Skip to main content

Cyware Orchestrate

VMware Carbon Black Response 2.0.0

App Vendor: VMware

App Category: Analytics & SIEM

Connector Version: 2.0.0

API Version: 1.0.0

About App

VMware Carbon Black Response app enables security teams to integrate with the VMware Carbon Black Response enterprise version, allowing them to view and edit alerts, feeds, and reports.

This app is configured with Orchestrate application to perform the following actions:

Action

Description

Binary Search

This action performs a search to retrieve the binary data using a query.

Get Watchlist Data

This action retrieves watchlist data using the watchlist ID.

Get All Watchlists

This action retrieves all the watchlisted data.

Bulk Update Alerts

This action performs a bulk update for a list of alert IDs.

Update Alert

This action updates an alert using the alert ID.

Search Alerts

This action performs a search to retrieve alerts using a query.

Get Binary Metadata

This action retrieves the binary metadata using the hash value.

Get Banned Hashes

This action retrieves all the banned hashes from Carbon Black.

Ban MD5 Hash

This action bans an MD5 hash using the hash value and other ban details.

Get Feed By ID

This action retrieves the feed details using the feed ID.

Get Feeds

This action retrieves all the feed details.

Search Threat Reports

This action performs a search to retrieve the threat reports in Carbon Black.

Get Process Preview

This action retrieves the process preview data using the segment ID and process ID.

Get Event Details

This action retrieves event details using the segment ID and process ID.

Get Segment Details

This action retrieves the segment details using the process ID.

Get Process Summary

This action retrieves the process summary details using the segment ID and process ID.

Process Search

This action performs a search to retrieve all the processes on Carbon Black On-Prem application using a query.

List Sensors

This action retrieves a list of sensors.

Get Sensor Details

This action retrieves the details of a sensor.

Get Global Sensor Statistics

This action retrieves the global sensor statistics.

Update Sensor Details

This action updates the details of a sensor.

Configuration Parameters

The following configuration parameters are required for the Vmware Carbon Black app to communicate with the Vmware Carbon Black enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL

Enter the Carbon Black base URL to authenticate with.

Example:

"https://<cb_defense_api_host>/integrationServices"

Text

Required

API Key

Enter the Carbon Black API key.

Example:

"XXXX972a2167c93df3372de34c2fb18bae5d319a"

Password

Required

Verify

Choose whether to verify SSL certificate or not.

Text

Required

Allowed values:

  • Yes

  • No

Action: Get Watchlist Data

This action retrieves the watchlist data using the watchlist ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Watchlist ID

Enter the watchlist ID to fetch the watchlist data.

Example:

414

Integer

Required

You can retrieve the watchlist ID using the Get All Watchlists action.

Example Request

[
    {
        "watchlist_id": "414"
    }
]
Action: Get All Watchlists

This action retrieves all the watchlists owned by the caller.

Action Input Parameters

This action does not require any input parameters.

Action: Bulk Update Alerts

This action performs a bulk update for a list of alert IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query

Enter the query as key-value pairs to perform a bulk update on alerts.

Example:

"cb.urlver=1&cb.fq.status=unresolved&sort=alert_severity%20desc&rows=10"

Text

Optional

Alert IDs

Enter the list of alert IDs.

Example:

["id1", "id2"]

List

Optional

Requested Status

Enter the requested status.

Example:

"Resolved"

Text

Optional

Allowed values:

  • Resolved

  • Unresolved

  • In Progress

  • False Positive

Set Ignored

Set the status to ignore the alerts or not.

Boolean

Optional

Allowed values:

  • True

  • False

Assigned To

Enter the analyst to assign to.

"cbadmin"

Text

Optional

Example Request

[
    {
        "assigned_to": "cbadmin",
        "set_ignored": false,
        "alert_id_list": [
            "e17ad49b-1ee2-4b47-bd03-52be64ac0a78"
        ],
        "requested_status": "Resolved"
    }
]
Action: Update Alert

This action updates an alert using the alert ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert ID

Enter the alert ID to update.

Example:

"221612a9-897a-47a3-9e44-7833e5d11a53"

Text

Required

Status

Enter the status of the alert to update.

Example:

"Resolved"

Text

Required

Allowed values:

  • Resolved

  • Unresolved

  • In Progress

  • False Positive

Example Request

[
    {
        "status": "Resolved",
        "alert_id": "221612a9-897a-47a3-9e44-7833e5d11a53"
    }
]
Action: Search Alerts

This action can be used to search alerts in carbon black.

Parameter

Description

Field Type

Required/Optional

Comments

Query

Enter the query as key value pairs to search.

Text

Required

See Advanced Searches for the supported query strings.

Rows

Enter the number of rows to return in the results.

Example:

10

Integer

Optional

Default value:

10

Start

Enter the row number to start the search from.

Integer

Optional

Default value:

0

Note: You can also pass other optional parameters such as Sort and Facet to search for alerts.

Example Request

[
    "start": 0,
    "rows": 10, 
    {
        "query": "status:*",
    }
]
Action: Get Binary Metadata

This action retrieves the binary metadata using the hash value.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Hash Value

Enter the hash value to retrieve the binary metadata.

