Blog Post Archive

    In order to improve the resilience and stability of the VMware Carbon Black Cloud, we are setting the default time range of the V6 Alerts API to one month. If no time range is specified in the search request, the API will search the past month of data instead of searching through all alerts. Affected routes include _search, _facet, and workflow/_criteria. This change will take effect starting Wednesday, October 20th.

    Read More >>

    Since VMware’s acquisition of Carbon Black, Carbon Black Cloud and Workspace ONE Intelligence have been working on updating the existing integration to be more seamless, building towards the vision of Intrinsic Security. Soon, customers who have enabled the Carbon Black Cloud to Workspace ONE Intelligence integration will be migrated to a new integration experience. When is this happening? Customers who have the existing Carbon Black Cloud and Workspace ONE Intelligence integration enabled will be migrated on September 20th.

    Read More >>

    Forward Alerts to an S3 Bucket

    The Data Forwarder is the recommended export method for reliable and guaranteed delivery. This method works at scale to support any size customer or MSSP by writing zipped jsonl content to an S3 bucket. See the Quick Setup instructions for more details.

    Exporting Alerts via the Alerts API

    If the Data Forwarder doesn’t work for you, the following algorithm will allow you to fetch alerts with no duplicates using the Alerts API.

    Read More >>

    CB Analytics Identifier Unification

    Posted on Aug 11, 2021

    The following change will take effect on August 19th; please reach out to support if you have concerns. In the V6 Alerts API response, customers viewing CB Analytics alerts may notice that legacy_alert_id now equals id. The field legacy_alert_id used to hold an 8-character ID that differed from the standard GUID format (e.g. 33bca411-77b6-4c6c-a643-ce9e7f82c742) used across all other alert types in the Carbon Black Cloud. To better unify alerts within our platform, Carbon Black Cloud has aligned on the GUID format as the standard for all types of alerts in the product.

    Read More >>

    On June 3rd, VMware hosted Security Connect, an event focused on our security community and the tools they use to deliver security to their organizations. During this event, several sessions were provided that help customers leverage the full power of the Carbon Black Cloud through open APIs and technical integrations. Even though the live portion of the event has passed, you can still register today to access the sessions on-demand until early September.

    Read More >>

    What’s New?

    We’re excited to announce the release of v1.3 of the Carbon Black Cloud Python SDK. This release has breaking changes compared to the previous version (1.2.x) that will require new API keys and possibly changes to your integration code, as well as new features and bug fixes.

    User administration features

    - User Management - create and modify user accounts.

    The SDK provides functions that make using the APIs more intuitive and aligned to common use cases.

    Read More >>

    We are happy to announce the release of two new APIs for the Carbon Black Cloud. These APIs allow you to manage users and control the level of access and permissions in your multi-tenant environment for all Carbon Black Cloud products:

    - User Management - create, modify, or list users in an organization
    - Access Profiles and Grants - create and manage grants for users in one or more organizations

    For more details on the functionality, use cases and more, check out the User Exchange.

    Read More >>

    Announcing Live Response v6

    Posted on Apr 21, 2021

    Live Response API releasing v6: now with granular RBAC! Live Response allows security operators to collect information and take action on remote endpoints in real time for all Carbon Black Cloud products. Some of these actions include the ability to upload, download, and remove files, execute or terminate processes, and more.

    - Live Response - manage files, processes and more on remote endpoints

    Find more details on the highlights, what has changed, how to migrate from v3 to v6, and more here.

    Read More >>

    On March 22nd, the CBC Data Forwarder is making a change to how it handles endpoint.event.netconn and endpoint.event.moduleload events, to provide additional visibility for customers.

    Netconn

    For customers who are using an HTTP proxy, we’re making a change to endpoint.event.netconn events that will use the same approach that the Platform Search API uses to emit netconn & netconn_proxy events. For organizations whose endpoints do not have an HTTP proxy configured, there will be no change - all netconn events will continue to emit as endpoint.

    Read More >>

    What’s New?

    We’re excited to announce the 1.2 release of the Carbon Black Cloud Python SDK. This release brings new features to the Carbon Black Cloud SDK along with guides and tutorials. The new features in this release include: Search, Vulnerability Assessment and Sensor Lifecycle Management for Workload Reputation Overrides written tutorial for Platform VM Workloads Search written tutorial for Workload VM Workloads Search example script for Workload

    Bug Fixes:

    Read More >>

    With the latest release of our Carbon Black Cloud App for Splunk, we’ve consolidated key features from our platform into a single integrated solution that streamlines SIEM and SOAR workflows between Splunk and the Carbon Black Cloud. In this blog, we’ll provide overviews of several key use cases that simplify and accelerate modern SOC workflows using a single pane of glass:

    - Hash Banning by Certificate
    - Prevention based on MITRE Attack Behaviors
    - Identifying and Mitigating Malicious PowerShell Activity
    - Automated Mitigation of Exploitable Vulnerabilities
    - Using Live Query to Enrich LSASS Scraping Investigations

    These use cases can be achieved within the Splunk console using the Carbon Black Cloud App for Splunk and can also be implemented and extended through dedicated SOAR platforms, including Splunk Phantom.

    Read More >>

    We’re pleased to announce enhancements to the VMware Carbon Black Cloud App for Splunk 8. This app provides an updated solution for customers to access their Carbon Black Cloud Endpoint and Workload features and data within the Splunk console. Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk. Enhancements include:

    Built-in Data Inputs:
    - Device Control Alerts
    - Audit Logs
    - Live Query Results
    - Vulnerability Assessment

    Common Information Model for:

    Read More >>

    What’s New?

    We’re excited to announce the 1.1 release of the Carbon Black Cloud Python SDK. This release brings new features to the Carbon Black Cloud SDK along with various bug fixes. The new features in this release include:

    - Reputation Overrides for Endpoint Standard, with Enterprise EDR support coming soon
    - Device Control for Endpoint Standard
    - Live Query Templates/Scheduled Runs and Template History
    - Add set_time_range for Alert query

    Bug Fixes:

    Read More >>

    What is it?

    The Reputation Overrides API is now available for Endpoint Standard customers. The Reputation Overrides API enables customers and partners to automate the management of hashes, certificates and IT Tools on their organization’s Allow List or Banned List. The operations you perform with this API are reflected in the Reputations page in the CBC console, and in the Deny/Block, Terminate or Allow reactions performed by Endpoint Standard sensors.

    Read More >>

    February 3rd at 10am Mountain Time

    Who should attend

    This hour-long event is for developers in cybersecurity, especially those that use Carbon Black Cloud and Splunk.

    What is it

    This event is a chance to meet members of the VMware Carbon Black Developer Relations team and other developers in the Developer Community. We invite you to brew a cup of your favorite coffee or tea and join us on February 3rd at 10am Mountain Time (5pm GMT) for a demo of the new unified Splunk App for the Carbon Black Cloud.

    Read More >>

    What’s New?

    We’re excited to announce the 1.0 release of the Carbon Black Cloud Python SDK. This release completes the alpha feedback period, further quality assurance work, and the inclusion of new search APIs. The new features in this release include:

    - Process and Process Event searches for Enterprise EDR and Endpoint Standard data
    - Enriched Event searches for Endpoint Standard
    - Addition of Python Futures to support asynchronous queries for customers who want to leverage that feature, while continuing to also provide the simplified experience which hides the multiple API calls required.

    Read More >>

    What is it?

    The Device Control API lets you view, manage, approve and implement blocking policies across your organization for external USB storage devices. This gives IT and Security Operations administrators direct access to the external devices in their environment to change how those devices can operate.

    Who is it for?

    Carbon Black Cloud Endpoint Standard customers with a Windows 3.6.0.1897 sensor or above.

    What can you do with it?

    - Retrieve an inventory of external devices and their associated metadata within an organization
    - Search for a specific external device and its associated metadata
    - Create an approval for an external device, a set of devices, or specific vendor and product models
    - Cross-reference additional external device data after an alert

    Where do I go to get started?

    Read More >>

    We’re pleased to announce the release of the VMware Carbon Black Cloud App for Splunk. This app provides an updated solution for customers to access their Carbon Black Cloud Endpoint and Workload features and data within the Splunk console. Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk. The app is available for download from Splunkbase here. Depending on your installation, the Input Add-on or Technology Add-on may also be required.

    Read More >>

    The Carbon Black Cloud Syslog Connector Version 1.3.0 has been officially released! The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:

    - Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
    - Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
    - Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols

    This release adds the following features:

    Read More >>

    Watch the Video Demo

    See how to get started using the Carbon Black Cloud Python SDK, or view the full instructions on GitHub.

    Read More >>

    All new Python Bindings for the Carbon Black Cloud

    We’re excited to announce the Alpha release of the Carbon Black Cloud Python SDK. This release provides an updated package leveraging Python 3.6+ to access data and features of the Carbon Black Cloud platform. The CBC SDK replaces the platform functionality that was available in CBAPI. CBAPI will continue to function, but it will not be supported or updated for Carbon Black Cloud products going forward.

    Read More >>

    Join us for another virtual meetup!

    Posted on Oct 15, 2020

    October 22nd at 4pm MDT

    Who should attend

    This hour-long event is for developers in cybersecurity, especially those that use Carbon Black Cloud and/or CBAPI, the Python SDK.

    What is it

    This event is a chance to meet members of the VMware Carbon Black Developer Relations team and other developers in the Developer Community. We’ll start out the hour with a demo and discussion about the alpha release of our new Carbon Black Cloud Python SDK.

    Read More >>

    We are happy to announce the release of two new search APIs for the Carbon Black Cloud:

    - Enriched Events
    - Processes

    These APIs help you find specific applications and their activity across all endpoint events and processes reported by Carbon Black Cloud sensors. You can:

    - Search for endpoint activity at the process or the individual event level
    - Retrieve summaries or details about events, including statistical selections of the most prevalent values for some of the most interesting data fields
    - Formulate valid search queries: get suggestions for partial fields or values and validate queries before running them in the Search service
    - Manage your submitted search queries: check the status of long-running queries and even cancel queries

    Which API is right for me?

    Read More >>

    What is the Zscaler Internet Access Sandbox Integration?

    This integration is between Zscaler’s Internet Access (ZIA) Sandbox and Carbon Black Cloud Endpoint Standard or Enterprise EDR. Zscaler can scan all files before they reach the endpoint if they come through the network, but cannot scan files arriving by other methods, or prior to sensor installation. This connector will scan for any Endpoint Standard events or Enterprise EDR processes. It pulls the processes, checks the unique hashes against a database of files that have been checked in the past, and if the file is not known, a request is made to Zscaler’s Sandbox to see if they have any information on it.

    Read More >>

    Carbon Black Cloud customers using the Event Forwarder now have additional capabilities to filter endpoint.event data delivered to their designated S3 bucket. Users of the Event Forwarder can now filter data by:

    - Event_origin
    - Type
    - Alert_id
    - Sensor_action

    These filters are available with the .59 release.

    What is the Event Forwarder?

    The Carbon Black Cloud Event Forwarder enables users to extract data from our console to be used in external dashboards and tools alongside other security data.

    Read More >>

    As of February 2020, we updated the Service Category portion of the path for the Enterprise EDR Process Search V1 and V2 API. The new Service Category is /api/investigate/ and should be used for all API calls. The current Service Category /threathunter/search/ will be deactivated on December 31st, 2020. After that, the path will not return complete results, and all users will be required to use the new /api/investigate/ Service Category.

    Read More >>

    We are happy to announce the release of the Carbon Black Cloud Sensor Update Services API 1.0.

    What is it?

    This API replaces the following: /appservices/v6/orgs/{org_key}/device_actions POST, specifically with the “UPDATE_SENSOR_VERSION” action.

    Who is it for?

    The Sensor Update Services API can be used by any Carbon Black Cloud user with permission in the service category “org.kits” set to EXECUTE.

    What does it do?

    The Sensor Update Service lets you batch sensor updates automatically across your organization and provides visibility into the update jobs’ progress.

    Read More >>

    We are happy to announce some additional alert fields for the Event Forwarder Configuration API. The tables below provide the new field names and descriptions of each. All field information can be found in the Event Forwarder Data Mapping Guide.

    New Common Alert Fields

    Field Name: device_internal_ip
    Description: IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.

    Read More >>

    Join us for our first virtual meetup!

    Posted on Jul 23, 2020

    Aug 5th at 3pm MDT

    Who should attend

    This hour-long event is for developers in cybersecurity, especially those that use Carbon Black and cross-product SIEM integrations, like Splunk.

    What is it

    We want to forge a deeper connection with the developer community, discuss meaningful topics, and learn from one another. Since we didn’t get to meet you in person at CB Connect Developer Day, we can’t hang out in person, and our community is spread all over the world anyway, we thought we’d have a virtual hangout so we could get together and discuss questions, ideas, problems, and more!

    Read More >>

    CBAPI 1.7.1 Released

    Posted on Jul 22, 2020

    We are proud to announce that CbAPI 1.7.1 is now available for installation via Python’s PyPI. This release contains a variety of changes from bug fixes to exception enhancements. Check out what has changed below. We also want to thank all the collaborators on CBAPI that made this release possible. If you have any improvements or new ideas, feel free to make an issue or create a pull request at our CBAPI GitHub repo.

    Read More >>

    Enterprise EDR Access Level Changes

    Posted on Jul 22, 2020

    Overview

    A few permissions have been renamed to remove the ThreatHunter reference. This change follows the renaming of ThreatHunter to Enterprise EDR. The permission name changes are only visual and will have no effect on existing API keys which utilize the old permission names. If you need to create a new Access Level or API Key, make sure to look for the following permissions.

    Read More >>

    We at VMware Carbon Black are working to eliminate offensive terminology from Carbon Black products and communities, including the Developer Network. Going forward, we will make the following language amendments:

    - We will use the terms “approved” and “banned” rather than the terms “whitelist” and “blacklist”.
    - We will use the terms “primary” and “secondary clone” or “minion” rather than the terms “master” and “slave”. Original and replica will also be used in some instances.

    Read More >>

    We are happy to announce the 1.0 release of the Carbon Black Cloud Binary Toolkit.

    What is it

    The Binary Toolkit lets you integrate Carbon Black Cloud Enterprise EDR with a binary analysis engine, like YARA. When the toolkit receives hashes of binaries encountered by your organization, it sets off a process where it fetches metadata about the binaries from the Unified Binary Store (UBS) and then sends the binaries through the analysis engine.

    Read More >>

    Using the new Jobs Service API

    Posted on Jun 16, 2020

    First, who should use the Job Service API? In May we released the Job Service API, an API that helps manage long-running tasks. This API is most useful for users managing large data sets where there is risk of an API request timing out before the task completes. The Job Service API enables asynchronous task execution so that jobs don’t time out, thus preventing data loss. For those managing smaller data sets, this API is less useful, and you can use regular API calls instead of using asynchronous API routes.

    Read More >>

    CBC Data Forwarder vs CBC Syslog

    Posted on Jun 15, 2020

    Do you need to forward Carbon Black Cloud data to your environment? There are two tools that exist to help forward Carbon Black Cloud data, the Carbon Black Cloud Data Forwarder or Carbon Black Cloud Syslog. The Carbon Black Cloud Data Forwarder is the recommended best practice as the tool is integrated into the Carbon Black Cloud and provides improved scaling for large volumes of data. The data forwarder is capable of forwarding both alerts and events to an S3 bucket.

    Read More >>

    Kicking off Developer Day 2020

    Posted on May 7, 2020

    Developer Day 2020 kicks off today with seven on-demand sessions for more than 2,300 registrants. This is the first time Developer Day has been held in a virtual setting and the VMware Carbon Black team is excited to welcome the largest group of developers we have ever had in attendance. With eight new members added to the Developer Relations team in the past year, VMware Carbon Black is focused on empowering this vast community of developers.

    Read More >>

    The Carbon Black Cloud Syslog Connector Version 1.0.2 has been officially released! The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:

    - Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
    - Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
    - Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols

    This release adds the following features:

    Read More >>

    Developer Day 2020: Register Now!

    Posted on May 5, 2020

    Every year, Developer Day hits capacity. With this year going virtual, no one gets wait-listed or turned away! Join us virtually on May 12th to get hands-on experience working with the Carbon Black Cloud open APIs and developer tools. During the event, the Developer Relations team will be available live in the virtual environment to answer your questions. Register now! Make sure to check the box for Developer Day and join us for the rest of the conference on May 13 + 14 for a deeper dive into our technology, company, and threat research.

    Read More >>

    Announcing Our New Product Names

    Posted on Feb 10, 2020

    As of January 2020, we have renamed all of our products as part of our transition into the VMware Security Business Unit. This blog post outlines each of the new products and maps them to their legacy names. Our API documentation will be updated over the coming months to reflect the new names. This will not affect any API or Integration code.

    Carbon Black Cloud Products
    - CB Defense is now called Endpoint Standard
    - CB LiveOps is now called Audit and Remediation
    - CB ThreatHunter is now called Enterprise Endpoint Detection and Response, or Enterprise EDR

    On-Premise Products
    - CB Response is now called Carbon Black Endpoint Detection and Response, or Carbon Black EDR
    - CB Protection is now called Carbon Black App Control

    Read More >>

    Have trouble finding documentation? Need more resources? Want a different API? Let us know how we can help.

    Read More >>

    As Carbon Black happily transformed into the Security Business Unit of VMware, it created the opportunity to evaluate our brand and simplify. The platform and your products are not changing, but the name of the platform is. The first step is happening today, October 28th, as your login screen and much of our website are moving away from the CB Predictive Security Cloud. Do not be alarmed when you see the text change to VMware Carbon Black Cloud or Carbon Black Cloud, depending on where it’s being used.

    Read More >>

    Carbon Black Cloud API Enhancements

    Posted on Sep 30, 2019

    We have exposed new enhancements to the Alerts and Devices Platform APIs, giving you more efficient control over the devices and data in your organizations. The most current documentation on these APIs is available at the Platform APIs page.

    Enhanced Alerts API & Use Case Workflows

    We have extended the capabilities of the Alerts API by improving the methods of retrieving alerts and adding functionality to manage the workflows. With the addition of the Search Request pathway in the Alerts API, you can now filter on dozens of fields, including creation time, category, type, status, tag, and more, allowing you to call the API more efficiently.

    Read More >>

    The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Enterprise EDR. The app has been published to Splunk’s application exchange, SplunkBase, and is available for download now on Splunkbase under CB Response App for Splunk. The Enterprise EDR App for Splunk allows a Splunk Administrator to connect to and pull Enterprise EDR notifications from the Carbon Black Cloud. This is the first phase and establishes the foundation of the integration to ensure notifications are properly pulled and ingested into Splunk.

    Read More >>

    Calling all API Developers!

    Posted on Jan 22, 2019

    Research Study for API Developers

    We want to learn more about you! Tell us about your process for creating API integrations, your background, daily duties, biggest contributions, and greatest challenges. These insights will enhance our ability to align our product development with what you need. Please fill in your email and availability in the following form and you will be contacted shortly.

    Note: If the Google form failed to load, please follow this link: https://docs.

    Read More >>

    CbAPI 1.4.0 Released

    Posted on Jan 10, 2019

    We are proud to announce that CbAPI 1.4.0 is now available for installation via Python’s PyPI. This release includes compatibility with Carbon Black Cloud Enterprise EDR and the new APIs available in Carbon Black Cloud’s Enterprise EDR. Currently, the Process Search API is exposed. As of version 1.4.0, there are three available model objects:

    - Process
    - Event
    - Tree

    Install

    The Python CbAPI works with Python 2.x and 3.x; however, we recommend using Python 3.

    Read More >>

    Featuring Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense This year at CB Connect 2018, we had our first ever Developer Day to recognize our vibrant partner and developer ecosystem. We had an amazing group of 100 developers attend, culminating in a hackathon. Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense, was an attendee and speaker at Developer Day and submitted his own project, cbinterface, to the hackathon.

    Read More >>

    Highlights from Developer Day

    Posted on Oct 22, 2018

    Cb Connect Day 0: Carbon Black hosted over a hundred developers at the first ever Developer Day. This community of developers is the engine that extends our platform to integrate with other products/tools/services to build a stronger security stack for organizations. Our attendees flew in from all over the world - Australia, Norway, Turkey, and many other locations with the objective of learning more about our APIs, use cases around extensibility of our platform, watching live technical demonstrations, and to see where we’re going with the Carbon Black Cloud.

    Read More >>

    CB Connect 2018 Developer Day

    Posted on Sep 24, 2018

    SOLD OUT – Developer Day

    Due to high demand, Developer Day at CB Connect is now sold out. Join the waitlist today to secure a spot should spaces open up. The waitlist is on a first-come, first-served basis, and you will be notified via email if you are selected to participate. CB Connect is Carbon Black’s premier customer and partner event of the year. CB Connect heads to New York City this fall for an action-packed, two-day conference about the future of endpoint security.

    Read More >>

    The Endpoint Standard REST API provides a RESTful API for CbDefense, which means that it can be consumed by practically any language. Postman is a REST API Development Environment that allows users to interact with a REST API in a quick & easy way. This is a quick tutorial on how to use Postman to interact with the CbDefense REST API.

    Requirements

    - Access to your Endpoint Standard instance.
    - A connector configured on CbDefense or the ability to create a connector.

    Read More >>

    The Carbon Black Developer Network is proud to announce the second major public release of our Endpoint Standard Add-On for Splunk. This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk cloud.

    Read More >>

    The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Endpoint Standard. This app is available for download now from Splunkbase under CB Defense Add-On for Splunk. This first release includes pre-built visualizations from Cb that provide an overview of Endpoint Standard environments, as well as dashboards to search through threat and policy notifications, view and manipulate device status, etc.

    Endpoint Standard Overview Dashboard
    - Comprehensive overview of your Endpoint Standard data in Splunk
    - view total detections, policy actions, rare applications
    - triage threats by severity

    Threat Search
    - geoip map of threats based on severity
    - additional table of threat information
    - searchable (SPL) to isolate threat events of interest

    Policy Action Search
    - geoip map of Policy Actions by reputation
    - tabular display of policy activities
    - searchable (SPL) to isolate policy events of interest

    Login Map (Splunk)
    - geoip map and table of Logins (attempted and successful) to Splunk instances

    Device Search
    - powered by the devicesearch custom search command
    - uses the Endpoint Standard REST API to retrieve device status information
    - geoip map of devices by external IPs + table of the same
    - enter a device query to filter results like ‘hostname:WIN-1984VBRULES’ or ‘ipAddress:172.

    Read More >>

    We have discovered a critical issue with certain versions of the EDR Binary Detonation integrations released in the last month. A patch that was rolled out to the Binary Detonation integrations in September erroneously submitted corrupt files to the binary detonation providers, potentially resulting in invalid responses from the analysis platform. No sensitive information was leaked as part of this bug. Specifically, the first five bytes of the file were missing on every submission of a file to a binary detonation appliance.

    Read More >>

    Cb Reporting released

    Posted on Aug 8, 2017

    We are pleased to announce the release of an updated Cb Reporting script.

    https://github.com/carbonblack/cb-reporting/blob/master/incident_report.py

    The incident report script is an example Python program that demonstrates how to build a basic incident report using the Cb API bindings for Python. The incident report uses the Cb API to trace information about the lifetime of a process of interest:

    - Target process event information: module loads, cross-process interactions, file modifications, registry modifications (Windows) as well as intelligence feed hits, and the hosts/paths on which the target was seen
    - The tree of execution that led to the target process - binary information about each
    - A list of processes that have written to the target process/binary, details about each
    - The child processes of the target process + corresponding binaries

    The only dependencies are on the Jinja2 templating engine module for python (2.

    Read More >>

    The Carbon Black Developer Network is proud to announce the first public release of our new Splunk Add-On for Endpoint Standard (formerly CB Response). This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk cloud.

    Requirements

    This app requires Endpoint Standard and Splunk version 6.

    Read More >>

    The latest Syslog Connector can be found here. The Carbon Black Developer Network is proud to announce the first public release of our syslog connector for Endpoint Standard. This connector allows you to forward alert notifications from your Endpoint Standard cloud instance into local, on-premise SIEM systems that accept industry standard syslog notifications. By default, it will generate pipe-delimited syslog messages containing the key metadata associated with any alert identified by the Endpoint Standard streaming prevention system.

    Read More >>

    CbAPI 1.2.0 Released

    Posted on Jun 22, 2017

    We are proud to announce that CbAPI 1.2 is now available for installation via Python’s PyPI. This release includes compatibility with Endpoint Standard and the new APIs available in Carbon Black App Control 8.0. Documentation is available on https://cbapi.readthedocs.io and you can install it now via pip: pip install --upgrade cbapi Happy hunting!

    Read More >>

    Changelog
    - Fixed issue where IP addresses and hashes weren't being validated for single entries
    This version of the TAXII Connector was built with libtaxii version 1.1.110 and STIX version 1.2.0.2.

    Read More >>
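    What validating a single IP or hash entry involves, as an added example (not the TAXII connector's own code): an indicator that does not parse, or an IPv4 address in private, loopback or otherwise non-global space, is rejected before it can become a feed entry that matches legitimate internal traffic. The IPv4-only rule and the sample entries are this example's assumptions.

```python
# Added example: validate single IP and hash indicators before feeding them to Cb.
import ipaddress
import re

HASH_PATTERNS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}


def validate_ip(value):
    """Return the normalized dotted-quad string, or None.
    Rejects anything that does not parse, IPv6 (assumption: this feed carries
    IPv4 only) and non-global space (RFC 1918, loopback, link-local, TEST-NET),
    which would otherwise light up on ordinary internal connections."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None
    if addr.version != 4 or not addr.is_global:
        return None
    return str(addr)


def validate_hash(value):
    """Return (algorithm, lowercase hex) or None; the length picks the algorithm."""
    v = str(value).strip().lower()
    for name, pattern in HASH_PATTERNS.items():
        if pattern.match(v):
            return name, v
    return None


def validate_entries(entries):
    """entries: iterable of (kind, value) with kind in {'ip', 'hash'}.
    Returns (accepted, rejected); accepted items are normalized."""
    accepted, rejected = [], []
    for kind, value in entries:
        if kind == "ip":
            result = validate_ip(value)
            if result is not None:
                accepted.append(("ipv4", result))
                continue
        elif kind == "hash":
            result = validate_hash(value)
            if result is not None:
                accepted.append(result)
                continue
        rejected.append((kind, value))
    return accepted, rejected


# Constructed sample entries: padded, private, malformed and mixed-case values.
SAMPLE = [
    ("ip", "8.8.8.8"),
    ("ip", " 8.8.4.4 "),
    ("ip", "10.0.0.1"),
    ("ip", "999.1.1.1"),
    ("hash", "D41D8CD98F00B204E9800998ECF8427E"),
    ("hash", "deadbeef"),
    ("sha1", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),  # unknown kind label
]

if __name__ == "__main__":
    ok, bad = validate_entries(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```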

    Changelog
    New Features
    - Added support for observables within a list
    - Added support for DATA_SET collection types
    - Added ability to configure default risk score per feed
    - Added support for indicator observables
    Source code and RPM can be found on GitHub. This version of the TAXII connector was built on the EclecticIQ client cabby. STIX parsing is done by python-stix version 1.2.0.2; CybOX parsing is performed using cybox-python version 2.1.0.13.

    Read More >>

    EDR App for Splunk 2.0.5 Released

    Posted on Apr 7, 2017

    Changelog
    Bug Fixes
    - Added a clearer error message when unable to connect to EDR
    - Fixed a bug when installed in a distributed search head environment
    Download the Splunk app on Splunkbase under CB Response App for Splunk.

    Read More >>

    CbAPI 1.0.1 Released

    Posted on Jan 11, 2017

    We are proud to announce that CbAPI 1.0 is now available for installation via Python’s PyPI. cbapi provides a straightforward interface to the App Control and EDR REST APIs. This library provides a Pythonic layer to access the raw power of the REST APIs of both products, making it trivial to do the easy stuff and handling all of the “sharp corners” behind the scenes for you. If you haven’t seen or worked with cbapi since its 0.

    Read More >>

    Cb Event Forwarder 3.3.2 Released

    Posted on Jan 4, 2017

    Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.2
    New Features
    - report_title is now retrieved via the EDR REST API for feed hits
    - Performance increases all around
    - Updated UI
    - Added tests for RabbitMQ stressing (#64)
    - Added process_path for all events if one exists
    - TLS RabbitMQ support (thanks to Red Canary)
    Post Processing
    With the addition of report_title, post processing needs to be enabled by supplying cb_server_url, api_verify_ssl and api_token:
        #
        # Post Processing Options
        #
        # Supported post processing:
        #
        # 1) report_title in feed hits
        #
        # Post processing requires cb_server_url, api_verify_ssl, and api_token to be set.

    Read More >>

    CB Event Forwarder 3.3.0 Released

    Posted on Oct 19, 2016

    Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.0
    New Features
    - HTTP output plugin (thanks to eSentire)
    Output Changes
    In addition, new fields were added to the output (thanks to Red Canary). Process start message (procstart or process):
    - parent_path: Path to the parent process
    - parent_create_time: Parent process creation time
    - parent_md5: Parent process binary MD5 hash
    - expect_followon_w_md5: In certain cases, the MD5 for the new process isn't available at the time the message is generated.

    Read More >>

    EDR App for Splunk 2.0.0 Released

    Posted on Sep 27, 2016

    The EDR App for Splunk allows administrators to leverage the industry's leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches, from within and in conjunction with Splunk. When used alongside Splunk Enterprise Security, the EDR App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches, and on an ad-hoc basis on Notable Events surfaced within Splunk ES.

    Read More >>

    The Cb Community Repository

    Posted on Aug 4, 2016

    We encourage everyone to release their code publicly on GitHub but on the other hand understand that contributions come in all shapes and sizes. Some contributions, like Red Canary’s Surveyor or Bobby Argenbright’s Forager tool, warrant their own repository (and in some cases, their own cool icon!) However, other contributions may be a single script or a few lines of API code. To help collect these smaller contributions into one place, we’ve created the new Carbon Black Developer Community GitHub organization, available at https://github.

    Read More >>

    CB Event Forwarder 3.2.3 Released

    Posted on Aug 3, 2016

    This release is a minor bugfix release that fixed the following issues:
    - Source and destination IP addresses are sometimes flipped in the LEEF output
    - The unique ID for alerts was incorrectly used to calculate the process link (link_process)
    In addition, two changes were made in this release:
    - A link_sensor is now generated for all raw endpoint events
    - The list of Watchlist, Feed, and Binarystore events is expanded to any EDR event type that starts with watchlist.

    Read More >>

    What a difference a year makes! Almost a year ago, we released a bunch of new features in cbapi to help developers become more productive with the Carbon Black EDR REST API. Since then, we’ve changed the name of the company, created an entirely new Developer Network website, created a new, even easier-to-use and more powerful Python API, and most importantly, merged the APIs for both EDR and App Control into the same code base!

    Read More >>

    CB Event Forwarder 3.2.0 Released

    Posted on Jun 27, 2016

    The Carbon Black Developer Network is proud to announce a new major release of the Carbon Black Event Forwarder, 3.2.0. The Carbon Black Event Forwarder is a standalone service that will listen on the Carbon Black enterprise bus and export events (both watchlist/feed hits as well as raw endpoint events, if configured) in a normalized JSON or LEEF format. The events can be saved to a file, delivered to a network service or archived automatically to an Amazon AWS S3 bucket.

    Read More >>

    The 1.2.4 release of the ThreatConnect connector adds one feature: Added proxy support

    Read More >>

    The EDR product was developed as an "API-first" application. Every action in the product can be performed programmatically through the API. In fact, the entire Carbon Black EDR web user interface is implemented on top of the API: the web user interface is a JavaScript application that makes API calls straight from your web browser (check out the Chrome Developer Tools screencast if you're interested in more details). To expose the power of this API in Python applications, the first version of the cbapi module was published on August 21, 2013 on GitHub.

    Read More >>

    CB Event Forwarder 3.1.4 Released

    Posted on Apr 25, 2016

    The 3.1.4 release of cb-event-forwarder adds two features:
    - Updated code to support Go 1.6.1
    - The following keys within ioc_attr and netconns will now also be present in the top-level dictionary, normalized for QRadar: local_ip -> src, local_port -> srcPort, protocol -> proto, remote_ip -> dst, remote_port -> dstPort.

    Read More >>

    Splunk App for EDR 0.9.1 Released

    Posted on Apr 15, 2016

    The 0.9.1 release of the Splunk App for EDR adds new features:
    - New 'Overview' dashboard to summarize watchlist hits and feed hits
    - New Carbon Black data model
    - New `cb` macro
    Get the app on Splunkbase: https://splunkbase.splunk.com/app/3099/ Special thanks to Michael Haag for his code contribution.

    Read More >>

    CbAPI 0.8.1 Released

    Posted on Apr 14, 2016

    The latest release of CbAPI, 0.8.1, fixes two incompatibilities with Carbon Black Enterprise Response server version 5.1.1. All users should update cbapi via pip by running: pip install --upgrade cbapi

    Read More >>

    TAXII Connector 1.4 for EDR Released

    Posted on Apr 13, 2016

    Changelog
    CbTAXII version 1.4 now uses the Python requests library for HTTP/HTTPS connections to TAXII servers. This enhances the compatibility of the TAXII connector with a wider variety of TAXII servers. In addition, you can now optionally disable SSL certificate validation for a specific TAXII server by setting the sslverify option:
        # by default, we validate SSL certificates. Turn this off by setting sslverify=false
        sslverify=false
    With validation off the connector accepts any certificate presented for that server, so an on-path host can impersonate it and feed you indicators; reserve the option for servers you cannot yet trust through a CA and prefer adding the server's CA to the trust store. This version of CbTAXII was built with libtaxii version 1.

    Read More >>
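    How a per-server sslverify option should be read and applied, as an added example (not CbTAXII's own code): the option is parsed as a real boolean with verification as the default, and only an explicit false switches off both chain and hostname checking, with a warning logged each time. The config text, its section names and the site key are constructed for this example; only the sslverify option name comes from the release note.

```python
# Added example: turn a per-server sslverify setting into an ssl.SSLContext.
import configparser
import logging
import ssl

# Constructed config text; section names and the 'site' key are assumptions.
CONFIG_TEXT = """
[public_taxii]
site = taxii.example.org
# sslverify omitted: defaults to true

[internal_taxii]
site = taxii.corp.example
sslverify = false
"""

log = logging.getLogger("cbtaxii")


def load_sites(text):
    """Parse each [section] into {'site': ..., 'sslverify': bool}.
    getboolean() understands true/false, yes/no, on/off and 1/0 and raises on
    anything else, so a mistyped value fails loudly instead of being guessed."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sites = {}
    for section in cp.sections():
        sites[section] = {
            "site": cp.get(section, "site"),
            "sslverify": cp.getboolean(section, "sslverify", fallback=True),
        }
    return sites


def ssl_context_for(site_cfg):
    """The default context verifies the chain and the hostname. sslverify=false
    switches both off, which lets any on-path host impersonate the TAXII server,
    so every such connection setup is logged. check_hostname must be cleared
    before verify_mode is set to CERT_NONE or ssl raises."""
    ctx = ssl.create_default_context()
    if not site_cfg["sslverify"]:
        log.warning("sslverify=false for %s: certificate validation disabled",
                    site_cfg["site"])
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies(ctx):
    """True when the context still validates both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    for name, cfg in load_sites(CONFIG_TEXT).items():
        state = "verifies" if verifies(ssl_context_for(cfg)) else "NOT verifying"
        print(name, cfg["site"], state)
```

    With requests the equivalent is passing verify=False (or a CA bundle path) per call; the point of parsing the flag this way is that an absent or misspelled option never silently disables validation.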

    Changelog This version of the WildFire connector upgrades the WildFire API to the latest version, fixing compatibility problems with both the cloud and on-premise WildFire appliances. The old API used by previous versions of the WildFire connector is no longer supported or available, so all users of the WildFire connector must upgrade for the connector to function. Also included in this release: Fixes to high CPU usage. The connector should now use a very small CPU% when running.

    Read More >>

    CB Event Forwarder 3.1.3 Released

    Posted on Apr 5, 2016

    The 3.1.3 release of cb-event-forwarder adds two features:
    - Allow the S3 configuration to specify a prefix (sub-folder)
    - Decode the search query for feed hits where ioc_type is query
    and fixes the following issues:
    - LEEF output does not escape CR (carriage return) characters
    - Pre-start script should redirect output

    Read More >>
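    The two output fixes that recur across the 3.1.x and 3.2.x notes above, the QRadar key normalization for netconns and ioc_attr (3.1.4) and escaping of carriage returns in LEEF output (3.1.3), as one added example in Python rather than the forwarder's own Go code. The sample events are constructed; the QRadar key renames are those stated in the 3.1.4 note, while the backslash escaping of CR/LF/tab and the dotted flattening of nested ioc_attr fields are this example's conventions.

```python
# Added example: QRadar key normalization plus a one-line LEEF 1.0 record with
# CR/LF escaped. Not cb-event-forwarder code.

# Renames stated in the 3.1.4 release note.
QRADAR_KEYS = {
    "local_ip": "src",
    "local_port": "srcPort",
    "protocol": "proto",
    "remote_ip": "dst",
    "remote_port": "dstPort",
}

# Constructed sample events; values are made up for this example.
NETCONN = {
    "type": "ingress.event.netconn",
    "sensor_id": 12,
    "process_guid": "00000006-0000-0bc4-01d1-9a2e3f4c5d6e",
    "local_ip": "10.1.2.3",
    "local_port": 50123,
    "remote_ip": "203.0.113.7",
    "remote_port": 443,
    "protocol": 6,
    "direction": "outbound",
    "domain": "update.example.net",
}

FEED_HIT = {
    "type": "feed.ingress.hit.process",
    "sensor_id": 12,
    "feed_name": "example_feed",
    "report_title": "Beacon to known C2\r\nsecond line",
    "ioc_attr": {"remote_ip": "203.0.113.7", "remote_port": 443, "protocol": 6},
}


def normalize_for_qradar(event):
    """Return a copy with the QRadar names added at the top level. Feed hits
    carry the connection fields inside ioc_attr, netconns at the top level.
    Original keys are kept so existing consumers keep working."""
    out = dict(event)
    ioc_attr = event.get("ioc_attr")
    source = ioc_attr if isinstance(ioc_attr, dict) else event
    for old, new in QRADAR_KEYS.items():
        if old in source:
            out[new] = source[old]
    return out


def leef_escape(value):
    """Backslash-escape characters that would break a record-per-line,
    tab-delimited LEEF stream (this example's convention)."""
    return (str(value)
            .replace("\\", "\\\\")
            .replace("\r", "\\r")
            .replace("\n", "\\n")
            .replace("\t", "\\t"))


def to_leef(event, vendor="CB", product="CbEnterpriseResponse", version="5.1"):
    """LEEF 1.0 header is LEEF:1.0|Vendor|Product|Version|EventID| followed by
    tab-delimited key=value attributes. Nested dicts are flattened with a
    dotted prefix so no field is dropped."""
    flat = {}
    for key, val in event.items():
        if isinstance(val, dict):
            for sub, subval in val.items():
                flat[f"{key}.{sub}"] = subval
        else:
            flat[key] = val
    attrs = "\t".join(f"{k}={leef_escape(v)}" for k, v in sorted(flat.items()))
    return f"LEEF:1.0|{vendor}|{product}|{version}|{event['type']}|{attrs}"


if __name__ == "__main__":
    for ev in (NETCONN, FEED_HIT):
        print(to_leef(normalize_for_qradar(ev)))
```

    Whatever escaping convention you choose, the receiving parser must apply the inverse; an unescaped CR in a field value ends the record early on the SIEM side and silently truncates the alert.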

    Carbon Black is proud to announce the launch of our new Carbon Black Developer Network web site! Carbon Black is committed to providing open APIs and enabling all customers to integrate Carbon Black’s products into their security technology stack. As part of that commitment, Carbon Black’s Developer Relations team has created this site to provide the security community the technical documentation required to build best-in-class defenses against today’s advanced threats.

    Read More >>

    CB Event Forwarder 3.1.2 Released

    Posted on Jan 29, 2016

    The 3.1.2 release of cb-event-forwarder adds two features:
    - You can now send arbitrary messages for debugging/testing purposes through the forwarder to the output location. This is only available when the cb-event-forwarder is started with the -debug command line switch. Messages sent via this mechanism are also logged for audit purposes.
    - S3: You can now explicitly specify the location of the AWS credential file to use for authentication in the credential_profile option in the [s3] section of the configuration file.

    Read More >>

    CbAPI now available on PyPI

    Posted on Jan 15, 2016

    We have just published the Python EDR bindings to the central Python packaging repository, PyPI. The recommended way to install the cbapi Python module is now via the standard Python pip package: $ pip install cbapi The current version of cbapi on PyPI is 0.8.0. We will announce new releases here as they become available. Happy hunting!

    Read More >>

    CB Event Forwarder 3.1.0 Released

    Posted on Dec 24, 2015

    The 3.1.0 release of cb-event-forwarder adds the following features over 3.0.0:
    - "Deep links" into the Cb server UI are now optionally available in the output. These links allow you to directly access the relevant sensor, binary, or process context for each event output by the cb-event-forwarder. The new variable cb_server_url has been added to the configuration file to support this feature; set it to the base URL of the Carbon Black web UI.

    Read More >>

    CB Event Forwarder 3.0.0 Released

    Posted on Dec 10, 2015

    Major new features in 3.0:
    - Vastly improved performance and reliability
    - New monitoring infrastructure: the service has a JSON-based API to retrieve diagnostics on its processing. See the README for more details.
    In general, the new cb-event-forwarder 3.0 is designed to be a drop-in replacement for previous versions of the event forwarder. There are a few bug fixes, configuration changes and enhancements of note. The most important change is that the service is now managed by the "upstart" system in CentOS 6.

    Read More >>

    New cbapi release - Summer 2015

    Posted on Jul 13, 2015

    Major release with new features. New functions added to cbapi in this release include:
    Extended API, an easier way to use cbapi:
    - binary_search_iter: query the binary datastore the same as binary_search, but returns an iterator over the results: for binary in binary_search_iter(...)
    - process_search_iter: same as above, but for process_search
    - process_search_and_events_iter: provides the event data for every process returned by process_search_iter
    User management functions:
    - user_add_from_data: adds a new authorized user into Cb
    - user_enum: enumerates Cb's user database
    - user_info: retrieves information about one user from Cb
    - output_user_activity: retrieves login activity from the Cb server
    - user_del: deletes a user from Cb
    Feed API: see examples, such as feed_action_add.

    Read More >>

    Carbon Black SDK release

    Posted on Jan 1, 0001

    The Carbon Black SDK provides a framework for easily creating arbitrary connectors and integrations with Carbon Black products. The cb-integration project provides Python libraries for generic integrations and a specialized framework for binary analysis connectors. See the source code in the cb-integration repo for implementation details. The CBSDK is cross-platform and should work on any environment that has Docker 1.7+ and docker-compose. At its core, the CBSDK provides a lightweight Linux container for connectors that can be pulled from Docker Hub with: $ docker pull cbdevnetwork/cbsdk

    Read More >>

    CB Event Forwarder 4.0.0 Beta

    Posted on Jan 1, 0001

    4.0.0 BETA PRERELEASE
    In general, the new cb-event-forwarder 4.0 is designed to be a (nearly) drop-in replacement for previous versions of the event forwarder, supporting the same features (along with a number of oft-requested enhancements, suggestions and bugfixes), merely using a new configuration format: YAML.
    - Configuration format changed to YAML; old configurations will not work.
    - Architectural overhaul.
    - Plugins.
    - Output: new format option. Set format: template and provide a template to format the output CbR event messages.
    - Multiple-input, multiple-output pipeline for events: can consume events from multiple CbR message queue systems in input:, and can output to multiple event types and formats in output:.
    - (Optional) event filtering at the event forwarder (between input and output, for all events seen by the forwarder) using Go's templating language: simply provide a filter: { template: {{return KEEP or DROP to keep or drop a message}} }.
    - Output format updates and tweaks, very similar to the previous format; standardization of alert/feeds/watchlist.

    Read More >>