Getting Started with the Carbon Black APIs

Posted on December 28, 2015

CbAPI and Open APIs

Carbon Black believes the key to an effective security strategy is to provide open APIs so customers, partners and other vendors can tightly integrate with our solutions. This commitment to open APIs means that Carbon Black can unify all layers of your organization’s security stack so as to build an effective defense against the advanced adversary.

Whichever Cb product is in your security stack, the CbAPI works with it. We have done the hard work so you don't have to. Select your product use case and check out the getting started page for that product to start developing with the CbAPI. We think you'll find it easy and fun.

Getting Started with Cb Response

Check out our resources and tutorials on Cb Response!

Getting Started with Cb Protection

Check out the Cb Protection API documentation!

Getting Started with Cb Defense

Check out the Cb Defense API documentation!

Customer Use Case Examples

  • Send all process execution and endpoint network connection events to Splunk through the real-time Event Forwarder
  • Send all Carbon Black data to another storage mechanism (Hive/Hadoop)
  • Scan all collected binaries against Yara signatures
  • On alert, automatically ask Carbon Black which process is related to that alert and retrieve the entire process tree, binary information, event information, etc. (enrichment)
  • Receive alerts from BroIDS
  • Automatically isolate a machine from the network when a particular threat feed matches
  • Watch for outbound port 443 connections, go grab the certificate and do analysis on that certificate
  • Perform typical Carbon Black queries but process the data in a script to output it in a particular way (reporting, periodic queries, enriched process trees, etc.)
  • Consume threat indicators from CRITS
  • Watchlist sharing framework
  • Subscribe to network connections and plot them on a world map
  • Receive network connections, pull out DNS, determine whether the binary making the DNS query is signed or unsigned, and store all of this information
  • Watch for creation of files with a particular extension, then grab the files and store them centrally (all .bat scripts, .vbs scripts, etc.)
  • Watch events and try to look for anomalies (obviously this is complicated)