Carbon Black Cloud API Access

Introduction

This guide covers the steps required for accessing Carbon Black Cloud APIs:

  1. Determine whether you are using Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization
  2. Authenticate your request
  3. Construct your Request
  4. Structure of Base URLs
  5. Make the Request
  6. Troubleshooting

Make a Call

As either a quick start or to know where we are going, this a sample request to get all devices with a specific id. Follow the information on this page for info on how to create them.

The X-Auth-Token authentication method uses the API Id and Secret directly in the call to the Carbon Black Cloud APIs.

This is a valid cURL request - some values need to be replaced with yours.

curl https://defense.conferdeploy.net/appservices/v6/orgs/ABCD1234/devices/_search \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{"criteria": {"id": [ "1234567" ]}}'
This is the same request with the variables named. Follow the information on this page for info on how to create them.
$ curl {cbc-hostname}/{API Service Category}/{API path} \
-X POST \
-H 'X-Auth-Token: {API Secret}/{API ID}' \
-H 'Content-Type: application/json' \
-d '{{request body}}'
First use the OAuth App Id and Secret (obfuscated with base64 encoding) to get an Access Token.
curl --request POST '{csp-hostname}/csp/gateway/am/api/auth/token' \
--header 'Authorization: Basic {base64(App ID:App Secret)}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials'
Then use the Access Token to call Carbon Black Cloud APIs.
curl --request GET '{cbc-hosthame}/appservices/v6/orgs/{org_key}/devices/{device_id}' \
--header 'Authorization: Bearer {csp-generated-access-token}' \
--header 'Content-Type: application/json'
First use the API Token to get an Access Token
curl --location -g --request POST '{csp-hostname}/csp/gateway/am/api/auth/api-tokens/authorize' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'api_token={api_token}'
Then use the Access Token to call Carbon Black Cloud APIs.
curl --location --request GET '{cbc-hostname}/{API Service Category}/{API path}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {csp-generated-access-token}'

If you are using VMware Cloud Services Platform, the X-Auth-Token method continues to be supported for backwards compatibility of existing integrations; enter your OAuth App Id and App Secret where the integration asks for API Id and API Key respectively. New integrations should be developed to support both X-Auth-Token authentication as well as OAuth Apps using a bearer and then access token.

For a tutorial on how to make API calls and some commonly used tools, see the series of videos for Getting Started with APIs on Tech Zone.

Determine the Identity Manager

There are two identity management solutions. In the UK Point of Presence (UK PoP or Prod UK) VMware Cloud Services Platform is deployed. Over time this will become an option in other environments.

You know you use Carbon Black Cloud to manage identities and authentication in your environment if:

1. You log in through the Carbon Black Cloud Console:


2. On the top right menu you see a list which products are enabled and not

You know you use VMware Cloud Services Platform to manage identities and authentication in your environment if:

1. You log in through the VMware Cloud Services Platform portal:


2. Within Carbon Black Cloud, from the top right hand corner a menu opens with VMware Cloud Services options.


Authenticate your Request

Carbon Black Cloud APIs and Services are authenticated via API Keys. In order to access the data in Carbon Black Cloud via API, you must set up keys with the correct permissions for the calls you want to make.

The first step of Authentication is determining the appropriate access level for the API. The majority of APIs use an API Key type of Custom. The exceptions are two APIs in Endpoint Standard:

  • integrationServices/v3/auditlogs requires an API Key of type API
  • integrationServices/v3/notification requires an API Key of type SIEM

(Some deprecated APIs, also in integrationServices, also have special permissions.)

For more information about Role-Based Access, see the RBAC Guide.

Carbon Black Cloud Manages identities and roles

If your service category uses an API Key of type Custom, an Access Level with minimal permissions should be created to follow the practice of least privilege.

1. Go to your Carbon Black Cloud console, and open the Add Access Level panel from Settings > API Access > Access Levels tab.

2. Give the access level a unique name (you will need this for creating your API Key) and give it a description.

3. From the table below, scroll down until you see your API Service Category. Some Service Categories have multiple permissions that can be configured. The API documentation will indicate which permissions are required for each call.

