How to Take Advantage of the New Observations API
Posted on July 24, 2023
Replacing the Enriched Events API, the new Observations API lets you search through all Observations (noteworthy activity reported by your organization's sensors) and return the specific Observations that match your search criteria. You can:
- See tactics, techniques and procedures (TTPs) and the MITRE CVEs associated with potentially malicious activity
- Get visibility into the cyber kill chain stage at which attacks were stopped
- Identify the family and name of malware observed and stopped on your organization’s endpoints
- Utilize new data types included with XDR
- Use richer search, easy aggregation, and faster filtering to isolate the type and distribution of classes of detections, such as Intrusion Detection System (IDS) events
- Deeper unpacking of network traffic to catch malicious activity masquerading as “benign” protocols
- For developers, the Observations API adds aggregation tooling to quickly evaluate the blast radius of suspicious activity without first ingesting all Observations into your own data lake or SIEM
Requirements
- Endpoint Standard or Enterprise EDR product
- All API calls require an API key with appropriate permissions; see Authentication for details
How to Migrate
Read the Observations API Migration Guide to migrate your integrations and automation to the new API, so that they take advantage of it now and are ready to extend as new features are added.
The Enriched Events Search API will be deactivated on July 31, 2024. (Updated September 2023.)
Resources
- Observations API Migration Guide
- New Enriched Events Experience
- Investigate Search Fields
- Carbon Black Cloud Python SDK
- Observations API Reference
- Carbon Black Cloud User Guide - Investigate - Observations
Have questions or feedback?
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
- Report bugs and change requests to Carbon Black Support.
- We want to hear from you! Share your great ideas with us here.
- Stay up to date with the latest news by subscribing to the Developer Network Newsletter.