Blog Post Archive
CBAPI 2.0.0 Released
Posted on Jul 29, 2024. We would like to announce that CbAPI 2.0.0 is now available for installation via Python’s PyPI. Check out what has changed below. What changed - 2.0.0 - Breaking Changes: Due to the deactivation of several APIs, certain functionality was completely removed from CBAPI: Carbon Black Cloud (completely removed), Endpoint Standard (CB Defense) (completely removed), Enterprise EDR (CB ThreatHunter) (completely removed).
Announcing the release of v1.5.6 of Carbon Black Cloud Python SDK
Posted on Jul 26, 2024. Version 1.5.6 of the Carbon Black Cloud Python SDK includes a minor bug fix.
Announcing the release of v1.5.5 of Carbon Black Cloud Python SDK
Posted on Jul 11, 2024. Version 1.5.5 of the Carbon Black Cloud Python SDK includes a minor bug fix.
Announcing the release of v1.5.4 of Carbon Black Cloud Python SDK
Posted on Jul 10, 2024. Version 1.5.4 of the Carbon Black Cloud Python SDK includes two minor bug fixes.
Announcing the release of v1.5.3 of Carbon Black Cloud Python SDK
Posted on Jun 27, 2024. Version 1.5.3 of the Carbon Black Cloud Python SDK includes Audit Export, along with other improvements and bug fixes.
Announcing the Alert Export API Endpoint
Posted on Jun 18, 2024. Carbon Black Cloud Alert Export enables up to 25,000 Alert records to be returned in CSV format from the in-console Alerts page and API.
Announcing VMware Carbon Black Cloud App for QRadar v2.3.0
Posted on Jun 5, 2024. We’re pleased to announce version 2.3.0 of the VMware Carbon Black Cloud App for QRadar. One of the headline features of this release is the transition from Alerts v6 to the more advanced Alerts v7. There are some breaking changes, so check out the Release Notes and the User Guide before you install the new version of the app. New Features: Transitioned exclusively to API Keys with an Access Level Type “Custom” for authentication, simplifying API Key configuration.
Announcing Carbon Black Cloud App for Splunk SIEM v2.2.0
Posted on May 23, 2024. Carbon Black Cloud App for Splunk 2.2.0 includes Asset Inventory Input and has increased the number of Live Query results able to be retrieved.
Announcing the release of v1.5.2 of Carbon Black Cloud Python SDK
Posted on May 1, 2024. Version 1.5.2 of the Carbon Black Cloud Python SDK includes enhanced Audit Logs and CIS Benchmarking, along with other improvements and bug fixes.
Announcing the Ability to Configure Binary Uploads per Policy
Posted on Apr 24, 2024. Carbon Black Cloud now has the ability for Enterprise EDR and XDR customers to control the upload of new binaries to Carbon Black Cloud on a per-policy basis. This feature will be enabled over the coming weeks on a rolling basis.
Announcing the CarbonCLI - PowerShell CLI for Carbon Black Cloud 1.0.0 Release!
Posted on Mar 26, 2024. The CarbonCLI - PowerShell CLI for Carbon Black Cloud 1.0.0 has been officially released!
Announcing the Carbon Black Cloud Audit Logs API Release!
Posted on Mar 12, 2024. The Audit Log service can be used to monitor your Carbon Black Cloud organization for actions performed by Carbon Black Cloud console users and API keys. Audit logs are recorded for most CREATE, UPDATE and DELETE actions as well as a few READ actions. Audit logs include a description of the action and indicate the actor who performed the action along with their IP, to help determine whether the user or API key is coming from an expected source.
New versions of the Carbon Black Cloud Apps for ServiceNow
Posted on Feb 29, 2024. ServiceNow Apps for ITSM, SecOps and Vulnerability Response have been updated to use the Alerts v7 API and Alert Forwarder Schema v2, and to support the Vancouver version of ServiceNow.
Announcing Auth Event Forwarding for the Carbon Black Cloud Data Forwarder
Posted on Feb 28, 2024. As an Enterprise EDR customer, you now have the option to add a new type of Forwarder to send all Authentication Events to a Forwarder destination (AWS S3 or Azure Blob Storage Container) as they are reported by your Windows sensors. The Auth Events forwarder type fully supports Semantic Versioning, and initially releases with a v1.0.0 schema.
Announcing Carbon Black Cloud App v2.0.0 for Splunk SOAR
Posted on Feb 13, 2024. Carbon Black Cloud App v2.0.0 for Splunk SOAR supports the Alerts v7 API, two new alert types to ingest, and a few new/updated actions.
Announcing the Event Reporting and Sensor Operation Exclusions Feature
Posted on Jan 31, 2024. Event Reporting and Sensor Operation Exclusions increase the ability of VMware Carbon Black Endpoint Standard and VMware Carbon Black Enterprise EDR customers to tune product behavior to resolve operational issues and meet business needs. The Policy Service API has been extended with Bypass Rule Configs for this feature.
Announcing the release of v1.5.1 of Carbon Black Cloud Python SDK
Posted on Jan 30, 2024. Version 1.5.1 of the Carbon Black Cloud Python SDK includes Alerts v7 enhancements and Asset Groups, along with other improvements and bug fixes.
Reminders of Recommended Practices for Securing API Access
Posted on Jan 29, 2024. API access to Carbon Black Cloud should be restricted and monitored. Find out about the mechanisms available.
Announcing Carbon Black Cloud App for Splunk 2.0.0
Posted on Jan 26, 2024. Carbon Black Cloud App for Splunk 2.0.0 supports the Alerts v7 API and Forwarder Schema v2; API Key configuration has been simplified, and most alert types can be enriched with the associated Observations. See the Upgrade Guide for all the necessary changes.
Announcing the Containerized Sensor for Carbon Black Cloud Container Security
Posted on Jan 22, 2024. The Containerized Sensor bundles Endpoint Detection and Response (EDR) and Container Scanning security in one easy-to-deploy package.
Announcing the Azure Destination for the Carbon Black Cloud Data Forwarder
Posted on Jan 17, 2024. A new Azure Blob storage option is available for customers to export key Carbon Black Cloud data to external integrations, applications and long-term storage.
Announcing Location Aware Firewall Rules in Carbon Black Cloud
Posted on Jan 9, 2024. Use profiles with Host-based firewalls to provide location awareness. When using profiles, Carbon Black Cloud assigns separate security policies for each location or type of network connection.
Announcing VMware Carbon Black Cloud App for QRadar v2.2.1
Posted on Dec 30, 2023. We’re pleased to announce version 2.2.1 of the VMware Carbon Black Cloud App for QRadar. This is a patch release fixing a number of issues. Bug Fixes: Fixed an issue where alerts and audit logs were sent with a delay in setups with a low volume of security events. Fixed an application crash due to an out-of-memory problem under high load, which prevented the app from forwarding alerts. Fixed an application crash when the console or apphost was down for a long time in setups with high volumes of security events.
Announcing the XDR Events Data Forwarder!
Posted on Dec 12, 2023. The Carbon Black Cloud Events Data Forwarder Schema v1.1.0 includes new fields for XDR. Configure an Endpoint Event forwarder to produce data using the new schema version by selecting the v1.1.0 schema on the Add Forwarders page.
Announcing Carbon Black Cloud API Key Improvements
Posted on Dec 11, 2023. Custom Access Levels for API Keys can now have Authorized IP Addresses set. There are also improvements to the visibility of API Key Session Renewal time.
Announcing Device Control - Separation of Read, Write, and Execute Controls!
Posted on Dec 11, 2023. What is it? Carbon Black Cloud gives visibility and control over USB mass storage devices detected in your environment, with the ability to block untrusted devices and approve trusted devices. The pre-existing implementation of Device Control blocks ALL operations on any external device. This enhancement enables users to separate read, write and execute permissions for approved devices on Windows endpoints. Users can determine whether a policy should grant approved USB devices read-only, read and write, read and execute, or read, write and execute access.
Announcing VMware Carbon Black Cloud Live Query Scroll Results
Posted on Dec 5, 2023. The new API endpoint for retrieving query results from the Live Query API supports fetching results across runs and paginating beyond the 10k limit.
Announcing the Carbon Black Cloud Asset Groups API Release!
Posted on Nov 27, 2023. The Carbon Black Cloud Asset Groups API has been officially released! Create groups of assets and apply policies to the groups so the protections of all similar assets are synchronized.
Announcing the Carbon Black Cloud Syslog Connector 2.0.0 Release!
Posted on Oct 30, 2023. The Carbon Black Cloud Syslog Connector Version 2.0.0 has been officially released! The Syslog Connector lets administrators forward alerts and audit logs from their Carbon Black Cloud instance to local, on-premise systems.
Announcing the release of v1.5.0 of Carbon Black Cloud Python SDK
Posted on Oct 24, 2023. Version 1.5.0 of the Carbon Black Cloud Python SDK includes Alerts v7 functionality along with other improvements and bug fixes.
Announcing the Public Cloud Account Management API for Carbon Black Cloud Workload
Posted on Oct 23, 2023. The API simplifies the management of AWS Accounts with bulk account management and CI-CD Agent Installation Packages.
Announcing the Setup API for Carbon Black Cloud Container Security
Posted on Oct 23, 2023. The Setup API enables scripted installation of Carbon Black tools for Container Security.
Announcing VMware Carbon Black Cloud App v1.1.1 for Splunk SOAR
Posted on Sep 21, 2023. VMware Carbon Black Cloud platform with Splunk SOAR version 1.1.1 is a patch release that fixes a security vulnerability in one of the app dependencies.
Announcing New and Improved APIs for Carbon Black Cloud
Posted on Sep 18, 2023. We have recently released several new APIs and Schemas for the Carbon Black Cloud, which requires the deprecation and eventual deactivation of the existing APIs and Schemas. We want to ensure you are taking full advantage of the exciting new features! We have developed migration guides and other resources for each of the new APIs and Schemas to make the transition as smooth as possible and allow you to quickly get up and running with the new features.
