CB Analytics Identifier Unification
Posted on August 11, 2021
The following change will take effect on August 19th. Please reach out to support if you have concerns.
In the V6 Alerts API response, customers viewing CB Analytics alerts may notice that legacy_alert_id now equals id. The field legacy_alert_id used to hold an 8-character ID and differed from the standard GUID format (i.e. 33bca411-77b6-4c6c-a643-ce9e7f82c742) used across all other alert types in the Carbon Black Cloud. To better unify alerts within our platform, Carbon Black Cloud has aligned on the GUID format as the standard for all alert types in the product. After this change, the legacy_alert_id field will be identical to the id field and will be presented in GUID format. The alert_id field of an Event, Enriched Event, and Process will also reference the GUID format, so you will be able to search for Events, Enriched Events, and Processes by either the legacy_alert_id or the id property. The recommendation is to move away from the legacy_alert_id field and reference a CB Analytics alert by its id field.
In the console, customers viewing CB Analytics alerts may notice that the Alert ID field in the right-hand rail now also appears in GUID format.
This change should have no effect on user behavior, nor will it affect your ability to search on past alerts that use the shortened legacy_alert_id format. The field legacy_alert_id will be deprecated in a future API revision.
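The following is an added example, not code from the original post or from the Carbon Black Cloud SDK. It works offline on constructed alert records shaped like V6 Alerts API results (field names id, legacy_alert_id and type come from the announcement; the sample values are made up) and shows how to tell pre-change records (8-character legacy_alert_id) from unified ones, and how to build the alert_id search clause used with EnrichedEvent so that stored references in either format keep resolving.

```python
# Added example, not part of the original post or the cbc_sdk project.
import re

# GUID form used for id (and, after the change, for legacy_alert_id).
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")


def id_format(value):
    """Classify an alert identifier: 'guid', 'legacy' (8 characters) or 'unknown'."""
    if value is None:
        return "unknown"
    if GUID_RE.match(value):
        return "guid"
    if len(value) == 8:
        return "legacy"
    return "unknown"


def is_unified(alert):
    """True for alerts emitted after the change: legacy_alert_id == id and both are GUIDs."""
    return (alert.get("legacy_alert_id") == alert.get("id")
            and id_format(alert.get("id")) == "guid")


def search_ids(alert):
    """Identifiers to search Enriched Events by: id first (the recommended field);
    the legacy value is kept only while it still differs, i.e. for alerts created
    before the change, so references stored as the 8-character id keep working."""
    ids = []
    for key in ("id", "legacy_alert_id"):
        value = alert.get(key)
        if value and value not in ids:
            ids.append(value)
    if not ids:
        raise ValueError("alert record carries neither id nor legacy_alert_id")
    return ids


def enriched_event_query(alert):
    """Build the alert_id clause for cb.select(EnrichedEvent).where(...)."""
    terms = [f"alert_id:{i}" for i in search_ids(alert)]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


# Constructed sample records shaped like V6 Alerts API results (values made up).
PRE_CHANGE = {"type": "CB_ANALYTICS",
              "id": "33bca411-77b6-4c6c-a643-ce9e7f82c742",
              "legacy_alert_id": "AB12CD34"}
POST_CHANGE = {"type": "CB_ANALYTICS",
               "id": "33bca411-77b6-4c6c-a643-ce9e7f82c742",
               "legacy_alert_id": "33bca411-77b6-4c6c-a643-ce9e7f82c742"}
```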
For Carbon Black Cloud SDK users, the following code will find the Enriched Events associated with a CB Analytics alert:
>>> from cbc_sdk import CBCloudAPI
>>> from cbc_sdk.platform import BaseAlert
>>> from cbc_sdk.endpoint_standard import EnrichedEvent
>>> cb = CBCloudAPI(profile="default")
>>> alert = cb.select(BaseAlert).set_types(["CB_ANALYTICS"]).set_minimum_severity(4).first()
>>> enriched_events = list(cb.select(EnrichedEvent).where(f"alert_id:{alert.id}"))
or
>>> enriched_events = list(cb.select(EnrichedEvent).where(f"alert_id:{alert.legacy_alert_id}"))
You can also use the helper function to get the detailed Enriched Events associated with a CB Analytics alert:
>>> from cbc_sdk import CBCloudAPI
>>> from cbc_sdk.platform import CBAnalyticsAlert
>>> cb = CBCloudAPI(profile="default")
>>> # select CBAnalyticsAlert (the imported class) so the result has get_events()
>>> alert = cb.select(CBAnalyticsAlert).set_minimum_severity(4).first()
>>> enriched_events = alert.get_events()