How to Take Advantage of the New Observations API

Back to Blogs

Posted on July 24, 2023

Overview

Replacing the Enriched Events API, the new Observations API lets you search through all Observations, which are noteworthy activity reported by your organization’s sensors, to find one or more specific Observations that match the search criteria. You can:

See tactics, techniques and procedures (TTPs) and the MITRE CVEs associated with potentially malicious activity
Get visibility into the cyber kill chain stage at which attacks were stopped
Identify the family and name of malware observed and stopped on your organization’s endpoints
Utilize new data types included with XDR
Richer search, easy aggregation, and faster filtering to isolate type and distribution of classes of detections, such as Intrusion Detection System
Deeper unpacking of network traffic to catch malicious activity masquerading as “benign” protocols
For developers, the Observations API adds aggregation tooling to quickly evaluate the blast radius of suspicious activity without having to first ingest all Observations into your own data lake or SIEM

Requirements

Endpoint Standard or Enterprise EDR product
All API calls require an API key with appropriate permissions, see Authentication for details

How to Migrate

Read the Observations API Migration Guide to migrate your integrations and automation to take advantage of the new API and be ready to extend when new features are added.

Deactivation timeline

The Enriched Events Search API will be deactivated on July 31, 2024. (Updated September 2023.)

Resources

Have questions or feedback?

Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
Report bugs and change requests to Carbon Black Support.

Stay up to date with the latest news by subscribing to the Developer Network Newsletter.