Core Prevention Exclusions Release
Posted on Sep 14, 2023. Carbon Black Cloud Core Prevention Exclusions: Allow essential business processes to run, even in the event of a false positive block.
Announcing Container Fields in Process Search APIs
Posted on Aug 17, 2023. As part of the release of Cloud Native Detection and Response, container fields are now included in the Process Search APIs. Customers can query for Kubernetes and container-based events to investigate Cloud-Native environments easily, create a watchlist, and trigger alerts for Kubernetes and container threats.
Announcing the Carbon Black Cloud Splunk App v1.1.10
Posted on Aug 17, 2023. Version 1.1.10 of the VMware Carbon Black Cloud App for Splunk has been released. It includes the ability to ingest Auth Events, updates an action to get Observations, and fixes some issues.
Announcing the CIS Benchmark APIs
Posted on Aug 14, 2023. CIS benchmarks are configuration guidelines published by the Center for Internet Security. These APIs enable configuration and retrieval of Benchmark Sets and Rules in Carbon Black Cloud, and retrieval of the results from scans performed using these Rules.
Announcing the Postman Workspace
Posted on Aug 14, 2023. The Carbon Black Postman Workspace makes it easier to fork the collection and get started with APIs. Try it out here.
ServiceNow Apps for Carbon Black Cloud updated with support for ServiceNow Utah version
Posted on Aug 8, 2023. ServiceNow Apps for ITSM, SecOps and Vulnerability Response have been updated to support the Utah version of ServiceNow.
QRadar App v2.2.0 OOM issue
Posted on Aug 1, 2023. How to change the memory setting to address the known issue that, under high load (a high amount of alerts or audit logs per minute), the Carbon Black Cloud QRadar App may stop forwarding messages to QRadar due to hitting a memory limitation, which leads to app restarts.
Announcing the Container Security APIs
Posted on Jul 31, 2023. Use the Image Scanning APIs to get information about when scans were performed, their source and risk summary, as well as to identify vulnerabilities in your environment. Use the Management APIs to manage hardening policies that combine predefined and user-defined policy rules that describe the target configuration of Kubernetes resources.
How to Take Advantage of the New Observations API
Posted on Jul 24, 2023. The Enriched Events API has been replaced by the new Observations API.
Announcing VMware Carbon Black Cloud Script Deobfuscation API
Posted on Jul 17, 2023. Script-based attacks are commonly used to gain entry into systems and to move laterally to inflict damage. The latest Script Deobfuscation API allows users to deobfuscate obfuscated PowerShell scripts. Deobfuscation increases an analyst’s efficiency when analyzing malicious scripts.
Announcing the v2 Alert Data Forwarder Schema
Posted on Jul 12, 2023. Carbon Black Cloud’s latest-generation Alerts data is now available to ingest directly into your Data Forwarder-enabled integrations. Making the full power of Carbon Black Cloud’s updated Alert data available to system integrators, the v2.0.0 Data Forwarder for Alerts provides a continuous stream of rich Carbon Black Cloud Alerts to be integrated into your SIEM, security lake and other custom applications.
Semantic Versioning Support in Carbon Black Cloud Data Forwarder
Posted on Jul 10, 2023. Carbon Black Cloud Data Forwarder will always strive to offer parity with the latest and greatest data from the associated Carbon Black Cloud API. Carbon Black Cloud’s data continues to evolve as we add support for new kinds of findings and periodically re-align the data models across the platform; new fields and field values are added, and the semantics of how those fields are generated can vary.
How to migrate to Alerts v7 APIs
Posted on Jul 9, 2023. Learn how to move from the Alerts v6 API to the new Alerts v7 API to gain access to a lot of new information and a streamlined workflow.
Announcing Audit Log API can now authenticate with Custom type API Key
Posted on Jun 30, 2023. To use the same Custom API key as for other calls, grant the key the permission org.audits and use it to call the Audit Log Endpoint.
Announcing the release of v1.4.3 of Carbon Black Cloud Python SDK
Posted on Jun 26, 2023. Version 1.4.3 of the Carbon Black Cloud Python SDK includes Host-Based Firewall and Data Collection Rule Configurations along with other improvements and bug fixes.
Announcing VMware Carbon Black Cloud Alerts v7 API
Posted on Jun 13, 2023. The new Alerts v7 API improves alert management and allows for easier consumption and triage of alerts in the Carbon Black Cloud. The Alerts v7 API extends the existing capabilities with improved methods of retrieving alerts and added functionality to manage alert workflow.
Audit Log Retention Changes
Posted on May 31, 2023. The VMware Cloud Services Guide that governs the terms of VMware Carbon Black Cloud states that customer audit log data will be retained for 12 months, after which the logs will be removed. Historically, we have not enforced this policy, and customers have been able to access audit logs beyond the specified 12-month window. Moving forward, we will begin to enforce this policy and remove older audit logs. Customers will be able to access audit logs from the previous 12 months; however, beyond that, access is not guaranteed.
Announcing VMware Carbon Black Cloud App v1.1.0 for Splunk SOAR
Posted on May 5, 2023. We are proud to announce VMware Carbon Black Cloud platform with Splunk SOAR version 1.1.0. This release adds new contextual actions that can be used in custom user-defined playbooks and a new CBC Assets playbook which helps users automate the orchestration and remediation of alerts in Carbon Black Cloud based on endpoint device details. New features: 7 new actions (dismiss future alerts, get asset info, get cleared eventlogs, get rdp info, get scheduled tasks, list logged users, list persistence locations), and a new CBC Assets playbook to help users automate the orchestration and remediation of alerts in Carbon Black Cloud from within Splunk SOAR based on endpoint device details.
Announcing VMware Carbon Black Cloud App for QRadar v2.2.0
Posted on May 3, 2023. We’re pleased to announce version 2.2.0 of the VMware Carbon Black Cloud App for QRadar. This release includes new features, a redesign of the configuration experience with improved feedback, bug fixes and compatibility with QRadar 7.5. New Features: A refresh of the user interface for configuring the app, with a new design and validations. When selecting Settings > Configuration, requests are triggered to check validity; if there is something wrong with the credentials, the Device API or the Alerts API at that moment, validation errors are shown.
Announcing the POST Process Search Validation API
Posted on Apr 11, 2023. A POST Process Search Validation endpoint has been released to address limitations in the length of the previous GET URL.
Announcing the Carbon Black Cloud Splunk App v1.1.9
Posted on Apr 10, 2023. Version 1.1.9 of the VMware Carbon Black Cloud App for Splunk has been released and addresses some issues.
Announcing the release of Carbon Policy Replicator GUI Tool
Posted on Apr 9, 2023. What’s New? We’re excited to announce the release of v1.0.0 of the Carbon Policy Replicator Tool. This Python-based GUI tool allows you to replicate policies and their rules to an unlimited number of other organizations across different Environments. Under the hood, this tool uses the Carbon Black Cloud Python SDK for things like Authentication and Credentials Handling, Retrieving Data from Carbon Black Cloud, and Handling Errors and Exceptions. This is one example of how the SDK can be used to build powerful tools and integrations to streamline your workflows.
Announcing asynchronous Export Events search on Jobs Service
Posted on Apr 5, 2023. The Jobs Service API has been extended with the Event Export endpoint. Use this API to start an asynchronous search for Processes and Process Events, Observations, Auth Events, or Enriched Events. The Jobs Service API supports long-running searches, with the results being available for download as a zipped CSV file. Please reach out to us with feedback.
Postman Updates - Observations, Auth Events, Export Events
Posted on Apr 4, 2023. The Carbon Black Postman Collection has been updated to include recently released Carbon Black Cloud features: Observations, Auth Events, Network Threat Metadata Service, and Export Events using the Job Service API.
Announcing the release of v1.4.2 of Carbon Black Cloud Python SDK
Posted on Mar 22, 2023. What’s New? We’re excited to announce the release of v1.4.2 of the Carbon Black Cloud Python SDK. There are several new features in this release: Policy Rule Configurations, Core Prevention Rule Configurations, Observations, and Auth Events. The Complete Changelog: Here’s a complete changelog for this release of the SDK, which includes some less visible changes. New Features: Policy Rule Configurations - allows users to make adjustments to Carbon Black-defined rules.
New and updated VMware Carbon Black Cloud Apps for ServiceNow
Posted on Mar 20, 2023. The new Carbon Black Cloud App for ServiceNow Vulnerability Response v1.0.0 is now available and provides integration of vulnerability data from Carbon Black Cloud to create tickets in ServiceNow. Updated versions of the ServiceNow SecOps App v2.0.0 and ITSM App v2.0.0 are available with new data ingest options and more actions available. All apps also include integration with the ServiceNow Configuration Management Database (CMDB) to support inventory use cases. Release Highlights: new ServiceNow Vulnerability Response App; CMDB integration across all three apps (ITSM, SecOps, VR) for inventory use cases; additional SOAR actions in the ITSM and SecOps Apps; Data Forwarder alert ingestion support; support for ServiceNow versions San Diego and Tokyo. App for Vulnerability Response (VR) v1.
Announcing VMware Carbon Black Extended Detection and Response (XDR)
Posted on Mar 15, 2023. VMware Carbon Black Extended Detection and Response (XDR) greatly enhances lateral security by leveraging telemetry. Security teams can leverage VMware Carbon Black XDR to quickly identify threats across their environment and make better-informed decisions in applying prevention policies. You can visualize and analyze relevant network data. For example: signatures of network connections (JA3 and JA3S thumbprints); network intrusion detection; security wrapper details (TLS data); signer of certificate (encryption - TLS data); HTTP details. Requirements: XDR is an add-on to Carbon Black Enterprise EDR; Auth Events is included with Carbon Black Enterprise EDR; both require the Carbon Black Cloud Windows Sensor 3.
Release Carbon Black Cloud QRadar App 2.1.1 due to incorrect validation failure
Posted on Mar 8, 2023. What was changed and why? We are releasing a minor version of the Carbon Black Cloud QRadar App due to a change in the way the API key type is validated in the app, and the upgrade of a few packages for which previous versions have reported vulnerabilities. This change is necessary because there is a deprecation notice for the API that checks the validity of the API key type. Carbon Black Cloud QRadar App v2.