This example shows the permissions “Create”, “Read”, “Update”, and “Delete” are granted for the Settings permissions in the Data Forwarding category.*

For more information about Role-Based Access, see the RBAC Guide.
This is like adding a user to a system and setting their access level, except you are granting access to your application or script instead of a user.

1. To create an API Key, go to Settings > API Access > API Keys tab in the Carbon Black Cloud console.

2. Select Add API Key from the far right.

3. Give the API Key a unique name, and select the appropriate access level provided in the table above. If you select Custom, you will need to choose the Access Level you created in the prior section.
• Choose a name to clearly distinguish the API from your organization’s other API Keys.
Example: Event_Forwarder_Test_Key

• For keys of type API and SIEM, you can also add Authorized IP addresses and a description to differentiate among your APIs. Administrators can restrict use of an API Key to a specific set of IP addresses for security reasons.


5. Hit save, and you will be provided with your API Key Credentials:
• API Secret Key
• API ID
6. If your API Key already exists, you can view your credentials by opening the Actions dropdown and selecting API Credentials. This will reveal your API Secret Key and API ID.
• If your system becomes compromised, you can generate a new secret key here (this is like changing the password for your application or script).


VMware Cloud Services Manages identities and roles

See OAuth Access Control for steps to create a custom role and an OAuth app with those permissions.

Detail of managing roles and permissions using the Cloud Services Platform is in the Carbon Black Cloud User Guide.

Construct your Request

You will need to construct your base URL in order to run the API calls.

Build the Base URLs

The base URL is comprised of the following:

  • Hostname + Environment (based on your organization’s product instance)
  • API Service Category (based on which Carbon Black Cloud product the API is for)
  • API path (based on the API version you choose)
  • Org key (found in your product console under Settings > API Access > API Keys)

These components are put together in the following structure:

Hostname / API Service Category / API Path / Org Key

The URL Parts

Hostname

First you need to determine which environment, or product URL you use. You can find this by looking at the web address of your Carbon Black Cloud console. Select your URL to view a table with the base URL for each product and API.

Environment hostname
EAP01 https://defense-eap01.conferdeploy.net
Prod 01 https://dashboard.confer.net
Prod 02 https://defense.conferdeploy.net
Prod 05 https://defense-prod05.conferdeploy.net
Prod 06 https://defense-eu.conferdeploy.net
Prod NRT https://defense-prodnrt.conferdeploy.net
Prod Syd https://defense-prodsyd.conferdeploy.net
Prod UK https://ew2.carbonblackcloud.vmware.com

If you are using VMware Cloud Platform Services, this URL is the Carbon Black Cloud Console URL used after opening it via Services -> VMware Carbon Black Cloud > Launch Service.

• The URL for VMware Cloud Services is probably https://console.cloud.vmware.com.
• In VMware Cloud Services Console go to the Services menu on the left.
• Launch VMware Carbon Black Cloud.

• Get the URL when Carbon Black Cloud opens.

API Service Category

The API Service Category corresponds to the Carbon Black Cloud product and API you use

  • Platform APIs use one of the following API Service Categories:
    • /appservices/ for Alerts, Devices, Live Response and Reputation Override APIs v6
    • /data_forwarder/ for the Data Forwarder Configuration APIs (previously Event Forwarder)
    • /investigate/ for the Platform Search APIs (Processes or Enriched Events)
    • /jobs/ for the Jobs Service APIs
    • /policyservice/ for policy management APIs
    • /sus/ for the Sensor Update Service APIs
    • /vulnerability/assessment/api/ for the Vulnerability Assessment APIs
  • Enterprise EDR APIs use one of the following API Service Categories:
    • /threathunter/ for the Feed Search and Feed Manager APIs
    • /ubs/ for the Unified Binary Store REST API
  • Audit and Remediation APIs use /livequery/
  • Endpoint Standard APIs use one of the following API Service Categories:
    • /device_control/ for the Device Control APIs
    • /integrationServices/ for the Integration Service APIs for Audit Logs and Notification APIs
    • /investigate/ for the Enriched Events Search APIs
  • Workload APIs use one of the following API Service Categories:
    • /applianceservice/ for the Appliance Service APIs
    • /lcm/view/ for the VM Workloads Search APIs
    • /lcm/ for the Sensor Lifecycle Management APIs
    • /public-cloud/account-management/ for Public Cloud Account Management

API Path

The API Path is specific to the API call you’re using. Usually it is the API version, e.g. v1.

