Announcing the release of v1.5.0 of Carbon Black Cloud Python SDK
Posted on October 24, 2023
We’re excited to announce the release of v1.5.0 of the Carbon Black Cloud Python SDK.
The lead feature is the Alerts v7 API; the improvements in the API are now available in the SDK. These include
- Extended alert schema with additional metadata such as process command line and username, parent and child process information, netconn data, additional device fields, MITRE categorization when available, and more
- Ability to mark alerts as “In Progress”
- Ability to mark alerts as True Positive or False Positive
- Most fields are available for search criteria, search exclusions and faceting (filtering).
- Enhanced note management with the ability to add notes to both individual alerts and threats (alerts grouped by threat)
- Observed Alerts have been removed from the Alerts API as these events are not considered actionable threats. They can now be retrieved via the Observations API.
- Most fields on the alert are available in searching
The Rest of the Changelog
Here’s a complete changelog for this release of the SDK which includes some less visible changes:
Alerts Updated to use V7 API
The new Alerts V7 API improves alert management and allow for easier management, consumption, and triage of alerts in the Carbon Black Cloud. Alerts v7 API extends the capabilities with improved methods of retrieving alerts and added functionality to manage alert workflow.Note: This change involves breaking changes to the SDK involving the core Alerts workflow. Please check your existing code carefully before deploying this SDK upgrade.
Breaking Changes - most are related to Alerts
Alerts V7: Certain changes are not compatible with code written to the old v6 API. For details, please see the Alert Migration Guide.
Breaking changes include:
- Default Search Time Period is reduced to two weeks.
- For fields that do not exist in the Alerts V7 API, a FunctionalityDecommissioned exception is raised.
- get_events() method has been removed.
- All facet terms match the field names.
- Workflow has been rebuilt.
- Create Note returns a single Note instance instead of a list.
- Official support for Python 3.7 has been dropped, since that version is now end-of-life. Added explicit testing support for Python version 3.12. N.B.: End users should update their Python version to 3.8.x or greater.
Other Updates and New Features
- Audit log requests have moved from CBCloudAPI into their own function entry point in the platform package. The old function has been deprecated.
- Process search validation has been changed to use the V2 POST API rather than the old V1 GET API.
- CBCloudAPI.get_notifications() and CBCloudAPI.notification_listener() have been marked as deprecated.
- External Devices: Added External Device Export and External Device Approvals Export.
- Added example script to poll for audit logs.
- Authentication, Getting Started, and Guides pages have been updated.
- New Searching guide.
- Porting from CBAPI to CBC SDK Guide has been updated to reflect the latest APIs.
- Live Response Migration Guide has been updated with links.
Where to find the Carbon Black Cloud SDK and information:
- Example scripts for Alerts in the GitHub Repo
- Read the Docs
- More information about the Alerts v7 API