Postman Updates - Core Prevention and Host-Based Policies and more
Posted on Feb 6, 2023. The Carbon Black Postman Collection has been updated to include recently released Carbon Black Cloud features: hide / dismiss vulnerabilities; policy extensions for Core Prevention and Host-Based Firewall; Live Query corrections and improvements to examples; alignment with Device Search Criteria; alignment with Process and Enriched Event Search Recommendations. If there are any concerns about this change, please reach out to us.
Host-Based Firewall Release
Posted on Jan 25, 2023. The latest policy release has added an important functional component to the Carbon Black Cloud. Host-Based Firewall increases analyst visibility over their organization’s network traffic and adds the ability to control what network traffic they want to allow.
Announcing VMware Carbon Black Cloud App v1.0.0 for Splunk SOAR
Posted on Jan 18, 2023. Carbon Black Cloud Integration with Splunk SOAR: We are proud to announce the first release of a unified integration connecting the VMware Carbon Black Cloud platform with Splunk SOAR. Through this application, customers can integrate Carbon Black Cloud actions and data into Splunk SOAR workflows using a single application. Additionally, customers can integrate their endpoint protection platform functionality either directly from the Carbon Black Cloud, or from Splunk SIEM (using the Splunk App for Splunk SOAR), and eliminate the need for outdated or custom-built integrations.
Process and Enriched Event Searches - new recommended calls for job status
Posted on Jan 16, 2023. When checking the status of the following calls, the Job ID endpoint is no longer supported. Instead, use the query ?start=0&rows=0 with the appropriate results request; the job status is available in the result by comparing contacted to completed. The job is complete when contacted == completed in the response. However, during high usage a searcher may fail, leaving a difference of 1. To prevent an infinite loop, ensure you add a timeout of 3 minutes, as a job’s maximum active time is limited to 3 minutes.
Core Prevention Release
Posted on Jan 11, 2023. The latest policy release has added an important functional component to the Carbon Black Cloud. Core Prevention simplifies policy management and provides increased control over your Endpoints and Workloads.
Devices search criteria - updated to snake_case
Posted on Nov 18, 2022. The Device API documentation has been updated with all fields in snake_case. Previously there were inconsistencies in field names where the request specified camelCase and the response used snake_case. Check the Device v6 API page for full API information on searching and sorting. Affected fields for search criteria: ad_group_id, auto_scaling_group_name, base_device, cloud_provider_account_id, cloud_provider_resource_id, cloud_provider_tags, deployment_type, golden_device_id, golden_device_status, host_based_firewall_status, host_based_firewall_reason, infrastructure_provider, last_contact_time, os_version, policy_id, sensor_version, signature_status, sub_deployment_type, target_priority, vcenter_uuid, virtual_private_cloud_id, virtualization_provider, vm_uuid, vcenter_host_url. Affected fields for sorting
Announcing the release of v1.4.1 of Carbon Black Cloud Python SDK
Posted on Oct 21, 2022. What’s New? We’re excited to announce the release of v1.4.1 of the Carbon Black Cloud Python SDK. There are several new features in this release: Live Query Differential Analysis support; upgraded support for Workloads Search, including AWS workloads support. The Complete Changelog: Here’s a complete changelog for this release of the SDK, which includes some less visible changes. New Features: AWS workloads now supported in VM Workloads Search.
Carbon Black EDR Event Forwarder 3.8.4 Released
Posted on Oct 21, 2022. Event Forwarder 3.8.4 is now generally available for all on-prem VMware Carbon Black EDR customers as a containerized distribution and as a standard RPM distribution. Containerized Event Forwarder 3.8.4 is compatible with containerized Carbon Black EDR Server (7.7.0+). This is a maintenance release that delivers the following: Features: the service employs a more efficient compression engine. Bug Fixes / Other Changes: a fix for an issue that affects previous 3.
CBAPI 1.7.9 Released
Posted on Sep 29, 2022. We are proud to announce that CbAPI 1.7.9 is now available for installation via Python’s PyPI. Check out what has changed below. We also want to thank all the collaborators on CBAPI that made this release possible. If you have any improvements or new ideas, feel free to make an issue or create a pull request at our CBAPI GitHub repo. What changed - 1.7.8 and 1.7.9: EDR (CB Response): Adjust Live Response Worker creation for EDR sensors to optimize for sensor-specific jobs.
New Carbon Black Cloud Rate Limits
Posted on Sep 27, 2022. We strive to ensure maximum uptime, availability and fidelity of our APIs within and across customer organization boundaries. However, the outsized API request volume from a small number of callers could degrade API performance for other organizations in the same Carbon Black Cloud environment. To prevent service outages from recurring, rate limits are being introduced. The limits may change or be rolled out to additional APIs and Carbon Black Cloud environments as needed.
Announcing the AWS GovCloud (US) Point of Presence for Carbon Black Cloud
Posted on Sep 19, 2022. Carbon Black Cloud has achieved Federal Risk and Authorization Management Program (FedRAMP) High Authorization and is available for customers in the AWS GovCloud (US) environment. These cloud services are designed to empower US government agencies and customers supporting the US government to migrate, manage, and operate sensitive workloads in the cloud. What is different in the AWS GovCloud (US)? The AWS GovCloud (US) is built on VMware’s Cloud Services Platform (CSP).
Announcing the Carbon Black Cloud Splunk App v1.1.6
Posted on Sep 13, 2022. Version 1.1.6 of the VMware Carbon Black Cloud App for Splunk has been released and addresses some issues. Version 1.1.6: The following bugs have been fixed in 1.1.6: updated Alert Action to allow Splunk index naming conventions. Resources: installation, configuration and user guides (guide on TechZone); download from Splunkbase. Have questions or feedback? Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community; report bugs and change requests to Carbon Black Support.
Carbon Black EDR Event Forwarder 3.8.2 Released
Posted on Aug 25, 2022. Event Forwarder 3.8.2, the initial release of containerized Event Forwarder, is now generally available for all on-prem EDR customers! Event Forwarder 3.8.2 is available as a containerized distribution and as a standard RPM distribution. Containerized Event Forwarder 3.8.2 is compatible with containerized EDR Server, while Event Forwarder versions prior to 3.8.2 are not compatible with containerized EDR Server. This is a maintenance release that delivers the following: Features: compatibility with containerized EDR Server via a new Event Forwarder docker image. Bug Fixes / Other Changes: an adjustment to a change in RabbitMQ authentication released in EDR Server 7.
Announcing Advanced Workload Security for AWS
Posted on Aug 4, 2022. We are excited to announce that VMware Carbon Black Workload will extend support for native AWS EC2 instances to multi-cloud environments. By using a single unified console that integrates into existing infrastructure, security and IT teams can reduce the attack surface and strengthen security postures, while achieving consistent and unified visibility for workloads running on AWS, VMware Cloud and on-premises environments. This offering helps bring operational confidence and reduce time to resolution to future-proof AWS workloads.
Announcing the Release of Carbon Black EDR 7.7 with Live Query API
Posted on Jul 26, 2022. EDR Live Query exposes an operating system as a high-performance relational database, which enables you to write SQL-based queries that explore operating system data. These queries allow you to gain a better understanding of your environment, analyze security vulnerabilities, and identify anomalies like unencrypted disks or processes running without a binary on disk. Live Query is based on osquery, which is an open-source project that uses a SQLite interface. The Live Query API allows you to execute queries against the operating system via API call and analyze the results outside of the EDR console.
Announcing the release of v1.4.0 of Carbon Black Cloud Python SDK
Posted on Jul 26, 2022. What’s New? We’re excited to announce the release of v1.4.0 of the Carbon Black Cloud Python SDK. There are several new features in this release: support for the new Policy APIs; the credentials handler now supports OAuth tokens; support for querying a single Report from a Feed; support for Alert notes. Breaking Changes to Be Aware Of: The Policy object has been moved from cbc_sdk.endpoint_standard to cbc_sdk.platform, as it now uses the new Policy Services API rather than the old APIs through Integration Services.
How to migrate from Policy v3 API to Policy Service v1
Posted on Jul 22, 2022. We recently announced the new Policy Service v1 API. We now have all the information you need to migrate your integrations and automation to take advantage of the new API and be ready to extend when new features are added. Read the Policy API Migration Guide for the details. Changes to the API: Details of the new API are here. In addition to the structure of the API requests and responses, the type of API key used for authentication has changed.
Carbon Black EDR Event Forwarder 3.7.6 Released
Posted on Jul 20, 2022. Event Forwarder 3.7.6 is now generally available for all on-prem EDR customers. Event Forwarder 3.7.6 is the only version that should be run with Server 7.7.0 at the time of this writing and replaces 3.8.0 and 3.8.1 as the latest stable release. This is a maintenance release that delivers the following bug fixes: Corrects an issue in which Event Forwarder could not authenticate with EDR Server versions 7.7.0 and greater, causing Event Forwarder to fail to start.
Announcing Differential Analysis for Carbon Black Cloud Audit and Remediation
Posted on Jul 18, 2022. Customers with Carbon Black Cloud Audit & Remediation can now perform differential analysis on scheduled queries using the Differential Queries API. This feature allows users to answer the question, “What has changed since the last time this query ran?” The Differential Analysis API enables users to view only the changes to the results of scheduled queries between different sessions, saving time and manual effort by making it easier to track system changes over time.
Announcing the VMware Carbon Black Cloud Apps for ServiceNow
Posted on Jul 6, 2022VMware Carbon Black’s latest integrations combine industry-leading endpoint telemetry and response actions with ServiceNow’s solutions for IT and Security teams to accelerate cross-functional workflows through automation. IT and Security teams can now leverage Carbon Black Cloud telemetry and endpoint response actions from within their ServiceNow console and workflows, streamlining hand-offs between analysts and standardizing common workflows. The apps are now available in the ServiceNow app store and provide joint customers with access to pre-built ticketing and incident response workflows powered by Carbon Black Cloud data and response actions.
