We have discovered a critical issue with certain versions of the Cb Response Binary Detonation integrations released in the last month. A patch that was rolled out to the Binary Detonation integrations in September erroneously submitted corrupt files to the binary detonation providers, potentially resulting in invalid responses from the analysis platform. No sensitive information was leaked as part of this bug. Specifically, the first five bytes of the file were missing on every submission of a file to a binary detonation appliance.
We are pleased to announce the release of an updated Cb Reporting script: https://github.com/carbonblack/cb-reporting/blob/master/incident_report.py The incident report script is an example Python program that demonstrates how to build a basic incident report using the Cb API bindings for Python. The incident report uses the Cb API to trace information about the lifetime of a process of interest:
- Target process event information: module loads, cross-process interactions, file modifications, registry modifications (Windows), intelligence feed hits, and the hosts/paths on which the target was seen
- The tree of execution that led to the target process, with binary information about each process
- A list of processes that have written to the target process/binary, with details about each
- The child processes of the target process and their corresponding binaries
The only dependencies are on the Jinja2 templating engine module for Python (2.
The Carbon Black Developer Network is proud to announce the first public release of our new Splunk Add-On for Cb Defense. This add-on is available for download now from Splunkbase and integrates Splunk with your Cb Defense console, forwarding alerts from Cb Defense right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk Cloud.
Requirements: This app requires Cb Defense and Splunk version 6.
The Carbon Black Developer Network is proud to announce the first public release of our syslog connector for Cb Defense. This connector allows you to forward alert notifications from your Cb Defense cloud instance into local, on-premise SIEM systems that accept industry standard syslog notifications. By default, it will generate pipe-delimited syslog messages containing the key metadata associated with any alert identified by the Cb Defense streaming prevention system.
We are proud to announce that CbAPI 1.2 is now available for installation via Python's PyPI. This release includes compatibility with Cb Defense and the new APIs available in Cb Protection 8.0. Documentation is available on https://cbapi.readthedocs.io and you can install it now via pip:
pip install --upgrade cbapi
Happy hunting!
Changelog: Fixed an issue where IP addresses and hashes weren't being validated for single entries. This version of the TAXII Connector was built with libtaxii version 1.1.110 and STIX version 22.214.171.124
Changelog (bug fixes):
- Added a clearer error message when unable to connect to Cb Response
- Fixed a bug when installed in a distributed search head environment
Download the Splunk app on Splunkbase. Source code for this app lives on GitHub.
Changelog (new features):
- Added support for observables within a list
- Added support for DATA_SET collection types
- Added the ability to configure a default risk score per feed
- Added support for indicator observables
Source code and RPM can be found on GitHub. This version of the TAXII connector was built on the EclecticIQ client cabby. STIX parsing is done by python-stix version 126.96.36.199 and Cybox parsing is performed using cybox-python version 2.
We are proud to announce that CbAPI 1.0 is now available for installation via Python’s PyPI. cbapi provides a straightforward interface to the Cb Protection and Response REST APIs. This library provides a Pythonic layer to access the raw power of the REST APIs of both products, making it trivial to do the easy stuff and handling all of the “sharp corners” behind the scenes for you. If you haven’t seen or worked with cbapi since its 0.
Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.2
New features:
- report_title is now retrieved via the Cb Response REST API for feed hits
- Performance increases all around
- Updated UI
- Added tests for RabbitMQ stressing (#64)
- Added process_path for all events if one exists
- TLS RabbitMQ support (thanks to Red Canary)
Post processing: With the addition of feed_title, post processing needs to be enabled by supplying cb_server_url, api_verify_ssl and api_token:
#
# Post Processing Options
#
# Supported post processing:
#
# 1) report_title in feed hits
#
# Post processing requires cb_server_url, api_verify_ssl, and api_token to be set.
Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.0
New features: HTTP output plugin (thanks to eSentire)
Output changes: In addition, new fields were added to the output (thanks to Red Canary). Process start message (procstart or process):
- parent_path: Path to the parent process
- parent_create_time: Parent process creation time
- parent_md5: Parent process binary MD5 hash
- expect_followon_w_md5: In certain cases, the MD5 for the new process isn't available at the time the message is generated.
The Cb Response App for Splunk allows administrators to leverage the industry's leading EDR solution to see, detect and take action upon endpoint activity directly from within Splunk. Once installed, the App allows administrators to access many of the powerful features of Carbon Black, such as process and binary searches, from within and in conjunction with Splunk. When used alongside Splunk's Enterprise Security, the Cb Response App for Splunk also provides Adaptive Response Actions to take action automatically based on the results of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.
We encourage everyone to release their code publicly on GitHub but on the other hand understand that contributions come in all shapes and sizes. Some contributions, like Red Canary’s Surveyor or Bobby Argenbright’s Forager tool, warrant their own repository (and in some cases, their own cool icon!) However, other contributions may be a single script or a few lines of API code. To help collect these smaller contributions into one place, we’ve created the new Carbon Black Developer Community GitHub organization, available at https://github.
This release is a minor bugfix release that fixed the following issues:
- Source and destination IP addresses were sometimes flipped in the LEEF output
- The unique ID for Alerts was incorrectly used to calculate the process link (link_process)
In addition, two changes were made in this release:
- A link_sensor is now generated for all raw endpoint events
- The list of Watchlist, Feed, and Binarystore events is expanded to any Cb Response event type that starts with watchlist.
What a difference a year makes! Almost a year ago, we released a bunch of new features in cbapi to help developers become more productive with the Carbon Black Enterprise Response REST API. Since then, we’ve changed the name of the company, created an entirely new Developer Network website, created a new, even easier-to-use and more powerful Python API, and most importantly, merged the APIs for both Enterprise Response and Enterprise Protection into the same code base!
