
CLOUD CONNECTOR
VMware Carbon Black Endpoint Detection and Response
VMware Carbon Black EDR (formerly CarbonBlack Response) is an incident response and threat hunting solution designed for security operations center (SOC) teams with offline environments or on-premises requirements.
Securonix integrates with the Carbon Black Response API v6.3+ to retrieve additional threat information, enable automated and semi-automated response to threat events, and add context to threat events.
CarbonBlack Response API 6.3+ Request | Required Input Parameters | Relevant Response Items (Generally JSON) | Related Threats/Use Cases | Details |
---|---|---|---|---|
PROCESS | | | | |
Process Search | Process query string | List of matching processes, tagged process IDs (with events under investigation), Process Object details, processing time | Additional Event Context, Malware | Process search. Supports several optional parameters |
Process Summary | Process ID, Segment ID | Process details, Process Summary Object, processing time | Additional Event Context, Malware | Gets basic process information for a particular segment of a process |
Process Segment Details | Process ID | Complete process segment information, processing time | Additional Event Context, Malware | Provides a listing of the process along with all segments |
Process Event Details | Process ID, Segment ID | Process Summary Object (containing items such as the command line of the process, hostname, process name e.g. svchost.exe, OS, etc.) | Additional Event Context, Malware | Gets the events for the process and segment ID specified |
Process Preview | Process ID, Segment ID | Process Preview Object (containing items such as the path, hostname, process name e.g. svchost.exe, OS, etc.) | Additional Event Context, Malware | Generates a process preview |
Collective Defense Cloud Query | Process ID, Segment ID | Information on Indicators of Compromise (IOCs): IP addresses, domains or file hashes | Additional Event Context, Threat Intelligence, Malware | Queries the CB Response Collective Defense Cloud for more information on potential IOCs matched by the selected process |
Binary Data | Binary query string | Results, terms, highlights, Binary Object (containing MD5 hash, file size, file type, product version and name, file version, company name, original filename, digital signature details, signature status) | Additional Event Context, Threat Intelligence, Malware | Binary search |
Download Binary | Binary MD5 hash | Zip file containing binary bytes and a text file | Malware | Binary download |
Retrieve Binary Icon | Binary MD5 hash | Icon file | Additional Event Context, Threat Intelligence, Malware | Binary icon retrieval |
Retrieve Binary Metadata | Binary MD5 hash | Metadata object containing MD5 hash, file size, file type, product version and name, file version, company name, original filename, digital signature details, signature status, VirusTotal results, Software Reputation Service score, Threat Indicators Service score | Additional Event Context, Threat Intelligence, Malware | Returns the metadata for the binary with the provided MD5 |
ALERTS | | | | |
Search Alerts | Alert query string | User name, alert type, sensor criticality, reported score, watchlist ID, feed name, created time and date, IOC type and confidence, alert severity, process path, description, OS | Additional Event Context, Threat Intelligence, Malware | Alert search |
Update/Resolve Alerts | Alert ID, Status | Alert description | Additional Event Context, Threat Intelligence, Malware, Insider Threat, Account Compromise | Alert update and resolution |
ADMINISTRATIVE | | | | |
Server License | POST (CB License) | License validity, sensor count, license renewal information | Additional Event Context | License status and application |
CB Enterprise Protection Integration | None | Server URL, SSL certificate verification, watchlist export to Platform Server, authentication token | Insider Threat, Account Compromise | Get and set the configuration details of the Carbon Black Enterprise Protection server. These details are used for CB Enterprise Response Server integration with the CB Enterprise Protection Server |
BANNING | | | | |
Ban Binary by Hash | MD5 hash | Username (owner of blacklist), text (blacklist description), blacklisted MD5 hash, blacklist block count, last block sensor ID/time/hostname | Insider Threat, Account Compromise | Blacklist a specified MD5 hash |
WATCHLIST & FEEDS | | | | |
Watchlist Operations | Watchlist ID | Watchlist ID, name, last hit, last hit count, type of watchlist | Insider Threat, Account Compromise | Watchlist enumeration, creation, modification, and deletion |
Feed Operations | Feed ID | Feed URL, provider URL, summary, internal feed ID, proxy use | Insider Threat, Account Compromise | Feed enumeration, creation, modification, and deletion |
THREAT REPORTS | | | | |
Search Threat Reports | Threat query | Threat report search results | Additional Event Context, Malware | Each feed contains zero or more threat reports. The Search Threat Report API route allows searches on the content of these threat reports |
Bulk Modify Threat Reports | Query or Threat ID list | Success (HTTP 200) | Insider Threat, Account Compromise | Allows modification of multiple threat reports. The only property that can be modified in a threat report is the is_ignored property. By setting is_ignored to True for a threat report, any further hits on IOCs contained within that report will no longer trigger an alert |
SENSORS/ENDPOINTS | | | | |
Retrieve/Modify Sensor Details | Sensor ID (default: all sensors) | Sensor build ID, sensor ID, system volume (endpoint) information, OS, physical memory, DNS name, machine SID, last check-in time, event log flush time, sensor registration time, sensor health | Insider Threat, Account Compromise | Sensor/remote client details |
Download Sensor Installer | Specific endpoint (Windows/OS X/Linux) | Zip archive containing sensor installer | Malware | Download the installation file for the sensor |
Get Sensor Statistics | None | Sensor count, active sensor count, event log backlog, binary file backlog | None | Get global sensor statistics |
INGRESS WATCHLIST | | | | |
Ingress Watchlist | Exclusion ID | Filter identifier, create/modify timestamp, create/modify user ID, version, priority, hit rate, name, description, OSs to apply to, filters to use | Insider Threat, Account Compromise | Get, update, create, or delete exclusions |
CB RESPONSE CLOUD IP WHITELISTING | | | | |
Whitelisting API Routes | IP address | Add/delete/list all whitelisted IP addresses | Insider Threat, Account Compromise | Add, delete or list all whitelisted IP addresses |
TIME PARTITIONING | | | | |
Time Partitioning | None | List of time partitions: name and status, location, size, document counts, schema | Insider Threat, Account Compromise | Returns the list of partitions as JSON. Each partition has a name and status, as well as an info block stating location, size, document counts, schema, etc. Note: cold partitions will not list numDocs, maxDocs and deletedDocs |
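As an added illustration of the Process Search and Ban Binary by Hash rows above (example code written for this page, not Securonix's connector or Carbon Black's own client), the following builds the two requests, pulls the context fields the table lists out of a search reply, and de-duplicates hashes before banning. The route paths `/api/v1/process` and `/api/v1/banning/blacklist`, the `X-Auth-Token` header and the `md5hash`/`text` body keys are assumed from the public CB Response REST API; the search reply is constructed sample data.

```python
import re
from urllib.parse import urlencode

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample of a process-search reply (not captured from a real server).
SAMPLE_SEARCH = {
    "total_results": 2, "elapsed": 0.012, "terms": ["process_name:svchost.exe"],
    "results": [
        {"id": "00000001-0000-1234-01d0-000000000000", "segment_id": 1,
         "hostname": "WS-042", "process_name": "svchost.exe",
         "path": "c:\\users\\public\\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
         "username": "CORP\\jdoe", "process_md5": "d41d8cd98f00b204e9800998ecf8427e",
         "os_type": "windows"},
        {"id": "00000002-0000-1234-01d0-000000000000", "segment_id": 1,
         "hostname": "WS-077", "process_name": "svchost.exe",
         "path": "c:\\users\\public\\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
         "username": "CORP\\asmith", "process_md5": "D41D8CD98F00B204E9800998ECF8427E",
         "os_type": "windows"},
    ],
}

def is_md5(value):
    """Reject anything that is not 32 hex characters before it reaches the blacklist."""
    return bool(HEX32.match(value or ""))

def process_search_request(base_url, token, query, rows=10):
    """Describe the GET /api/v1/process?q=... call (route assumed, see lead-in)."""
    qs = urlencode({"q": query, "rows": rows})
    return {"method": "GET", "url": f"{base_url.rstrip('/')}/api/v1/process?{qs}",
            "headers": {"X-Auth-Token": token}}

def extract_context(search_json):
    """Keep only the fields the table names as event context for each matching process."""
    wanted = ("id", "segment_id", "hostname", "process_name", "path", "cmdline",
              "username", "process_md5", "os_type")
    return [{k: r.get(k) for k in wanted} for r in search_json.get("results", [])]

def ban_requests(base_url, token, search_json, reason):
    """One POST /api/v1/banning/blacklist per distinct, well-formed MD5 (route assumed)."""
    requests, seen = [], set()
    for ctx in extract_context(search_json):
        md5 = (ctx["process_md5"] or "").lower()
        if not is_md5(md5) or md5 in seen:
            continue                      # skip malformed hashes and duplicates across hosts
        seen.add(md5)
        requests.append({"method": "POST",
                         "url": f"{base_url.rstrip('/')}/api/v1/banning/blacklist",
                         "headers": {"X-Auth-Token": token, "Content-Type": "application/json"},
                         "body": {"md5hash": md5, "text": reason}})
    return requests
```

The `body` dict is what would be JSON-serialised for the POST; sending it is left to whatever HTTP client the connector uses.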