Announcing the Carbon Black Cloud Splunk App v1.1.5
Posted on Jul 5, 2022Version 1.1.5 of the VMware Carbon Black Cloud App for Splunk has been released and addresses some issues. Earlier in 2022 in Version 1.1.4 of the app, the ability to ingest Watchlist Hits via the Data Forwarder was added. Version 1.1.5 The following bugs have been fixed in 1.1.5: Updated client handler to process more than 2500 remediation results without a failure in code. Updated client handler to capture 410 errors on live query result histories, and save the checkpoint.
Announcing the United Kingdom Point of Presence (UK POP)
Posted on Jun 21, 2022We’re pleased to announce the United Kingdom Point of Presence (UK POP) for Carbon Black Cloud is available. The PoP will deliver cloud native endpoint and workload protection for customers that need to meet the UK government’s Cyber Essentials Plus requirements, while providing peace of mind for all UK customers who require their telemetry data to remain resident within the UK. Read more on the VMware Security Blog. What is different in the UK PoP?
Announcing VMware Carbon Black Cloud App v2.1.0 and VMware Carbon Black EDR App v2.0.1
Posted on May 18, 2022. We’re pleased to announce improvements to the two apps for IBM QRadar: VMware Carbon Black Cloud App v2.1.0 and VMware Carbon Black EDR App v2.0.1. Improvements in VMware Carbon Black Cloud App v2.1.0. Features: Support for multi-tenancy; Ability to configure a custom Log Source Identifier; Ability to toggle ON/OFF Audit Logs. UI Changes: The help tooltips on the Settings pages are displayed only on click on the “?” icon; Watchlist Alerts are locked if Enterprise EDR is not available; Upgrades of dependencies because of vulnerabilities in older versions. Bug Fixes:
Carbon Black Cloud Threat Intelligence Connector
Posted on Apr 28, 2022. Overview: The Carbon Black Cloud Threat Intelligence connector allows the importing of threat intelligence data by using the STIX/TAXII standards. This new version supports the major versions of STIX (1.2/2.0/2.1). In contrast to the previous version, it is a standalone connector with improved usability and more features, rather than part of the CBC SDK. Prerequisites: To use this connector you must have the following products: Carbon Black Cloud, Enterprise EDR; Carbon Black Cloud Threat Intelligence Connector (GitHub); Third-Party Threat Intelligence data (STIX 1.
New Policy Service API Release
Posted on Apr 25, 2022. Overview: Policies are a group of rules and sensor settings that determine preventative behavior. Each endpoint sensor, or sensor group, is assigned to a policy. With the Policy Service API, you can now manage your Policies for endpoints and workloads with a single CUSTOM API key. This will allow more granular permission controls when creating API keys to manage Policies. This iteration of the Policies API also aligns many field names with those used elsewhere in the product.
Announcing the release of v1.3.6 of Carbon Black Cloud Python SDK
Posted on Apr 19, 2022. What’s New? We’re excited to announce the release of v1.3.6 of the Carbon Black Cloud Python SDK. There are three new features in this release: Container Runtime Alerts, generated by Kubernetes containers when you have VMware Carbon Black Container; NSX Remediation functionality; Device Facet API now supported. The Complete Changelog: Here’s a complete changelog for this release of the SDK which includes some less visible changes: New Features: Support for Device Facet API.
KMS Encryption and Simplified Bucket Policies for the S3 Carbon Black Cloud Data Forwarder
Posted on Apr 6, 2022. We have simplified the Data Forwarder to require fewer permissions. The following actions are no longer required in the bucket policy: “s3:AbortMultipartUpload”, “s3:GetObjectAcl”, “s3:ListMultipartUploadParts”. Additionally, it is now possible to enable KMS encryption on any AWS S3 bucket used to store data sent from the Carbon Black Cloud Data Forwarder. The following instructions are intended for existing customers who have already enabled a CBC Data Forwarder, and who wish to enable KMS encryption on their existing S3 bucket.
Announcing Container Runtime Alerts
Posted on Mar 21, 2022. Overview: With the release of the Container Runtime Security for VMware Carbon Black Container, Container Runtime alerts are now included in the Alerts API and the Data Forwarder. With this change, you can now pull Container alerts into your SIEM, SOAR, or other analysis platform just like CB Analytics, Watchlist, and Device Control alerts. Requirements: Carbon Black Cloud Container. More information: Container Runtime, Data Forwarder, Carbon Black Cloud APIs
VMware Carbon Black Cloud + NSX Remediation
Posted on Mar 9, 2022. Overview: The integration between Carbon Black Cloud Workload and NSX-T orchestrates network remediations using NSX-T Distributed Firewall (DFW) policies and associated tags. After registering the Carbon Black Cloud Workload with the NSX Manager, you can use the newly created NSX policies to remediate VM workloads within the Carbon Black Cloud console, or remove already applied NSX policy tags from certain VM workloads. Prerequisites: The VM workload must be associated with a Carbon Black Cloud Workload appliance that is registered with NSX and has active NSX connectivity.
Cb Event Forwarder 3.8.1 Released
Posted on Mar 8, 2022. Announcing the Release of Carbon Black EDR Event Forwarder 3.8.1. We’re excited to announce the release of Carbon Black EDR Event Forwarder 3.8.1 for on-prem EDR customers. Event Forwarder 3.8.1 is a maintenance release, which delivers the following bug fixes and improvements: Bug Fixes / Improvements: Fixes a bug where timestamps were not included with certain event-types; Fixes a bug where messages were silently dropped in certain error cases; Improved hostname detection; Better error logging for configuration errors. Download: On-prem EDR customers can download Event Forwarder 3.
Announcing New MITRE ATT&CK Techniques in Carbon Black Cloud
Posted on Feb 28, 2022. What has changed with MITRE ATT&CK v10? In the last year, as part of their bi-annual content releases, MITRE added new techniques, converted some techniques to sub-techniques, renamed other techniques, and also deprecated several techniques. These are specified in MITRE ATT&CK v10. The latest backend release of Carbon Black Cloud introduces new MITRE TTPs, both new techniques and sub-techniques, throughout the platform. These are intended to simplify defender workflows and improve overall communication around adversary tactics and techniques.
How To Manually Change Log Source Identifier in VMware Carbon Black Cloud App v2.0 for IBM QRadar
Posted on Feb 2, 2022. Do I need this change? VMware Carbon Black Cloud App v2 changed the log source identifier that was used to send the events from CBC to QRadar from cbcloud (in v1.0) to localhost (in v2.0). As a result, if you already have any log sources of type syslog that use localhost as the log source identifier, then the events will be processed by the existing DSM and not by the DSM provided by the app.
Yara Manager 2.2.0 Released
Posted on Jan 31, 2022. The 2.2.0 release of the Yara Manager has the following changes: Updated version number to match Yara Connector. Fixed uploading and validation of rules that depend on OpenSSL (e.g., using pe.imphash in a condition). Updated several third-party packages to prevent potential security issues. Some code cleanup. Documentation: /reference/enterprise-response/connectors/cb-yara-manager-guide/
Announcing the release of v1.3.5 of Carbon Black Cloud Python SDK
Posted on Jan 26, 2022. What’s New? We’re excited to announce the release of v1.3.5 of the Carbon Black Cloud Python SDK. The major new functionality of this release is improvements to Live Query, with new helper functions and exporting of results, both synchronously and asynchronously (using the Jobs API). The Live Query documentation on the Developer Network has also been updated. Also appearing in this release is a new SDK Guide for the Vulnerabilities API, and a new credential handler that uses AWS Secret Keeper to store credentials.
Cb Event Forwarder 3.8.0 Released
Posted on Jan 7, 2022. Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.8.0 New Features: The new EDR event task.error.logged is now supported. This event is enabled using task_errors=ALL in the EF configuration file. It is also supported in the EDR console configuration page for EF, starting with EDR v7.5.0. compression_type=lz4: A new compression type, lz4, is now available. The gzip type is still the default. LZ4 is a lossless data compression algorithm that is focused on compression and decompression speed.
Watchlist Hit Forwarding in the Carbon Black Cloud Data Forwarder
Posted on Dec 17, 2021. Now Available: Watchlist Hit Forwarding in the Carbon Black Cloud Data Forwarder. Carbon Black Cloud Enterprise EDR customers can now forward Watchlist Hits to external tools and workflows using the Data Forwarder. The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event, alert and watchlist data in near-real time within other tools and workflows without having to perform one-off API calls.
Announcing VMware Carbon Black Cloud App v2.0 for IBM QRadar
Posted on Dec 1, 2021. Carbon Black Cloud Integration with IBM QRadar. We are proud to announce the release of version 2.0 of the unified integration that connects the VMware Carbon Black Cloud platform with IBM QRadar. Through this application, customers can eliminate disparate log sources and outdated integrations in their QRadar SIEM and streamline their security operations and processes. The release of this application eliminates the need for disparate modules to integrate your endpoint alerts, events and response actions into the QRadar console.
Advanced Filtering for the Carbon Black Cloud Data Forwarder
Posted on Nov 8, 2021. Advanced Event Filtering with Custom Queries. Advanced Filters are now available for the VMware Carbon Black Cloud Data Forwarder. With this update you can reduce the volume of data that’s delivered to downstream tools by providing the ability to specify precisely which events are needed for your use case. The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event and alert data in near-real time within other tools and workflows without having to perform one-off API calls.
New Recommendations API for Carbon Black Cloud Endpoint Standard
Posted on Oct 12, 2021. All new Recommendations for the Carbon Black Cloud. We’re excited to announce that Recommendations are available in the Carbon Black Cloud Endpoint Standard product to assist you in tuning your console and optimizing your environment. The Recommendations API provides programmatic access to the same features available through the Carbon Black Cloud console: Rapidly configure a Policy tailored for your environment; View top ten Recommendations daily; Accept and reject Recommendations; Tune new configurations based on the system Recommendations rather than requiring manual investigation of activity in that environment. How to get access: Learn how to use the Recommendations feature in the Carbon Black Cloud console; Get started with the Recommendations API; Access the Recommendations features in the Carbon Black Cloud Python SDK. Have questions or feedback?