Example:

"586E1B7CAF47A43F5BE28968DD4A7329"

Integer

Required

Example Request

[
    {
        "hash_value": "586E1B7CAF47A43F5BE28968DD4A7329"
    }
]
Action: Get Banned Hashes

This action retrieves all the banned hashes from Carbon Black.

Action Input Parameters

This action does not require any input parameters.

Action: Ban MD5 Hash

This action bans an MD5 hash using the hash value and other ban details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Hash Value

Enter the hash value to ban.

Example:

"3e8742cc224c0d291d5a18471adba02e"

Text

Required

Description

Enter the description of the hash.

Example:

"Test Description"

Text

Required

Last Ban Time

Enter the last ban time.

Example:

1529332687006

Text

Required

Enter the Ban Count

Enter the ban count.

Example:

0

Integer

Required

Last Ban Host

Enter the last ban host.

Example:

111

Text

Required

Example Request

[
    {
        "ban_count": "0",
        "hash_value": "3e8742cc224c0d291d5a18471adba02e",
        "description": "Evil Image 3",
        "last_ban_host": "111",
        "last_ban_time": "1529332687006"
    }
]
Action: Get Feed By ID

This action retrieves the feed details using the feed ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Feed ID

Enter the feed ID to fetch the feed details.

Example:

80190

Integer

Required

You can retrieve the feed ID using Get Feeds action.

Example Request

[
    {
        "feed_id": "80910"
    }
]
Action: Get Feeds

This action retrieves all the feed details.

Action Input Parameters

This action does not require any input parameters.

Action: Search Threat Reports

This action performs a search to retrieve the threat reports in Carbon Black.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Query

Enter the query in key-value pairs to search reports.

Example:

"create_time:*"

Text

Required

See Advanced Searches for the supported query strings.

Rows

Enter the number of rows to return in the results.

Example:

10

Integer

Optional

Default value:

10

Start

Enter the row number to start the search from.

Integer

Optional

Default value:

0

Note: You can also pass other optional parameters such as Sort and Facet to search for threat reports.

Example Request

[
    "start": 0,
    "rows": 10,
    {
        "query": "create_time:*"
    }
]
Action: Get Process Summary

This action retrieves the process summary details using the segment ID and process ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Segment ID

Enter the segment ID to retrieve the process summary.

Example:

00000001-0000-0725-01d7-851d56b35250

Integer

Required

You can retrieve the segment ID using the Get Segment Details action.

Process ID

Enter the process ID to retrieve the process summary.

Example:

1627885204885

Integer

Required

You can retrieve the process ID using the Process Search action.

Example Request

[
    {
        "process_id": "00000001-0000-0725-01d7-851d56b35250",
        "segment_id": "1627885204885"
    }
]
Action: Get Event Details

This action retrieves event details using the segment ID and process ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Segment ID

Enter the segment ID to retrieve the event data.

Example:

"1627885204885"

Integer

Required

You can retrieve the segment ID using the Get Segment Details action.

Process ID

Enter the process ID to retrieve the event data.

Example:

"00000001-0000-0725-01d7-851d56b35250"

Integer

Required

You can retrieve the process ID using the Process Search action.

Example Request

[
    {
        "process_id": "00000001-0000-0725-01d7-851d56b35250",
        "segment_id": "1627885204885"
    }
]
Action: Get Segment Details

This action retrieves the segment details using the process ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Process ID

Enter the process ID to retrieve the segment details.

Example:

"00000001-0000-0725-01d7-851d56b35250"

Integer

Required

You can retrieve the process ID using the Process Search action.

Example Request

[
    {
        "process_id": "00000001-0000-0725-01d7-851d56b35250"
    }
]
Action: Get Process Summary

This action retrieves the process summary details using the segment ID and process ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Segment ID

Enter the segment ID to retrieve the process summary.

Example:

00000001-0000-0725-01d7-851d56b35250

Integer

Required

You can retrieve the segment ID using the Get Segment Details action.

Process ID

Enter the process ID to retrieve the process summary.

Example:

1627885204885

Integer

Required

You can retrieve the process ID using the Process Search action.

Example Request

[
    {
        "process_id": "00000001-0000-0725-01d7-851d56b35250",
        "segment_id": "1627885204885"
    }
]
List Sensors

This action retrieves a list of sensors.

Action Input Parameters

This action does not require any input parameters.

Get Sensor Details

This action retrieves the details of a sensor.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Sensor ID

Enter a sensor ID to retrieve the details of a sensor.

Example:

12

Integer

Required

Example Request

[
   {
      "sensor_id": 12
   }
]
Get Global Sensor Statistics

This action retrieves the global sensor statistics.

Action Input Parameters

This action does not require any input parameters.

Update Sensor Details

This action updates the details of a sensor.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Sensor ID

Enter a sensor ID to update the details of a sensor.

Example:

12

Integer

Required

Payload

Enter the payload (information that you need to update with) in JSON format.

Example:

$JSON[{"group_id":123}]

Any

Required

Allowed keys:

  • network_isolation_enabled

  • restart_queued

  • uninstall, liveresponse_init

  • group_id

  • notes

  • event_log_flush_time

Example Request

[
   {
      "sensor_id": 12,
      "payload":{
         "group_id": 123
      }
   }
]