Org Key

Most Carbon Black Cloud APIs or Services require an org_key in the API request path to support customers who manage multiple organizations.

  • You can find your org_key in the Carbon Black Cloud Console under Settings > General, and if Carbon Black Cloud manages your identities it is also available on Settings > API Access.
  • When inserting your Org Key, do not include any < > or { } brackets around the value.

Structure of Base URLs


Get your {hostname} from the section above.

Follow the API Name for details on the request and response structure for each API call.

Product & API Name Service Category API Key Access Level Type Base URL Structure
Platform (Any Carbon Black Cloud Product)
Access Profiles and Grants /access/ Custom (with appropriate permissions) {hostname}/access/v2/orgs/{org_key}/
Alerts /appservices/ Custom (with appropriate permissions) {hostname}/appservices/v6/orgs/{org_key}/alerts
Data Forwarder Configuration /data_forwarder/ Custom (with appropriate permissions) {hostname}/data_forwarder/v2/orgs/{org_key}/configs
Devices /appservices/ Custom (with appropriate permissions) {hostname}/appservices/v6/orgs/{org_key}/devices
Jobs Service /jobs/ Custom (with appropriate permissions) {hostname}/jobs/v1/orgs/{org_key}
Live Response v6 /appservices/ Custom (with appropriate permissions) {hostname}/appservices/v6/orgs/{org_key}/liveresponse
Policy /policyservice/ Custom (with appropriate permissions) {hostname}/policyservice/v1/orgs/{org_key}/policies
Process Search /investigate/ Custom (with appropriate permissions) {hostname}/investigate/{v1 or v2}/orgs/{org_key}
Reputation Override v6 /appservices/ Custom (with appropriate permissions) {hostname}/appservices/v6/orgs/{org_key}/reputations/overrides
Sensor Update Service /sus/ Custom (with appropriate permissions) {hostname}/sus/v2/orgs/{org_key}
User Management /appservices/ Custom (with appropriate permissions) {hostname}/appservices/v6/orgs/{org_key}/users
Vulnerability Assessment /vulnerability/assessment/api/ Custom (with appropriate permissions) {hostname}/vulnerability/assessment/api/v1/orgs/{org_key}
Endpoint Standard
Audit Logs /integrationServices/ API (Live Response is deprecated) {hostname}/integrationServices/v3/auditlogs
Device Control /device_control/ Custom (with appropriate permissions) {hostname}/device_control/v3/orgs/{org_key}
Enriched Events Search /investigate/* Custom (with appropriate permissions) {hostname}/investigate/{v1 or v2}/orgs/{org_key}
Notifications /integrationServices/ SIEM {hostname}/integrationServices/v3/notification
Enterprise EDR
Feed Manager /threathunter/feedmgr Custom (with appropriate permissions) {hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Feed Search /threathunter/feedsearch Custom (with appropriate permissions) {hostname}/threathunter/feedsearch/v1/orgs/{org_key}/search
Unified Binary Store /ubs/ Custom (with appropriate permissions) {hostname}/ubs/v1/orgs/{org_key}
Watchlist /threathunter/watchlistmgr/ Custom (with appropriate permissions) {hostname}/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists
Audit and Remediation
Differential Analysis /livequery/ Custom (with appropriate permissions) {hostname}/livequery/v1/orgs/{org_key}/differential
Live Query /livequery/ Custom (with appropriate permissions) {hostname}/livequery/v1/orgs/{org_key}
Workload
Appliance Service /applianceservice/ Custom (with appropriate permissions) {hostname}/applianceservice/v1/orgs/{org_key}
Sensor Lifecycle Management /lcm/ Custom (with appropriate permissions) {hostname}/lcm/v1/orgs/{org_key}
NSX Remediation /applianceservice/ Custom (with appropriate permissions) {hostname}/applianceservice/v1/orgs/{org_key}
Public Cloud Account Management /public-cloud/account-management/ Custom (with appropriate permissions) {hostname}/public-cloud/account-management/v1/orgs/{org_key}
VM Workloads Search v2 /lcm/view/ Custom (with appropriate permissions) {hostname}/lcm/view/v2/orgs/{org_key}

Make the Request

Now you have all the information needed to populate the template curl request from the beginning and make your own request.