VMworld and Code Connect Sessions
Posted on Oct 5, 2021. On October 5th - 6th 2021, VMware will host VMworld, including Code Connect. Register here to join the sessions live, or view on demand after the event. During this event there will be several sessions to help customers leverage the full power of the Carbon Black Cloud through open APIs and technical integrations. After the live portion of the event has passed, you can still register to access the sessions on-demand.
Announcing the release of VMware Carbon Black EDR App v2.0.0 for IBM QRadar
Posted on Oct 4, 2021. What’s new? The 2.0.0 version of the VMware Carbon Black EDR App for IBM QRadar, which lets administrators leverage an industry-leading EDR (Endpoint Detection and Response) solution to detect risk and take action on endpoint activity from the QRadar console, has been refreshed to be compatible with QRadar 7.3.3 Patch 6+ and more recent versions. Where to find the app: Details of the app are available here. Download the app from IBM App Exchange.
Default Time Range Setting Change for V6 Alerts API
Posted on Sep 3, 2021. In order to improve the resilience and stability of the VMware Carbon Black Cloud, we are setting the default time range setting of the V6 Alerts API to one month. If no time range is specified in the search request, the API will search through the past one month of data instead of searching through all alerts. Affected routes include _search, _facet, and workflow/_criteria. This change will take effect starting Wednesday, October 20th.
Workspace ONE Intelligence Integration Update
Posted on Sep 3, 2021. Since VMware’s acquisition of Carbon Black, Carbon Black Cloud and Workspace ONE Intelligence have been working on updating the existing integration to be more seamless, building towards the vision of Intrinsic Security. Soon, customers who have enabled the Carbon Black Cloud to Workspace ONE Intelligence integration will be migrated to a new integration experience. When is this happening? Update: The date of migration is yet to be determined. We were previously targeting September 20th 2021, however this has been delayed.
VMware Carbon Black Cloud Alert Export Best Practices
Posted on Aug 25, 2021. Note: See the Alert Bulk Export Guide which has been updated for the Alerts v7 API, released in June 2023. Forward Alerts to an S3 Bucket: The Data Forwarder is the recommended export method for reliable and guaranteed delivery. This method works at scale to support any size customer or MSSP by writing jsonl zipped content to an S3 bucket. See the Quick Setup instructions for more details. Exporting Alerts via the Alerts API: If the Data Forwarder doesn’t work for you then the following algorithm will allow you to fetch alerts with no duplicates using the Alerts API.
CB Analytics Identifier Unification
Posted on Aug 11, 2021. The following change will take effect on August 19th; please reach out to support if you have concerns. In the V6 Alerts API response, customers viewing CB Analytics alerts may notice that legacy_alert_id now equals id. The field legacy_alert_id used to represent an 8-character ID and differed from the standard GUID format (e.g. 33bca411-77b6-4c6c-a643-ce9e7f82c742) used across all other alert types in the Carbon Black Cloud. To better unify alerts within our platform, Carbon Black Cloud has aligned on the GUID format as our standard for all types of alerts in the product.
Security Connect Sessions Available On-Demand
Posted on Jun 24, 2021. On June 3rd, VMware hosted Security Connect, an event focused on our security community and the tools they use to deliver security to their organizations. During this event, several sessions were provided that help customers leverage the full power of the Carbon Black Cloud through open APIs and technical integrations. Even though the live portion of the event has passed, you can still register today to access the sessions on-demand until early September.
Announcing the release of v1.3 of Carbon Black Cloud Python SDK
Posted on Jun 7, 2021. What’s New? We’re excited to announce the release of v1.3 of the Carbon Black Cloud Python SDK. This release has breaking changes compared to the previous version (1.2.x) that will require new API keys and possibly changes to your integration code, as well as new features and bug fixes. User administration features: User Management - create and modify user accounts. The SDK provides functions that make using the APIs more intuitive and aligned to common use cases.
Announcing User Management, Access Profiles and Grants APIs
Posted on May 27, 2021. We are happy to announce the release of two new APIs for the Carbon Black Cloud. These APIs allow you to manage Users and control the level of access and permissions in your multi-tenant environment for all Carbon Black Cloud products: User Management - create, modify, or list users in an organization; Access Profiles and Grants - create and manage grants for users in one or more organizations
Announcing Live Response v6
Posted on Apr 21, 2021. Live Response API releasing v6: now with granular RBAC! Live Response allows security operators to collect information and take action on remote endpoints in real time for all Carbon Black Cloud products. Some of these actions include the ability to upload, download, remove files, execute or terminate processes, and more. Live Response - manage files, processes and more on remote endpoints. Find more details on the highlights, what has changed, how to migrate from v3 to v6, and more here.
Upcoming Carbon Black Cloud Data Forwarder Changes for Netconns and Moduleloads
Posted on Mar 12, 2021. The CBC Data Forwarder is making a change to how it handles endpoint.event.netconn and endpoint.event.moduleload events to provide additional visibility for customers on March 22nd. Netconn: For customers who are using an HTTP proxy, we’re making a change to endpoint.event.netconn events that will use the same approach that the Platform Search API uses to emit netconn & netconn_proxy events: For organizations whose endpoints do not have an HTTP proxy configured, there will be no change - all netconn events will continue to emit as endpoint.
Announcing the v1.2 release of Carbon Black Cloud Python SDK
Posted on Mar 10, 2021. What’s New? We’re excited to announce the 1.2 release of the Carbon Black Cloud Python SDK. This release brings new features to the Carbon Black Cloud SDK along with guides and tutorials. The new features in this release include: Search, Vulnerability Assessment and Sensor Lifecycle Management for Workload; Reputation Overrides written tutorial for Platform; VM Workloads Search written tutorial for Workload; VM Workloads Search example script for Workload. Bug Fixes:
Threat Hunting and Incident Response Use Cases for Carbon Black Cloud App on Splunk
Posted on Mar 9, 2021. With the latest release of our Carbon Black Cloud App for Splunk, we’ve consolidated key features from our platform into a single integrated solution that streamlines SIEM and SOAR workflows between Splunk and the Carbon Black Cloud. In this blog, we’ll provide overviews of several key use cases that simplify and accelerate modern SOC workflows using a single pane of glass: Hash Banning by Certificate; Prevention based on MITRE Attack Behaviors; Identifying and Mitigating Malicious PowerShell Activity; Automated Mitigation of Exploitable Vulnerabilities; Using Live Query to Enrich LSASS Scraping Investigations. These use cases can be achieved within the Splunk console using the Carbon Black Cloud App for Splunk and can also be implemented and extended through dedicated SOAR platforms, including Splunk Phantom.
Announcing Enhancements for Carbon Black Cloud App for Splunk
Posted on Mar 1, 2021. We’re pleased to announce enhancements to the VMware Carbon Black Cloud App for Splunk 8. This app provides an updated solution for customers to access their Carbon Black Cloud Endpoint and Workload features and data within the Splunk console. Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk. Enhancements include: Built-in Data Inputs: Device Control Alerts, Audit Logs, Live Query Results, Vulnerability Assessment; Common Information Model for:
Announcing the v1.1 release of Carbon Black Cloud Python SDK
Posted on Jan 26, 2021. What’s New? We’re excited to announce the 1.1 release of the Carbon Black Cloud Python SDK. This release brings new features to the Carbon Black Cloud SDK along with various bug fixes. The new features in this release include: Reputation Overrides for Endpoint Standard, with Enterprise EDR support coming soon; Device Control for Endpoint Standard; Live Query Templates/Scheduled Runs and Template History; Add set_time_range for Alert query. Bug Fixes:
Reputation Override APIs now available for Endpoint Standard
Posted on Jan 26, 2021. What is it? The Reputation Overrides API is now available for Endpoint Standard customers. The Reputation Overrides API enables customers and partners to automate the management of hashes, certificates and IT Tools to their organization’s Allow List or Banned List. The operations you perform with this API are reflected in the Reputations page in the CBC console, and in the Deny/Block, Terminate or Allow reactions performed by Endpoint Standard sensors.
Join us for a virtual meetup Rescheduled for February 3rd!
Posted on Jan 19, 2021. February 3rd at 10am Mountain Time. Who should attend: This hour-long event is for developers in cybersecurity, especially those that use Carbon Black Cloud and Splunk. What is it: This event is a chance to meet members of the VMware Carbon Black Developer Relations team and other developers in the Developer Community. We invite you to brew a cup of your favorite coffee or tea and join us on February 3rd at 10am Mountain Time (5pm GMT) for a demo of the new unified Splunk App for the Carbon Black Cloud.
Announcing the 1.0 release of Carbon Black Cloud Python SDK
Posted on Dec 11, 2020. What’s New? We’re excited to announce the 1.0 release of the Carbon Black Cloud Python SDK. This release completes the alpha feedback period, further quality assurance work, and inclusion of new search APIs. The new features in this release include: Process and Process Event searches for Enterprise EDR and Endpoint Standard data; Enriched Event searches for Endpoint Standard; Addition of Python Futures to support asynchronous queries for customers who want to leverage that feature, while continuing to also provide the simplified experience which hides the multiple API calls required.
Announcing the Device Control API 1.0 Release!
Posted on Nov 30, 2020. What is it? The Device Control API lets you view, manage, approve and implement blocking policies across your organization for external USB storage devices. This gives IT and Security Operations administrators direct access to the external devices in their environment to change how those devices can operate. Who is it for? Carbon Black Cloud Endpoint Standard customers with a Windows 3.6.0.1897 sensor or above. What can you do with it? Retrieve an inventory of external devices and their associated metadata within an organization; Search for a specific external device and its associated metadata; Create an approval for an external device, set of devices, or for specific vendor and product models; Cross reference additional external device data after an alert. Where do I go to get started?
Announcing the VMware Carbon Black Cloud App for Splunk 1.0.0 Release!