The Carbon Black Developer Network is proud to announce a new major release of the Carbon Black Event Forwarder, 3.2.0. The Carbon Black Event Forwarder is a standalone service that will listen on the Carbon Black enterprise bus and export events (both watchlist/feed hits as well as raw endpoint events, if configured) in a normalized JSON or LEEF format. The events can be saved to a file, delivered to a network service or archived automatically to an Amazon AWS S3 bucket.
It’s been an exciting few weeks for us on the Carbon Black blog. In addition to discussing the efficacy of Patterns of Attack versus Indicators of Compromise, we’ve talked about shifting the economic balance of cyber-attacks, the “story” your data is trying to tell you and, perhaps most importantly, the importance of sharing the right kind of threat intelligence to form a Collective Defense. Today, I’m proud to reveal Carbon Black’s specific initiatives in the realm of Collective Defense in an effort to unite the cyber-security community in the battle against common adversaries.
The 1.2.4 release of the ThreatConnect connector adds one feature: Added proxy support
The 3.1.4 release of cb-event-forwarder adds two features:
- Updated code to support Go 1.6.1
- The following keys within ioc_attr and netconns will now be present in the top-level dictionary and normalized for QRadar: local_ip -> src, local_port -> srcPort, protocol -> proto, remote_ip -> dst, remote_port -> dstPort.
The 0.9.1 release of the Splunk App for Cb Response adds new features:
- New 'Overview' dashboard to summarize watchlist hits and feed hits
- New Carbon Black data model
- New `cb` macro
Get the app on Splunkbase: https://splunkbase.splunk.com/app/3099/
Special thanks to Michael Haag for his code contribution: https://github.com/carbonblack/splunk-arf-app/pull/1
The latest release of CbAPI, 0.8.1, fixes two incompatibilities with the Carbon Black Enterprise Response server version 5.1.1. All users are recommended to update cbapi via pip by running:
pip install --upgrade cbapi
Changelog: CbTAXII version 1.4 now uses the Python requests library for HTTP/HTTPS connections to TAXII servers. This enhances the compatibility of the TAXII connector with a wider variety of TAXII servers. In addition, you can now optionally disable SSL certificate validation for a specific TAXII server by setting the sslverify option:
# by default, we validate SSL certificates. Turn this off by setting sslverify=false
sslverify=false
This version of CbTAXII was built with libtaxii version 1.
Changelog: This version of the WildFire connector upgrades the WildFire API to the latest version, fixing compatibility problems with both the cloud and on-premise WildFire appliances. The old API used by previous versions of the WildFire connector is no longer supported or available, so all users of the WildFire connector must upgrade for the connector to function. Also included in this release: fixes to high CPU usage. The connector should now use a very small CPU% when running.
The 3.1.3 release of cb-event-forwarder adds two features:
- Allow the S3 configuration to specify a prefix (sub-folder)
- Decode the search query for feed hits where ioc_type is query
and fixes the following issues:
- LEEF output does not escape CR (carriage return) characters
- The pre-start script should redirect output
Carbon Black is proud to announce the launch of our new Carbon Black Developer Network web site! Carbon Black is committed to providing open APIs and enabling all customers to integrate Carbon Black’s products into their security technology stack. As part of that commitment, Carbon Black’s Developer Relations team has created this site to provide the security community the technical documentation required to build best-in-class defenses against today’s advanced threats.
The 3.1.2 release of cb-event-forwarder adds two features:
- You can now send arbitrary messages for debugging/testing purposes through the forwarder to the output location. This is only available when the cb-event-forwarder is started with the -debug command line switch. Messages sent via this mechanism are also logged for audit purposes.
- S3: You can now explicitly specify the location of the AWS credential file to use for authentication in the credential_profile option in the [s3] section of the configuration file.
We have just published the Python Cb Response bindings to the central Python packaging repository, PyPI. The recommended way to install the cbapi Python module is now via the standard Python pip package:
$ pip install cbapi
The current version of cbapi on PyPI is 0.8.0. We will announce new releases here as they become available. Happy hunting!
cb-event-forwarder 3.1.0: The 3.1.0 release of cb-event-forwarder adds the following features over 3.0.0: "Deep links" into the Cb server UI are now optionally available in the output. These links allow you to directly access the relevant sensor, binary, or process context for each event output by the cb-event-forwarder. The new variable cb_server_url has been added to the configuration file to support this new feature. Set this variable to the base URL of the Carbon Black web UI.
Major new features in 3.0:
- Vastly improved performance and reliability
- New monitoring infrastructure; the service has a JSON-based API to retrieve diagnostics on its processing. See the README for more details.
In general, the new cb-event-forwarder 3.0 is designed to be a drop-in replacement for previous versions of the event forwarder. There are a few bug fixes, configuration changes and enhancements of note. The most important change is that the service is now managed by the "upstart" system in CentOS 6.
July 13, 2015: Major release with new features. New functions added to cbapi in this release include:
Extended API (an easier way to use the cbapi):
- binary_search_iter: Query the binary datastore the same as binary_search, but returns an iterator over the results: for binary in binary_search_iter(...)
- process_search_iter: Same as above, but for process_search
- process_search_and_events_iter: Provides the event data for every process returned by process_search_iter
User management functions:
- user_add_from_data: Adds a new authorized user into Cb
- user_enum: Enumerates Cb's user database
- user_info: Retrieves information about one user from Cb
- output_user_activity: Retrieves login activity from the Cb server
- user_del: Deletes a user from Cb
Feed API: see examples, such as feed_action_add.