CB Analytics Identifier Unification

Posted on July 27, 2021


The following change will take effect on August 12th, please reach out to support if you have concerns.

In the V6 Alerts API response, customers viewing CB Analytics alerts may notice that legacy_alert_id now equals id. The field legacy_alert_id used to hold an 8-character ID and differed from the standard GUID format (i.e. 33bca411-77b6-4c6c-a643-ce9e7f82c742) used across all other alert types in the Carbon Black Cloud. To better unify alerts within our platform, Carbon Black Cloud has aligned on the GUID format as our standard for all types of alerts in the product. After this change, the legacy_alert_id field will be identical to the id field and will be presented in GUID format. The alert_id field for an Event, Enriched Event, and Process will also use the GUID format, so you will be able to search for Events, Enriched Events, and Processes by either the legacy_alert_id or the id property. The recommendation is to move away from the legacy_alert_id field and reference a CB Analytics alert by its id field.

In the console, customers viewing CB Analytics alerts may notice that the Alert ID field in the right-hand rail now also appears in GUID format.



This change should have no effect on user behavior, nor will it affect your ability to search on past alerts that use the shortened legacy_alert_id format. The field legacy_alert_id will be deprecated in a future API revision.
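Integrations that stored the 8-character legacy_alert_id before the change need to know which references still diverge from the GUID id. The following is an added example, not code from the post or from the Carbon Black Cloud SDK; it assumes the legacy ID was alphanumeric and runs offline on constructed V6 alert records:

```python
import re
from typing import Dict, List

# GUID format used across Carbon Black Cloud alerts, e.g. 33bca411-77b6-4c6c-a643-ce9e7f82c742
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
# Assumption: the retired 8-character legacy_alert_id was alphanumeric
LEGACY_RE = re.compile(r"^[A-Za-z0-9]{8}$")


def is_guid(value: str) -> bool:
    return bool(GUID_RE.match(value))


def is_legacy_id(value: str) -> bool:
    return bool(LEGACY_RE.match(value))


def canonical_alert_id(alert: Dict[str, str]) -> str:
    """Return the GUID to reference this alert by; reject records whose id is not a GUID."""
    alert_id = alert.get("id", "")
    if not is_guid(alert_id):
        raise ValueError(f"alert id {alert_id!r} is not in GUID format")
    return alert_id


def needs_migration(alert: Dict[str, str]) -> bool:
    """True when legacy_alert_id still carries the short pre-change ID and so differs from id."""
    legacy = alert.get("legacy_alert_id", "")
    return legacy != alert.get("id") and is_legacy_id(legacy)


def alert_id_query(alert: Dict[str, str]) -> str:
    """Search clause for the Events / Enriched Events / Processes of this alert, keyed on the GUID."""
    return f"alert_id:{canonical_alert_id(alert)}"


def audit_stored_references(alerts: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split records into those already unified (legacy_alert_id == id) and those still on the short ID."""
    report: Dict[str, List[str]] = {"unified": [], "legacy": []}
    for alert in alerts:
        bucket = "legacy" if needs_migration(alert) else "unified"
        report[bucket].append(canonical_alert_id(alert))
    return report


# Constructed sample V6 Alerts API records (not real alerts): one pre-change, one post-change
SAMPLE_ALERTS = [
    {"type": "CB_ANALYTICS", "id": "33bca411-77b6-4c6c-a643-ce9e7f82c742", "legacy_alert_id": "A1B2C3D4"},
    {"type": "CB_ANALYTICS", "id": "7d1e9c2a-4f5b-4c6d-8e9f-0a1b2c3d4e5f",
     "legacy_alert_id": "7d1e9c2a-4f5b-4c6d-8e9f-0a1b2c3d4e5f"},
]
```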

For Carbon Black Cloud SDK users, the following code will find the Enriched Events associated with a CB Analytics alert.

>>> from cbc_sdk import CBCloudAPI
>>> from cbc_sdk.platform import BaseAlert
>>> from cbc_sdk.endpoint_standard import EnrichedEvent
>>> cb = CBCloudAPI(profile="default")
>>> alert = cb.select(BaseAlert).set_types(["CB_ANALYTICS"]).set_minimum_severity(4).first()
>>> enriched_events = list(cb.select(EnrichedEvent).where(f"alert_id:{alert.id}"))

or

>>> enriched_events = list(cb.select(EnrichedEvent).where(f"alert_id:{alert.legacy_alert_id}"))

You can also use the helper function to get the detailed Enriched Events associated with a CB Analytics alert.

>>> from cbc_sdk import CBCloudAPI
>>> from cbc_sdk.platform import CBAnalyticsAlert
>>> cb = CBCloudAPI(profile="default")
>>> # select CBAnalyticsAlert directly: get_events() is defined on CBAnalyticsAlert, not on BaseAlert,
>>> # and the typed query already restricts results to CB Analytics alerts
>>> alert = cb.select(CBAnalyticsAlert).set_minimum_severity(4).first()
>>> enriched_events = alert.get_events()