Posted on Nov 18, 2020. We’re pleased to announce the release of the VMware Carbon Black Cloud App for Splunk. This app provides an updated solution for customers to access their Carbon Black Cloud Endpoint and Workload features and data within the Splunk console. Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk. The app is available for download from Splunkbase here. Depending on your installation, the Input Add-on or Technology Add-on may also be required.
Announcing the Carbon Black Cloud Syslog Connector 1.3.0 Release!
Posted on Nov 12, 2020. The Carbon Black Cloud Syslog Connector Version 1.3.0 has been officially released! The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and: Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system; Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream; Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols. This release adds the following features:
Getting Started with the Carbon Black Cloud Python SDK
Posted on Nov 3, 2020. Watch the Video Demo: See how to get started using the Carbon Black Cloud Python SDK, or view the full instructions on GitHub.
Announcing the Alpha release of the Carbon Black Cloud Python SDK
Posted on Oct 15, 2020. All new Python Bindings for the Carbon Black Cloud. We’re excited to announce the Alpha release of the Carbon Black Cloud Python SDK. This release provides an updated package leveraging Python 3.6+ to access data and features of the Carbon Black Cloud platform. The CBC SDK replaces the platform functionality that was available in CBAPI. CBAPI will continue to function, but it will not be supported or updated for Carbon Black Cloud products going forward.
Join us for another virtual meetup!
Posted on Oct 15, 2020. October 22nd at 4pm MDT. Who should attend: This hour-long event is for developers in cybersecurity, especially those that use Carbon Black Cloud and/or CBAPI, the Python SDK. What is it: This event is a chance to meet members of the VMware Carbon Black Developer Relations team and other developers in the Developer Community. We’ll start out the hour with a demo and discussion about the alpha release of our new Carbon Black Cloud Python SDK.
New Release: Carbon Black Cloud Platform Search APIs
Posted on Oct 2, 2020. We are happy to announce the release of two new search APIs for the Carbon Black Cloud: Enriched Events and Processes. These APIs help you find specific applications and their activity across all endpoint events and processes reported by Carbon Black Cloud sensors. You can: Search for endpoint activity at the process or the individual event level; Retrieve summaries or details about events, including statistical selections of the most prevalent values for some of the most interesting data fields; Formulate valid search queries: get suggestions for partial fields or values and validate queries before running them in the Search service; Manage your submitted search queries: check the status of long-running queries and even cancel queries. Which API is right for me?
Check out the Carbon Black Cloud Zscaler Integration
Posted on Sep 28, 2020. What is the Zscaler Internet Access Sandbox Integration? This integration is between Zscaler’s Internet Access (ZIA) Sandbox and Carbon Black Cloud Endpoint Standard or Enterprise EDR. Zscaler can scan all files before they reach the endpoint if they come through the network, but cannot scan files coming in from other methods, or prior to sensor installation. This connector will scan for any Endpoint Standard events or Enterprise EDR processes. It pulls the processes, checks the unique hashes against a database of files that have been checked in the past, and if the file is not known, a request to Zscaler’s Sandbox is made to see if they have any information on it.
Event Forwarder Filtering Now Available
Posted on Sep 23, 2020. Carbon Black Cloud customers using the Event Forwarder now have additional capabilities to filter endpoint.event data delivered to their designated S3 bucket. Users of the Event Forwarder can now filter data by: Event_origin, Type, Alert_id, Sensor_action. These filters are available with the .59 release. What is the Event Forwarder? The Carbon Black Cloud Event Forwarder enables users to extract data from our console to be used in external dashboards and tools alongside other security data.
Path Change for Process Search V1 and V2 API
Posted on Sep 14, 2020. As of February 2020, we updated the Service Category portion of the path for the Enterprise EDR Process Search V1 and V2 API. The new Service Category is /api/investigate/ and should be used for all API calls. The current Service Category /threathunter/search/ will be deactivated on December 31st, 2020. After that, the path will not return complete results, and all users will be required to use the new /api/investigate/ Service Category.
New Release: Carbon Black Cloud Sensor Update Services API
Posted on Aug 19, 2020. We are happy to announce the release of the Carbon Black Cloud Sensor Update Services API 1.0. What is it? This API replaces the following: /appservices/v6/orgs/{org_key}/device_actions POST, specifically with the “UPDATE_SENSOR_VERSION” action. Who is it for? The Sensor Update Services API can be used by any Carbon Black Cloud user with permission in the service category “org.kits” set to EXECUTE. What does it do? The Sensor Update Service lets you batch sensor updates automatically across your organization and provides visibility into the update jobs’ progress.
New Alert Fields for the CBC Event Forwarder
Posted on Aug 12, 2020. We are happy to announce some additional alert fields for the Event Forwarder Configuration API. The tables below provide the new field names and descriptions of each. New Common Alert Fields: device_internal_ip: IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”). device_external_ip: IP address of the endpoint from the perspective of the Carbon Black Cloud.
Join us for our first virtual meetup!
Posted on Jul 23, 2020. Aug 5th at 3pm MDT. Who should attend: This hour-long event is for developers in cybersecurity, especially those that use Carbon Black and cross-product SIEM integrations, like Splunk. What is it: We want to forge a deeper connection with the developer community, discuss meaningful topics, and learn from one another. Since we didn’t get to meet you in person at CB Connect Developer Day, we can’t hang out in person, and our community is spread all over the world anyway, we thought we’d have a virtual hangout so we could get together and discuss questions, ideas, problems, and more!
CBAPI 1.7.1 Released
Posted on Jul 22, 2020We are proud to announce that CbAPI 1.7.1 is now available for installation via Python’s PyPI. This release contains a variety of changes from bug fixes to exception enhancements. Check out what has changed below. We also want to thank all the collaborators on CBAPI that made this release possible. If you have any improvements or new ideas, feel free to make an issue or create a pull request at our CBAPI GitHub repo.
Enterprise EDR Access Level Changes
Posted on Jul 22, 2020Overview There are changes to a few permissions that have been made to remove the ThreatHunter reference. This change comes following the renaming of ThreatHunter to Enterprise EDR. The permissions name changes are only visual and will have no effect on existing API keys which utilize the old permission names. If you need to create a new Access Level or API Key make sure to look for the following permissions.
Eliminating Offensive Terminology in the Developer Network
Posted on Jul 6, 2020
We at VMware Carbon Black are working to eliminate offensive terminology from Carbon Black products and communities, including the Developer Network. Going forward, we will make the following language amendments:
- We will use the terms “approved” and “banned” going forward rather than the terms “whitelist” and “blacklist”
- We will use the terms “primary” and “secondary clone” or “minion” going forward rather than the terms “master” and “slave”. Original and replica will also be used in some instances.
New Release: Binary Toolkit for the Carbon Black Cloud
Posted on Jun 26, 2020
We are happy to announce the 1.0 release of the Carbon Black Cloud Binary Toolkit.
What is it
The Binary Toolkit lets you integrate between Carbon Black Cloud Enterprise EDR and a binary analysis engine, like YARA. When the toolkit receives hashes of binaries encountered by your organization, it sets off a process where it fetches metadata about the binaries from the Unified Binary Store (UBS) and then sends the binaries through the analysis engine.
Using the new Jobs Service API
Posted on Jun 16, 2020
First, who should use the Job Service API?
In May we released the Job Service API, an API that helps manage long-running tasks. This API is most useful for users managing large data sets where there is risk of an API request timing out before the task completes. The Job Service API enables asynchronous task execution so that jobs don’t time out, thus preventing data loss. For those managing smaller data sets, this API is less useful, and you can use regular API calls instead of using asynchronous API routes.
CBC Data Forwarder vs CBC Syslog
Posted on Jun 15, 2020
Do you need to forward Carbon Black Cloud data to your environment? There are two tools that exist to help forward Carbon Black Cloud data, the Carbon Black Cloud Data Forwarder or Carbon Black Cloud Syslog. The Carbon Black Cloud Data Forwarder is the recommended best practice as the tool is integrated into the Carbon Black Cloud and provides improved scaling for large volumes of data. The data forwarder is capable of forwarding both alerts and events to an S3 bucket.
Kicking off Developer Day 2020
Posted on May 7, 2020
Developer Day 2020 kicks off today with seven on-demand sessions for more than 2,300 registrants. This is the first time Developer Day has been held in a virtual setting and the VMware Carbon Black team is excited to welcome the largest group of developers we have ever had in attendance. With eight new members added to the Developer Relations team in the past year, VMware Carbon Black is focused on empowering this vast community of developers.
Announcing the Carbon Black Cloud Syslog Connector 1.0.2 Release!
Posted on May 6, 2020
The Carbon Black Cloud Syslog Connector Version 1.0.2 has been officially released! The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:
- Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
- Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
- Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols
This release adds the following features:
Developer Day 2020: Register Now!
Posted on May 5, 2020
Every year, Developer Day hits capacity. With this year going virtual, no one gets wait-listed or turned away! Join us virtually on May 12th to get hands-on experience working with the Carbon Black Cloud open APIs and developer tools. During the event, the Developer Relations team will be available live in the virtual environment to answer your questions. Register now! Make sure to check the box for Developer Day and join us for the rest of the conference on May 13 + 14 for a deeper dive into our technology, company, and threat research.
Announcing Our New Product Names
Posted on Feb 10, 2020
As of January 2020, we have renamed all of our products as part of our transition into the VMware Security Business Unit. This blog post outlines each of the new products and maps them to their legacy names. Our API documentation will be updated over the coming months to reflect the new names. This will not affect any API or Integration code.
Carbon Black Cloud Products
- CB Defense is now called Endpoint Standard
- CB LiveOps is now called Audit and Remediation
- CB ThreatHunter is now called Enterprise Endpoint Detection and Response, or Enterprise EDR
On-Premise Products
- CB Response is now called Carbon Black Endpoint Detection and Response, or Carbon Black EDR
- CB Protection is now called Carbon Black App Control
How can we improve our API documentation site?
Posted on Nov 20, 2019
Have trouble finding documentation? Need more resources? Want a different API? Let us know how we can help.
