0", "report_id": "uzdbbhfptamjbzgqcwuhew" } ]
Action: Re-activate IOC
This action re-activates a previously ignored IOC in a report so it generates hits and alerts again.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC ID | Enter the IOC ID. Example: "dbba26e0-d2a2-4de2-9691-a44392dedf38-0" | Text | Required | |
Report ID | Enter the report ID. Example: "uzdbbhfptamjbzgqcwuhew" | Text | Required | |
Example Request
[ { "ioc_id": "dbba26e0-d2a2-4de2-9691-a44392dedf38-0", "report_id": "uzdbbhfptamjbzgqcwuhew" } ]
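As an added worked example (not the Orchestrate connector's own code and not VMware's), the following Python maps the configuration parameters and every action on this page onto the Carbon Black Cloud Enterprise EDR REST endpoints. The X-Auth-Token format and the watchlistmgr/feedmgr paths are those of the public Carbon Black Cloud API; the include_public query parameter and the "ignored" field in the status reply are how this example models the API and should be checked against the current API reference. FakeCbc, its watchlist data and the IDs (reused from the example requests above) are constructed so the script runs offline. It also shows two things the action tables leave implicit: Update Watchlist replaces the whole object, so fields the playbook does not supply have to be read back and merged before the PUT; and Ignore IOC and Re-activate IOC are followed by a status read so the playbook records what the server actually did.

```python
"""Client for the watchlist, feed and IOC-ignore actions above. Added example, not
the connector's code; paths follow the public CBC API, FakeCbc and IDs are constructed."""
import json
import urllib.request


def _http(method, url, headers, body):
    # Default transport: one HTTPS call, JSON reply decoded (empty body -> {}).
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class CbcEdrClient:
    # Fields the v3 watchlist PUT carries; Update Watchlist merges into them.
    FIELDS = ("name", "description", "tags_enabled", "alerts_enabled",
              "report_ids", "classifier")

    def __init__(self, base_url, api_id, api_secret, org_key, transport=_http):
        self.base, self.org, self._send = base_url.rstrip("/"), org_key, transport
        # A custom API key authenticates as "<API Secret Key>/<API ID>".
        self.headers = {"X-Auth-Token": f"{api_secret}/{api_id}", "Content-Type": "application/json"}

    def _wl(self, path):
        return f"{self.base}/threathunter/watchlistmgr/v3/orgs/{self.org}/{path}"

    def _feed(self, path=""):
        return f"{self.base}/threathunter/feedmgr/v2/orgs/{self.org}/feeds" + (f"/{path}" if path else "")

    def _call(self, method, url, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        return self._send(method, url, dict(self.headers), body)

    # Read-only actions: one GET each.
    def list_watchlists(self): return self._call("GET", self._wl("watchlists"))
    def get_watchlist(self, wid): return self._call("GET", self._wl(f"watchlists/{wid}"))
    def list_feeds(self, public_feeds=False):
        return self._call("GET", self._feed() + ("?include_public=true" if public_feeds else ""))
    def get_feed(self, fid): return self._call("GET", self._feed(fid))  # feed plus reports
    def get_feed_info(self, fid): return self._call("GET", self._feed(f"{fid}/feedinfo"))  # metadata only
    def list_feed_reports(self, fid): return self._call("GET", self._feed(f"{fid}/reports"))
    def get_feed_report(self, fid, rid): return self._call("GET", self._feed(f"{fid}/reports/{rid}"))

    def update_watchlist(self, wid, **changes):
        # PUT replaces the whole watchlist: read, merge only supplied fields, write back.
        unknown = set(changes) - set(self.FIELDS)
        if unknown:
            raise ValueError(f"unsupported watchlist fields: {sorted(unknown)}")
        current = self.get_watchlist(wid)
        body = {k: changes.get(k, current.get(k)) for k in self.FIELDS}
        return self._call("PUT", self._wl(f"watchlists/{wid}"), body)

    def _ioc(self, rid, ioc):  # ignore state is held per report and IOC
        return self._wl(f"reports/{rid}/iocs/{ioc}/ignore")

    def ioc_ignore_status(self, rid, ioc):
        return bool(self._call("GET", self._ioc(rid, ioc)).get("ignored"))

    def set_ioc_ignored(self, rid, ioc, ignored):
        # Ignore (PUT) or re-activate (DELETE), then re-read so the playbook logs the real state.
        self._call("PUT" if ignored else "DELETE", self._ioc(rid, ioc))
        return self.ioc_ignore_status(rid, ioc)


class FakeCbc:
    """Constructed in-memory stand-in for the API so the flow runs offline."""
    def __init__(self):
        self.watchlists = {"r4cmgfihraakgk749mrr6q": {
            "name": "sample_watchlist", "description": "subscribed to a feed",
            "tags_enabled": True, "alerts_enabled": False,
            "report_ids": ["uzdbbhfptamjbzgqcwuhew"],
            "classifier": {"key": "feed_id", "value": "fghijklmnopqrstuvwxyz"}}}
        self.ignored, self.calls = set(), []  # calls: (method, url, token, body)

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers["X-Auth-Token"], body))
        tail = url.split("/orgs/", 1)[1].split("/", 1)[1]  # drop base URL and org key
        if tail.endswith("/ignore"):
            key = tail[: -len("/ignore")]
            if method == "PUT": self.ignored.add(key)
            elif method == "DELETE": self.ignored.discard(key)
            return {"ignored": key in self.ignored}
        if tail.startswith("watchlists/"):
            wid = tail.split("/")[1]
            if method == "PUT": self.watchlists[wid].update(json.loads(body))
            return dict(self.watchlists[wid])
        return {}


def demo():
    fake = FakeCbc()
    c = CbcEdrClient("https://defense.conferdeploy.net/", "ID", "SECRET", "ORGKEY", fake)
    wl = c.update_watchlist("r4cmgfihraakgk749mrr6q", alerts_enabled=True)
    rid, ioc = "uzdbbhfptamjbzgqcwuhew", "dbba26e0-d2a2-4de2-9691-a44392dedf38-0"
    before = c.ioc_ignore_status(rid, ioc)
    ignored = c.set_ioc_ignored(rid, ioc, True)
    reactivated = c.set_ioc_ignored(rid, ioc, False)
    return wl, before, ignored, reactivated, fake
```

Calling demo() runs the Update Watchlist, Ignore IOC and Re-activate IOC flow against FakeCbc and returns the merged watchlist plus the three status reads (False, True, False); swapping FakeCbc for the default transport sends the same requests to a real environment. The merge in update_watchlist is what keeps a playbook that only sets Enable Alerts from wiping the watchlist's name, report IDs and classifier.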