CLOUD CONNECTOR

VMware Carbon Black Endpoint Detection and Response

VMware Carbon Black EDR (formerly Carbon Black Response) is an incident response and threat hunting solution designed for security operations center (SOC) teams with offline environments or on-premises requirements.

Securonix integrates with the Carbon Black Response API (server version 6.3+) to pull additional threat information, add context to threat events, and enable automated or semi-automated response to those events.

The Carbon Black Response API 6.3+ requests used by the integration are listed below. For each request: the required input parameters, the relevant response items (generally JSON), the related threats/use cases, and details.

PROCESS

Process Search
  Input: process query string
  Response: list of matching processes, tagged process IDs (with events under investigation), process object details, processing time
  Use cases: Additional Event Context, Malware
  Details: process search; supports several optional parameters

Process Summary
  Input: process ID, segment ID
  Response: process details, process summary object, processing time
  Use cases: Additional Event Context, Malware
  Details: gets basic process information for a particular segment of a process

Process Segment Details
  Input: process ID
  Response: complete process segment information, processing time
  Use cases: Additional Event Context, Malware
  Details: lists the process along with all of its segments

Process Event Details
  Input: process ID, segment ID
  Response: process summary object (command line of the process, hostname, process name e.g. svchost.exe, OS, etc.)
  Use cases: Additional Event Context, Malware
  Details: gets the events for the specified process and segment ID

Process Preview
  Input: process ID, segment ID
  Response: process preview object (path, hostname, process name e.g. svchost.exe, OS, etc.)
  Use cases: Additional Event Context, Malware
  Details: generates a process preview

Collective Defense Cloud Query
  Input: process ID, segment ID
  Response: information on indicators of compromise (IOCs): IP addresses, domains or file hashes
  Use cases: Additional Event Context, Threat Intelligence, Malware
  Details: queries the CB Response Collective Defense Cloud for more information on potential IOCs matched by the selected process

Binary Data
  Input: binary query string
  Response: results, terms, highlights, binary object (MD5 hash, file size, file type, product version and name, file version, company name, original filename, digital signature details, signature status)
  Use cases: Additional Event Context, Threat Intelligence, Malware
  Details: binary search

Download Binary
  Input: binary MD5 hash
  Response: zip file containing the binary bytes and a text file
  Use cases: Malware
  Details: binary download

Retrieve Binary Icon
  Input: binary MD5 hash
  Response: icon file
  Use cases: Additional Event Context, Threat Intelligence, Malware
  Details: binary icon retrieval

Retrieve Binary Metadata
  Input: binary MD5 hash
  Response: metadata object (MD5 hash, file size, file type, product version and name, file version, company name, original filename, digital signature details, signature status, VirusTotal results, Software Reputation Service score, Threat Indicators Service score)
  Use cases: Additional Event Context, Threat Intelligence, Malware
  Details: returns the metadata for the binary with the provided MD5

ALERTS

Search Alerts
  Input: alert query string
  Response: user name, alert type, sensor criticality, reported score, watchlist ID, feed name, created time and date, IOC type and confidence, alert severity, process path, description, OS
  Use cases: Additional Event Context, Threat Intelligence, Malware
  Details: alert search

Update/Resolve Alerts
  Input: alert ID, status
  Response: alert description
  Use cases: Additional Event Context, Threat Intelligence, Malware, Insider Threat, Account Compromise
  Details: alert update and resolution

ADMINISTRATIVE

Server License
  Input: POST (CB license)
  Response: license validity, sensor count, license renewal information
  Use cases: Additional Event Context
  Details: license status and application

CB Enterprise Protection Integration
  Input: none
  Response: server URL, SSL certificate verification, watchlist export to Platform Server, authentication token
  Use cases: Insider Threat, Account Compromise
  Details: gets and sets the configuration details of the Carbon Black Enterprise Protection server; these details are used for the CB Response server's integration with the CB Enterprise Protection server

BANNING

Ban Binary by Hash
  Input: MD5 hash
  Response: username (owner of the blacklist entry), text (blacklist description), blacklisted MD5 hash, blacklist block count, last block sensor ID/time/hostname
  Use cases: Insider Threat, Account Compromise
  Details: blacklists the specified MD5 hash

WATCHLIST & FEEDS

Watchlist Operations
  Input: watchlist ID
  Response: watchlist ID, name, last hit, last hit count, type of watchlist
  Use cases: Insider Threat, Account Compromise
  Details: watchlist enumeration, creation, modification and deletion

Feed Operations
  Input: feed ID
  Response: feed URL, provider URL, summary, internal feed ID, proxy use
  Use cases: Insider Threat, Account Compromise
  Details: feed enumeration, creation, modification and deletion

THREAT REPORTS

Search Threat Reports
  Input: threat query
  Response: threat report search results
  Use cases: Additional Event Context, Malware
  Details: each feed contains zero or more threat reports; this route searches the content of those threat reports

Bulk Modify Threat Reports
  Input: query or threat ID list
  Response: success (HTTP 200)
  Use cases: Insider Threat, Account Compromise
  Details: modifies multiple threat reports at once. The only property that can be modified on a threat report is is_ignored; once is_ignored is set to true for a report, further hits on the IOCs it contains no longer trigger an alert

SENSORS/ENDPOINTS

Retrieve/Modify Sensor Details
  Input: sensor ID (default: all sensors)
  Response: sensor build ID, sensor ID, system volume (endpoint) information, OS, physical memory, DNS name, machine SID, last check-in time, event log flush time, sensor registration time, sensor health
  Use cases: Insider Threat, Account Compromise
  Details: sensor/remote client details

Download Sensor Installer
  Input: endpoint platform (Windows/OS X/Linux)
  Response: zip archive containing the sensor installer
  Use cases: Malware
  Details: downloads the installation file for the sensor

Get Sensor Statistics
  Input: none
  Response: sensor count, active sensor count, event log backlog, binary file backlog
  Use cases: none
  Details: global sensor statistics

INGRESS WATCHLIST

Ingress Watchlist
  Input: exclusion ID
  Response: filter identifier, create/modify timestamp, create/modify user ID, version, priority, hit rate, name, description, OSs to apply to, filters to use
  Use cases: Insider Threat, Account Compromise
  Details: get, update, create or delete exclusions

CB RESPONSE CLOUD IP WHITELISTING

Whitelisting API Routes
  Input: IP address
  Response: the list of whitelisted IP addresses
  Use cases: Insider Threat, Account Compromise
  Details: add, delete or list whitelisted IP addresses

TIME PARTITIONING

Time Partitioning
  Input: none
  Response: list of time partitions: name and status, location, size, document counts, schema
  Use cases: Insider Threat, Account Compromise
  Details: returns the list of partitions as JSON. Each partition has a name and status, plus an info block giving location, size, document counts, schema, etc. Note: cold partitions do not list numDocs, maxDocs and deletedDocs
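The table above names the routes but does not show how a connector strings them together. The following is an added example, not Securonix's connector code or Carbon Black's own: a minimal CB Response REST client that runs the hunt-enrich-respond loop across Process Search (with paging), Process Event Details, Update/Resolve Alerts, Ban Binary by Hash and Bulk Modify Threat Reports. The endpoint paths, the X-Auth-Token header, the alert status values and the request bodies follow the publicly documented CB Response REST API v1 and are an assumption to verify against your server version. The transport is pluggable, so the module runs offline against the constructed FakeTransport; the server URL, token, hostnames, IDs and the sample MD5 are all made up for the example.

```python
"""Added example: minimal CB Response API client with a pluggable transport.
Paths/headers/bodies follow the public CB Response REST API v1 (assumption)."""
import json
import re
import urllib.request
from typing import Any, Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

Transport = Callable[[str, str, Optional[dict]], Any]  # (method, url, json_body) -> parsed JSON


class CbResponseClient:
    def __init__(self, base_url: str, api_token: str, transport: Optional[Transport] = None):
        self.base_url = base_url.rstrip("/")
        self.token = api_token
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, method: str, url: str, body: Optional[dict]) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("X-Auth-Token", self.token)  # API-key header used by CB Response (assumed)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:  # default TLS verification stays on
            return json.load(resp)

    def _call(self, method: str, path: str, params: Optional[dict] = None, body: Optional[dict] = None) -> Any:
        url = self.base_url + path + ("?" + urlencode(params) if params else "")
        return self.transport(method, url, body)

    def search_processes(self, query: str, rows: int = 100) -> Iterator[dict]:
        """Process Search: walk every page of a Solr-style query via rows/start."""
        start = 0
        while True:
            page = self._call("GET", "/api/v1/process", {"q": query, "rows": rows, "start": start})
            results = page.get("results", [])
            yield from results
            start += len(results)
            if not results or start >= page.get("total_results", 0):
                return

    def process_events(self, process_id: str, segment_id: int) -> dict:
        """Process Event Details for one process segment."""
        return self._call("GET", f"/api/v1/process/{process_id}/{segment_id}/event")

    def update_alert(self, alert_id: str, status: str) -> dict:
        """Update/Resolve Alerts. Status vocabulary below is assumed from the v1 docs."""
        if status not in {"Unresolved", "In Progress", "Resolved", "False Positive"}:
            raise ValueError(f"unsupported alert status: {status!r}")
        return self._call("POST", f"/api/v1/alert/{alert_id}", body={"status": status})

    def ban_hash(self, md5: str, text: str) -> dict:
        """Ban Binary by Hash. Validate first: a blacklist entry blocks on every sensor."""
        if not re.fullmatch(r"[0-9a-fA-F]{32}", md5):
            raise ValueError(f"not an MD5 hash: {md5!r}")
        return self._call("POST", "/api/v1/banning/blacklist", body={"md5hash": md5.lower(), "text": text})

    def ignore_threat_reports(self, feed_id: int, report_ids: List[str]) -> dict:
        """Bulk Modify Threat Reports: is_ignored is the only mutable property."""
        body = {"ids": {str(feed_id): list(report_ids)}, "updates": {"is_ignored": True}}
        return self._call("POST", "/api/v1/threat_report", body=body)


class FakeTransport:
    """Constructed offline stand-in for the server: records calls, serves canned JSON."""
    def __init__(self) -> None:
        self.calls: List[tuple] = []
        self.procs = [{"id": f"p{i}", "segment_id": 1, "process_name": "powershell.exe",
                       "process_md5": "44d88612fea8a8f36de82e1278abb02f", "hostname": f"WS{i}"}
                      for i in range(3)]  # three constructed hits sharing one binary

    def __call__(self, method: str, url: str, body: Optional[dict]) -> Any:
        self.calls.append((method, url, body))
        parsed = urlparse(url)
        if parsed.path == "/api/v1/process":
            q = parse_qs(parsed.query)
            start, rows = int(q["start"][0]), int(q["rows"][0])
            return {"results": self.procs[start:start + rows], "total_results": len(self.procs)}
        if parsed.path.endswith("/event"):
            return {"process": {"cmdline": "powershell.exe -enc ...", "hostname": "WS0"}}
        return {"result": "success"}


def triage(client: CbResponseClient, query: str, alert_id: str, feed_id: int, report_ids: List[str]) -> dict:
    """Hunt -> enrich -> respond: the semi-automated flow the integration enables."""
    hits = list(client.search_processes(query, rows=2))  # small page size to exercise paging
    events = [client.process_events(p["id"], p["segment_id"]) for p in hits]
    banned = sorted({p["process_md5"] for p in hits})
    for md5 in banned:
        client.ban_hash(md5, text=f"banned from hunt query: {query}")
    client.update_alert(alert_id, "Resolved")
    client.ignore_threat_reports(feed_id, report_ids)
    return {"hits": len(hits), "hosts": sorted(p["hostname"] for p in hits),
            "events": len(events), "banned": banned}


def demo() -> tuple:
    fake = FakeTransport()
    client = CbResponseClient("https://cbr.example.internal", "REDACTED-TOKEN", transport=fake)
    summary = triage(client, 'process_name:powershell.exe AND cmdline:"-enc"', "alert-1", 7, ["r1", "r2"])
    return summary, fake.calls


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Swap FakeTransport for the default urllib transport to talk to a real server; keep TLS verification on and scope the API token to the least privileged CB Response user that can still resolve alerts and write blacklist entries, since the banning route affects every sensor.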