CB Predictive Security Cloud Becomes VMware Carbon Black Cloud
Posted on Nov 19, 2019
As Carbon Black happily transformed into the Security Business Unit of VMware, it created the opportunity to evaluate our brand and simplify. The platform and your products are not changing, but the name of the platform is. The first step is happening today, October 28th, as your login screen and much of our website are moving away from the CB Predictive Security Cloud. Do not be alarmed when you see the text change to VMware Carbon Black Cloud or Carbon Black Cloud, depending on where it’s being used.
Carbon Black Cloud API Enhancements
Posted on Sep 30, 2019
We have exposed new enhancements to the Alerts and Devices Platform APIs, giving you more efficient control over the devices and data in your organizations. The most current documentation on these APIs is available at the Platform APIs page.
Enhanced Alerts API & Use Case Workflows
We have extended the capabilities of the Alerts API by improving the methods of retrieving alerts and adding functionality to manage the workflows. With the addition of the Search Request pathway in the Alerts API, you can now filter on dozens of fields, including creation time, category, type, status, tag, and more, allowing you to more efficiently call the API.
Enterprise EDR App for Splunk 1.0.0 Released
Posted on Jan 29, 2019
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Enterprise EDR. The app has been published to Splunk’s application exchange, SplunkBase, and is available for download now on Splunkbase under CB Response App for Splunk. The Enterprise EDR App for Splunk allows a Splunk Administrator to connect to and pull Enterprise EDR notifications from the Carbon Black Cloud. This is the first phase and establishes the foundation of the integration to ensure notifications are properly pulled and ingested into Splunk.
Calling all API Developers!
Posted on Jan 22, 2019
Research Study for API Developers
We want to learn more about you! Share about your process creating API integrations. Tell us about your background, daily duties, biggest contributions, and greatest challenges. These insights will enhance our ability to align our product development with what you need. Please fill in your email and availability in the following form and you will be contacted shortly.
Note: If the Google form failed to load, please follow this link: form.
CbAPI 1.4.0 Released
Posted on Jan 10, 2019
We are proud to announce that CbAPI 1.4.0 is now available for installation via Python’s PyPI. This release includes compatibility with Carbon Black Cloud Enterprise EDR and the new APIs available in Carbon Black Cloud’s Enterprise EDR. Currently, the Process Search API is exposed. As of version 1.4.0, there are three available model objects:
- Process
- Event
- Tree
Install
The Python CbAPI works with Python 2.x and 3.x, however we do recommend using Python 3.
CB Customer Spotlight Series: Q & A with Integral’s Sean McFeely
Posted on Nov 15, 2018
Featuring Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense
This year at CB Connect 2018, we had our first ever Developer Day to recognize our vibrant partner and developer ecosystem. We had an amazing group of 100 developers attend, culminating in a hackathon. Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense, was an attendee and speaker at Developer Day and submitted his own project, cbinterface, to the hackathon.
Highlights from Developer Day
Posted on Oct 22, 2018
Cb Connect Day 0: Carbon Black hosted over a hundred developers at the first ever Developer Day. This community of developers is the engine that extends our platform to integrate with other products/tools/services to build a stronger security stack for organizations. Our attendees flew in from all over the world - Australia, Norway, Turkey, and many other locations - with the objective of learning more about our APIs, use cases around extensibility of our platform, watching live technical demonstrations, and to see where we’re going with the Carbon Black Cloud.
CB Connect 2018 Developer Day
Posted on Sep 24, 2018
SOLD OUT – Developer Day
Due to high demand Developer Day at CB Connect is now sold out. Join the waitlist today to secure a spot should spaces open up. The waitlist is on a first-come first-serve basis, and you will be notified via email if you are selected to participate. CB Connect is Carbon Black’s premier customer and partner event of the year. CB Connect heads to New York City this fall for an action-packed, two-day conference about the future of endpoint security.
Endpoint Standard REST API Tutorial Using Postman
Posted on May 8, 2018
The Endpoint Standard REST API provides a RESTful API for CbDefense, which means that it can be consumed by practically any language. Postman is a REST API Development Environment that allows users to interact with a REST API in a quick & easy way. This is a quick tutorial on how to use Postman to interact with the CbDefense REST API.
Requirements
- Access to your Endpoint Standard instance.
- A connector configured on CbDefense or the ability to create a connector.
Endpoint Standard Splunk Add-On 2.0.1 Released
Posted on Mar 20, 2018
The Carbon Black Developer Network is proud to announce the second major public release of our Endpoint Standard Add-On for Splunk. This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk cloud.
Endpoint Standard App for Splunk 1.0.0 Released
Posted on Mar 14, 2018
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Endpoint Standard. This app is available for download now from Splunkbase under CB Defense Add-On for Splunk. This first release includes pre-built visualizations from Cb that provide an overview of Endpoint Standard environments as well as dashboards to search through threat and policy notifications, view and manipulate device status, etc.
Endpoint Standard Overview Dashboard
- Comprehensive overview of your Endpoint Standard data in Splunk
- view total detections, policy actions, rare applications
- triage threats by severity
Threat Search
- geoip map of threats based on severity
- additional table of threat information
- searchable (SPL) to isolate threat events of interest
Policy Action Search
- geoip map of Policy Actions by reputation
- tabular display of policy activities
- searchable (SPL) to isolate policy events of interest
Login Map (Splunk)
- geoip map and table of Logins (attempted and successful) to Splunk instances
Device Search
- powered by the devicesearch custom search command
- uses the Endpoint Standard REST API to retrieve device status information
- geoip map of devices by external IPs + table of the same
- enter a device query to filter results like ‘hostname:WIN-1984VBRULES’ or ‘ipAddress:172.
Critical Update - EDR Binary Detonation Integrations
Posted on Oct 16, 2017
We have discovered a critical issue with certain versions of the EDR Binary Detonation integrations released in the last month. A patch that was rolled out to the Binary Detonation integrations in September erroneously submitted corrupt files to the binary detonation providers, potentially resulting in invalid responses from the analysis platform. No sensitive information was leaked as part of this bug. Specifically, the first five bytes of the file were missing on every submission of a file to a binary detonation appliance.
Cb Reporting released
Posted on Aug 8, 2017
We are pleased to announce the release of an updated Cb Reporting script.
https://github.com/carbonblack/cb-reporting/blob/master/incident_report.py
The incident report script is an example python program that demonstrates how to build a basic incident report using the Cb API bindings for python. The incident report uses the Cb API to trace information about the lifetime of a process of interest:
- Target process event information: module loads, cross process interactions, file modifications, registry modifications (windows) as well as intelligence feed hits, and the hosts/paths on which the target was seen
- The tree of execution that led to the target process - binary information about each
- A list of processes that have written to the target process/binary, details about each
- The child processes of the target process + corresponding binaries
The only dependencies are on the Jinja2 templating engine module for python (2.
Endpoint Standard Splunk Add-On 1.0.1 Released
Posted on Jun 27, 2017
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk Add-On for Endpoint Standard (formerly CB Response). This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk cloud.
Requirements
This app requires Endpoint Standard and Splunk version 6.
Endpoint Standard Syslog Connector 1.2.3 Released
Posted on Jun 27, 2017
The latest Syslog Connector can be found here. The Carbon Black Developer Network is proud to announce the first public release of our syslog connector for Endpoint Standard. This connector allows you to forward alert notifications from your Endpoint Standard cloud instance into local, on-premise SIEM systems that accept industry standard syslog notifications. By default, it will generate pipe-delimited syslog messages containing the key metadata associated with any alert identified by the Endpoint Standard streaming prevention system.
CbAPI 1.2.0 Released
Posted on Jun 22, 2017
We are proud to announce that CbAPI 1.2 is now available for installation via Python’s PyPI. This release includes compatibility with Endpoint Standard and the new APIs available in Carbon Black App Control 8.0. Documentation is available on https://cbapi.readthedocs.io and you can install it now via pip:
pip install --upgrade cbapi
Happy hunting!
TAXII Connector 1.5.5 for EDR Released
Posted on May 25, 2017
Changelog
- Fixed issue where ip addresses and hashes weren’t being validated for single entries
This version of the TAXII Connector was built with libtaxii version 1.1.110 and STIX version 1.2.0.2
Cb TAXII Connector 1.5.4 for EDR Released
Posted on Apr 7, 2017
Changelog
New Features
- Added support for observables within a list
- Added support for DATA_SET collection types
- Added ability to configure default risk score per feed
- Added support for indicator observables
Source code and RPM can be found on GitHub. This version of the TAXII connector was built on the EclecticIQ client cabby. STIX parsing is done by python-stix version 1.2.0.2. Cybox parsing is performed using cybox-python version 2.1.0.13
EDR App for Splunk 2.0.5 Released
Posted on Apr 7, 2017
Changelog
Bug Fixes
- Added clearer error message when unable to connect to EDR
- Fix bug when installed in a distributed search head environment
Download the Splunk app on Splunkbase under CB Response App for Splunk
CbAPI 1.0.1 Released
Posted on Jan 11, 2017
We are proud to announce that CbAPI 1.0 is now available for installation via Python’s PyPI. cbapi provides a straightforward interface to the App Control and EDR REST APIs. This library provides a Pythonic layer to access the raw power of the REST APIs of both products, making it trivial to do the easy stuff and handling all of the “sharp corners” behind the scenes for you. If you haven’t seen or worked with cbapi since its 0.
Cb Event Forwarder 3.3.2 Released
Posted on Jan 4, 2017
Download
https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.2
New Features
- report_title is now retrieved via the EDR REST API for feed hits
- performance increases all around
- updated UI
- Added tests for RabbitMQ stressing #64
- Added process_path for all events if one exists.