Choose how to make the request.

  1. If you use Carbon Black Cloud to manage identities then X-Auth-Token is your only option.
  2. If you use Cloud Services Platform and are building scripts that you will run personally and should run with your privileges, then create a Personal API Token.
  3. If you use Cloud Services Platform and are building an integration to connect Carbon Black Cloud with another application, use the OAuth App protocol.
  4. If you use Cloud Services Platform and require the script to also be compatible with instances of Carbon Black Cloud that use Carbon Black Cloud to manage identities then also use the X-Auth-Token. Consider implementing this and the OAuth App protocol for forward looking compatibility.

This is the only way to call APIs if Carbon Black Cloud is used to manage roles and identities. If you use VMware Cloud Services Platform, this mechanism is supported for backwards compatibility. However, for new integrations it is recommended to use the OAuth App protocol described in the next option.

$ curl {cbc-hostname}/{API Service Category}/{API path} \
-X POST \
-H 'X-Auth-Token: {API Secret}/{API ID}' \
-H 'Content-Type: application/json' \
-d '{{request body}}'
The steps required to use the OAuth protocol are:
1. Make the API call with the OAuth App credentials to VMware Cloud Services Platform.
2. Make API calls to CBC APIs using the access token to perform functions as required.
3. Refresh the access token when the TTL expires

Full details, including creating an OAuth App are on the O-Auth Access page.

1. Use the API Token to request an authentication token from the Cloud Services Platform. An authentication token will be returned in the response.
curl --location -g request POST '{csp-hostname}/csp/gateway/am/api/auth/api-tokens/authorize' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'api_token={api_token}'
2. Make the calls to Carbon Black Cloud APIs using the authorization token in the csp-auth-token header.
3. Refresh the authorization token when the TTL expires.

curl --location --request GET '{cbc-hostname}/{API Service Category}/{API path}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer {csp-generated-access-token}'
See complete instructions in the VMware Cloud Services user guide in the section How do I generate API tokens.

Troubleshooting

Troubleshooting REST API Errors

Reason: Usually means that request contains unexpected parameters.
Suggested fix: Verify that your request adheres to API documentation.
Reason: Either authentication (invalid token) or access control (missing RBAC) error.
Suggested fix: Check that your X-Auth-Token matches the format secret_key/api_id and that the values are correct.
Reason: The specified object cannot be accessed or changed.
Suggested fix: If it has a Custom access level, check it has been assigned the correct RBAC permissions. If it is an API, SIEM or LIVE_RESPONSE type key, verify it is the right key type for the API in use.
Reason: The object referenced in the request cannot be found.
Suggested fix: Verify that your request contains objects that haven’t been deleted. Verify that the`org_key`in the path is correct.
Reason: Either the name you chose already exists, or there is an unacceptable character used.
Suggested fix: Change any spaces in the name to underscores. Look through your list of API Keys and see if there is an existing key with the same name.
Reason: Access to the target resource is no longer available at the origin server and that this condition is likely to be permanent.
Suggested fix: It is likely this API was deactivated. Review the documentation to find the replacement and migration information.
Reason: Cannot return object at this moment because service is unavailable.
Suggested fix: This can happen if too many file downloads are happening at the same time. You can try later.
Reason: An unexpected error occurred on the server
Suggested fix: Something went wrong on the back end. Try the request again and if it happens consistently open a support case.

Other Troubleshooting Tips

  • When passing your auth token in the header, make sure the API Secret Key is first and the API ID is second.
  • Make sure you are using your own API Secret key from the product console and not ABCDEFGHIJKLMNOPQRSTUVWX.
  • When inserting your Org Key, do not include any < > or { } brackets between the backslashes.
  • An HTTP 401 Unauthorized error can occur if you attempt to access an API that is not allowed by a given API Key Access Level.
  • If you have issues, try testing in Postman so you can evaluate your request in a raw format before scripting.
Last modified on August 4, 2022