- TLS RabbitMQ Support (thanks to Red Canary)
Post Processing
With the addition of feed_title, post processing needs to be enabled by supplying cb_server_url, api_verify_ssl and api_token
#
# Post Processing Options
#
# Supported post processing:
#
# 1) report_title in feed hits
#
# Post processing requires cb_server_url, api_verify_ssl, and api_token to be set.
CB Event Forwarder 3.3.0 Released
Posted on Oct 19, 2016
Download
https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.0
New Features
- HTTP output plugin output (thanks to eSentire)
Output Changes
In addition, new fields were added to the output (thanks to Red Canary):
Process start message (procstart or process):
- parent_path: Path to the parent process
- parent_create_time: Parent process creation time
- parent_md5: Parent process binary MD5 hash
- expect_followon_w_md5: In certain cases, the MD5 for the new process isn’t available at the time the message is generated.
EDR App for Splunk 2.0.0 Released
Posted on Sep 27, 2016
The EDR App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches, from within and in conjunction with Splunk. When used alongside Splunk’s Enterprise Security, the EDR App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.
The Cb Community Repository
Posted on Aug 4, 2016
We encourage everyone to release their code publicly on GitHub but on the other hand understand that contributions come in all shapes and sizes. Some contributions, like Red Canary’s Surveyor or Bobby Argenbright’s Forager tool, warrant their own repository (and in some cases, their own cool icon!) However, other contributions may be a single script or a few lines of API code. To help collect these smaller contributions into one place, we’ve created the new Carbon Black Developer Community GitHub organization, available at https://github.
CB Event Forwarder 3.2.3 Released
Posted on Aug 3, 2016
This release is a minor bugfix release that fixed the following issues:
- Source and destination IP addresses are sometimes flipped in the LEEF output
- Unique ID for Alerts was incorrectly used to calculate the Process link (link_process)
In addition, two changes were made in this release:
- A link_sensor is now generated for all raw endpoint events
- The list of Watchlist, Feed, and Binarystore events is expanded to any EDR event type that starts with watchlist.
Presentation on the new Carbon Black Python API
Posted on Jul 18, 2016
What a difference a year makes! Almost a year ago, we released a bunch of new features in cbapi to help developers become more productive with the Carbon Black EDR REST API. Since then, we’ve changed the name of the company, created an entirely new Developer Network website, created a new, even easier-to-use and more powerful Python API, and most importantly, merged the APIs for both EDR and App Control into the same code base!
CB Event Forwarder 3.2.0 Released
Posted on Jun 27, 2016
The Carbon Black Developer Network is proud to announce a new major release of the Carbon Black Event Forwarder, 3.2.0. The Carbon Black Event Forwarder is a standalone service that will listen on the Carbon Black enterprise bus and export events (both watchlist/feed hits as well as raw endpoint events, if configured) in a normalized JSON or LEEF format. The events can be saved to a file, delivered to a network service or archived automatically to an Amazon AWS S3 bucket.
ThreatConnect connector 1.2.4 Released
Posted on Jun 1, 2016
The 1.2.4 release of the ThreatConnect connector adds one feature:
- Added proxy support
The new cbapi: Unifying the Python Carbon Black APIs
Posted on May 16, 2016
The EDR product was developed as an “API-first” application. Every action in the product can be performed programmatically through the API. In fact, the entire Carbon Black EDR web user interface is implemented on top of the API — the web user interface is a JavaScript application that makes API calls straight from your web browser (check out the Chrome Developer Tools screencast if you’re interested in more details). To expose the power of this API in Python applications, the first version of the cbapi module was published on August 21, 2013 on GitHub.
CB Event Forwarder 3.1.4 Released
Posted on Apr 25, 2016
The 3.1.4 release of cb-event-forwarder adds two features:
- updated code to support go 1.6.1
- The following keys within ioc_attr and netconns will now be present in the top level dictionary and normalized for QRadar: local_ip -> src, local_port -> srcPort, protocol -> proto, remote_ip -> dst, remote_port -> dstPort.
Splunk App for EDR 0.9.1 Released
Posted on Apr 15, 2016
The 0.9.1 release of the Splunk App for EDR adds new features:
- New ‘Overview’ dashboard to summarize watchlist hits and feed hits
- New Carbon Black Data model
- New `cb` macro
Get the app on splunkbase:
Special thanks to Michael Haag for his code contribution.
CbAPI 0.8.1 Released
Posted on Apr 14, 2016
The latest release of CbAPI 0.8.1 fixes two incompatibilities with the Carbon Black Enterprise Response server version 5.1.1. All users are recommended to update cbapi via pip by running:
pip install --upgrade cbapi
TAXII Connector 1.4 for EDR Released
Posted on Apr 13, 2016
Changelog
CbTAXII version 1.4 now uses the Python requests library for HTTP/HTTPS connections to TAXII servers. This enhances the compatibility of the TAXII connector to a wider variety of TAXII servers. In addition, you can now optionally disable SSL certificate validation for a specific TAXII server by setting the sslverify option:
# by default, we validate SSL certificates. Turn this off by setting sslverify=false
sslverify=false
This version of CbTAXII was built with libtaxii version 1.
Palo Alto Networks WildFire Connector 2.3 for EDR Released
Posted on Apr 13, 2016
Changelog
This version of the WildFire connector upgrades the WildFire API to the latest version, fixing compatibility problems with both the cloud and on-premise WildFire appliances. The old API used by previous versions of the WildFire connector is no longer supported or available, so all users of the WildFire connector must upgrade for the connector to function. Also included in this release:
- Fixes to high CPU usage. The connector should now use a very small CPU% when running.
CB Event Forwarder 3.1.3 Released
Posted on Apr 5, 2016
The 3.1.3 release of cb-event-forwarder adds two features:
- Allow S3 configuration to specify a prefix (sub-folder)
- Decode the search query for feed hits where ioc_type is query
and fixes the following issues:
- LEEF output does not escape CR (Carriage Return) characters
- Pre start script should redirect output
Welcome to the Carbon Black Developer Network!
Posted on Mar 1, 2016
Carbon Black is proud to announce the launch of our new Carbon Black Developer Network web site! Carbon Black is committed to providing open APIs and enabling all customers to integrate Carbon Black’s products into their security technology stack. As part of that commitment, Carbon Black’s Developer Relations team has created this site to provide the security community the technical documentation required to build best-in-class defenses against today’s advanced threats.
CB Event Forwarder 3.1.2 Released
Posted on Jan 29, 2016
The 3.1.2 release of cb-event-forwarder adds two features:
- You can now send arbitrary messages for debugging/testing purposes through the forwarder to the output location. This is only available when the cb-event-forwarder is started with the -debug command line switch. Messages sent via this mechanism are also logged for audit purposes.
- S3: You can now explicitly specify the location of the AWS credential file to use for authentication in the credential_profile option in the [s3] section of the configuration file.
CbAPI now available on PyPI
Posted on Jan 15, 2016
We have just published the Python EDR bindings to the central Python packaging repository, PyPI. The recommended way to install the cbapi Python module is now via the standard Python pip package:
$ pip install cbapi
The current version of cbapi on PyPI is 0.8.0. We will announce new releases here as they become available. Happy hunting!
CB Event Forwarder 3.1.0 Released
Posted on Dec 24, 2015
cb-event-forwarder 3.1.0
The 3.1.0 release of cb-event-forwarder adds the following features over 3.0.0:
- “Deep links” into the Cb server UI are now optionally available in the output. These links allow you to directly access the relevant sensor, binary, or process context for each event output by the cb-event-forwarder. The new variable cb_server_url has been added to the configuration file to support this new feature. Set this variable to the base URL of the Carbon Black web UI.
CB Event Forwarder 3.0.0 Released
Posted on Dec 10, 2015
Major new features in 3.0
- Vastly improved performance & reliability
- New monitoring infrastructure; the service has a JSON-based API to retrieve diagnostics on its processing. See the README for more details.
In general, the new cb-event-forwarder 3.0 is designed to be a drop-in replacement for previous versions of the event forwarder. There are a few bug fixes, configuration changes and enhancements of note. The most important change is that the service is now managed by the “upstart” system in CentOS 6.
New cbapi release - Summer 2015
Posted on Jul 13, 2015
July 13, 2015
Major release with new features. New functions added to cbapi in this release include:
Extended API - an easier way to use the cbapi
- binary_search_iter - Query the binary datastore the same as binary_search, but returns an iterator over the results… for binary in binary_search_iter(...)
- process_search_iter - Same as above, but for process_search
- process_search_and_events_iter - Provides the event data for every process returned by process_search_iter
User management functions
- user_add_from_data - Adds a new authorized user into Cb
- user_enum - Enumerates Cb’s user database
- user_info - Retrieves information about one user from Cb
- output_user_activity - Retrieves login activity from the Cb server
- user_del - Deletes a user from Cb
Feed API - see examples, such as feed_action_add.
Carbon Black SDK release
Posted on Jan 1, 0001
CB SDK RELEASE
The Carbon Black SDK provides a framework for easily creating arbitrary connectors and integrations with Carbon Black products. The cb-integration project provides python libraries for generic integrations and a specialized framework for binary analysis connectors. See the source code in the cb-integration repo for implementation details. The CBSDK is cross platform, and should work on any environment that has docker 1.7+ and docker-compose. At its core, the CBSDK provides a lightweight linux container for connectors that can be pulled from dockerhub with:
$ docker pull cbdevnetwork/cbsdk
CB Event Forwarder 4.0.0 Beta
Posted on Jan 1, 0001
4.0.0 BETA PRERELEASE
In general, the new cb-event-forwarder 4.0 is designed to be a (nearly) drop-in replacement for previous versions of the event forwarder, supporting the same features (along with a number of oft-requested enhancements, suggestions and bugfixes) merely using a new configuration format - YAML.
- configuration format changed to yaml - old configurations will not work :/
- architectural overhaul
- plugins
- output: new format option format: template and provide a template to format the output CbR event messages
- multiple-input multiple-output pipeline for events: can consume events from multiple CbR mq systems in input:, can output to multiple event types & formats in output:
- (optional) event filtering (between input and output, for all events seen by the forwarder) at the event-forwarder using golang’s templating language; simply provide a filter : { template : {{return KEEP or DROP to keep or drop a message}}}
- output format updates and tweaks, very similar to previous format; standardization of alert/feeds/watchlist.