Carbon Black Cloud API Access

Introduction

This guide covers the steps required for accessing Carbon Black Cloud APIs:

  1. Authenticating your request
  2. Constructing your Request
  3. Index of Base URLs
  4. Troubleshooting

Authenticating your Request

Carbon Black Cloud APIs and Services are authenticated via API Keys. This means that in order to access the data in Carbon Black Cloud via API, you must set up Access Levels and API Keys in the Carbon Black Cloud Console.

The first step of Authentication is determining the appropriate access level for the API. The table below provides the Access Levels permitted for each Service Category of APIs. The service category maps to the Carbon Black Cloud product you use, and some products have multiple service categories. If your API is “Custom”, you will need to create a Custom Access Level in the Carbon Black Cloud console before you create an API Key.

| Product | API | Service Category | API Key Access Level(s) Permitted |
|---|---|---|---|
| Carbon Black Cloud Platform (PSC) | Alerts API, Devices API | /appservices/* | Custom (must add an access level with appropriate permissions) |
| Carbon Black Cloud Platform (PSC) | Event Forwarder Configuration API | /event-forwarder/config/ | Custom (for full access, use Create, Read, Update, & Delete permissions for the category Event Forwarding Settings) |
| Endpoint Standard | REST API, LiveResponse API | /integrationServices/* | API or Live Response. Note: If you are using Live Response APIs, then you need to add a Live Response Access Level each for Platform, Enterprise EDR, or Endpoint Standard API that uses the Access Level Type of “API”. Where either API or Live Response are listed, if Live Response APIs are in use (/integrationServices/v3/cblr), then the Live Response Access level should be used. Otherwise use the Access Level of API to prevent the key being used for live response operations. |
| Endpoint Standard | Notifications | /integrationServices/v3/notification | SIEM. Note: Connecting a SIEM may require both API and SIEM Access Level Type. The SIEM API Key can be added as a subscriber to Notifications, and then the API Key can be used to script calls to collect specific information (like getting all Events tied to a given AlertID). |
| Enterprise EDR | Feed Search API, Feed Manager API, Watchlist API | /threathunter/* | Custom (must add an access level with appropriate permissions). |
| Enterprise EDR | Process Search API V1 & V2 | /investigate/ | Custom (must add an access level with appropriate permissions) |
| Enterprise EDR | Unified Binary System API | /ubs/ | Custom (must add an access level with appropriate permissions) |
| Audit and Remediation | LiveQuery REST API | /livequery/* | Custom (must add an access level with appropriate permissions) |

Creating a Custom Access Level

  1. If your service category requires Custom Access Level, go to your Carbon Black Cloud console, and open the “Add Access Level” panel from Settings > API Access > Access Levels tab.
  2. Give the access level a unique name (you will need this for creating your API Key) and give it a description.
  3. From the table below, scroll down until you see your API Service Category. Some Service Categories have multiple permissions that can be configured. The API documentation will indicate which permissions are required for each call.

This example shows the permissions “Create”, “Read”, “Update”, and “Delete” are granted for the Settings permissions in the Event Forwarding category.

For more information about Role-Based Access, see the RBAC Guide.

Creating an API Key

This is like adding a user to a system and setting their access level, except you are granting access to your application or script instead of a user.

  1. To create an API Key, go to Settings > API Access > API Keys tab in the Carbon Black Cloud console.
  2. Select “Add API Key” from the far right.
  3. Give the API Key a unique name, and select the appropriate access level provided in the table above. If you select “Custom”, you will need to choose the Access Level you created in the prior section.
    • Choose a name to clearly distinguish the API from your organization’s other API keys.
      Example: Event_Forwarder_Test_Key
    • You can also add Authorized IP addresses and a description to differentiate among your APIs. Administrators can restrict use of an API key to a specific set of IP addresses for security reasons.


  4. Hit save, and you will be provided with your API Key Credentials:
    • API Secret Key
    • API ID
  5. If your API Key already exists, you can view your credentials by opening the Actions dropdown and selecting API Credentials. This will reveal your API Secret Key and API ID.
    • If your system becomes compromised, you can generate a new secret key here (this is like changing the password for your application or script).
  6. Next, pass your credentials into the API via the X-Auth-Token HTTP header.
    • To generate the appropriate header, concatenate the API Secret Key with the API ID with a forward slash in between: X-Auth-Token: [API Secret Key]/[API ID]

Example: If Adam from Company Q has the API Secret Key ABCDEFGHIJKLMNOPQRSTUVWX and the API ID of 12345678, his corresponding X-Auth-Token HTTP header is:

X-Auth-Token: ABCDEFGHIJKLMNOPQRSTUVWX/12345678

Constructing your Request

You will need to construct your base URL in order to run the API calls.

First you need to determine which environment, or product URL you use. You can find this by looking at the web address of your Carbon Black Cloud console. Select your URL to view a table with the base URL for each product and API.

Read on for instructions on how to construct a base URL for the prod05 environment.

Building your Base URLs

The base URL consists of the following:

  • Hostname + Environment (based on your organization’s product instance)
  • Service Category (based on which Carbon Black Cloud product the API is for)
  • API route (based on the API version you choose)
  • Org key (found in your product console under Settings > API Access > API Keys)

If your organization uses the prod05 environment (i.e., your product URL is https://defense-prod05.conferdeploy.net/), you may use the following format to construct your base URL:

Hostname / API Service Category / API Path / Org Key

Explaining the URL Parts

Hostname

There is currently one hostname used for Carbon Black Cloud products:

API Service Category

The API Service Category corresponds to the Carbon Black Cloud product and API you use.

  • Platform APIs use one of the following API Service Categories:
    • /appservices/ for Alerts and Devices APIs
    • /event-forwarder-config/ for the Event Forwarder Configuration API
  • Enterprise EDR APIs use one of three API Service Categories:
    • /threathunter/ for the Feed Search and Feed Manager APIs
    • /investigate/ for the Process Search APIs
    • /ubs/ for the Unified Binary Store REST API
  • Audit and Remediation APIs use /livequery/
  • Endpoint Standard APIs use /integrationServices/

Org Key

Many Carbon Black Cloud APIs or Services require an org_key in the API request path to support customers who manage multiple organizations.

  • You can find your org_key in the Carbon Black Cloud Console under Settings > API Access.
  • When inserting your Org Key, do not include any < > or { } brackets around the value.
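
The header format from "Creating an API Key" and the URL layout from "Building your Base URLs" can be checked in code before any request is sent. The following is an added example, not Carbon Black code: the function names, the alphanumeric org_key pattern and the "secret is longer than the ID" heuristic are assumptions made for illustration.

```python
import re

# Path templates copied from the page's Index of Base URLs (a subset).
API_PATHS = {
    "alerts": "/appservices/v6/orgs/{org_key}/alerts",
    "devices": "/appservices/v6/orgs/{org_key}/devices",
    "livequery": "/livequery/v1/orgs/{org_key}",
}
DOC_SAMPLE_SECRET = "ABCDEFGHIJKLMNOPQRSTUVWX"  # the page's sample, never a real key

# Condensed from the page's REST API troubleshooting table.
HINTS = {
    400: "unexpected parameters; compare the request with the API documentation",
    401: "bad token or missing RBAC; X-Auth-Token must be secret_key/api_id",
    403: "wrong key type for this API, or Custom level lacks the permission",
    404: "object not found; check the org_key in the path",
    409: "name already exists or contains an unacceptable character",
    503: "service unavailable; retry later",
}


def auth_token(secret_key, api_id):
    """Return the X-Auth-Token value: API Secret Key first, API ID second."""
    if secret_key == DOC_SAMPLE_SECRET:
        raise ValueError("secret is the documentation sample value")
    if not secret_key or not api_id or "/" in secret_key + api_id:
        raise ValueError("both parts must be non-empty and contain no '/'")
    # Heuristic (assumption): the secret is the longer part, as in the page's
    # sample, so a longer "ID" usually means the two were swapped.
    if len(api_id) >= len(secret_key):
        raise ValueError("API ID is not shorter than the secret; order swapped?")
    return f"{secret_key}/{api_id}"


def base_url(hostname, api, org_key):
    """Join hostname, service category/API path and org key as the page lays out."""
    if not hostname.startswith("https://"):
        raise ValueError("hostname must be the https:// product URL")
    # Assumption: org keys are plain alphanumerics, so this also rejects a
    # value pasted with its < > or { } placeholder brackets.
    if not re.fullmatch(r"[A-Za-z0-9]+", org_key):
        raise ValueError("org_key must be the bare value without brackets")
    return hostname.rstrip("/") + API_PATHS[api].format(org_key=org_key)


def build_request(hostname, api, org_key, secret_key, api_id):
    """Return (url, headers) ready to hand to any HTTP client; nothing is sent."""
    return (base_url(hostname, api, org_key),
            {"X-Auth-Token": auth_token(secret_key, api_id)})


def redact(token):
    """Mask the secret half for logging; the API ID alone identifies the key."""
    _, _, api_id = token.partition("/")
    return "<redacted>/" + api_id


def explain(status):
    """Map an HTTP status to the page's suggested fix."""
    return HINTS.get(status, "not covered by the troubleshooting table")
```

Log the output of `redact()` rather than the raw header, since the header carries the API Secret Key in clear text.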

Index of Base URLs

Base URLs for EAP01


| Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-eap01.conferdeploy.net |
|---|---|---|---|
| Platform (Any Carbon Black Cloud Product) | | | |
| Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
| Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
| Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-eap01.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
| Endpoint Standard | | | |
| REST API | /integrationServices/ | API or Live Response | https://defense-eap01.conferdeploy.net/integrationServices/v3/ |
| Live Response API | /integrationServices/ | Live Response | https://defense-eap01.conferdeploy.net/integrationServices/v3/cblr |
| Notifications | /integrationServices/ | API and SIEM | https://defense-eap01.conferdeploy.net/integrationServices/v3/notification |
| Enterprise EDR | | | |
| Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
| Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
| Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
| Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
| Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/ubs/v1/orgs/{org_key} |
| Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Audit and Remediation | | | |
| LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/livequery/v1/orgs/{org_key} |

Base URLs for Prod 01


| Product & API Name | Service Category | API Key Access Level Type | Base URL for https://dashboard.confer.net/ |
|---|---|---|---|
| Platform (Any Carbon Black Cloud Product) | | | |
| Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://dashboard.confer.net/appservices/v6/orgs/{org_key}/alerts |
| Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://dashboard.confer.net/appservices/v6/orgs/{org_key}/devices |
| Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://dashboard.confer.net/event_forwarder_config/v1/orgs/{org_key}/configs |
| Endpoint Standard | | | |
| REST API | /integrationServices/ | API or Live Response | https://defense.confer.net/integrationServices/v3/ |
| Live Response API | /integrationServices/ | Live Response | https://defense.confer.net/integrationServices/v3/cblr |
| Notifications | /integrationServices/ | API and SIEM | https://defense.confer.net/integrationServices/v3/notification |
| Enterprise EDR | | | |
| Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
| Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
| Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/api/investigate/v1/orgs/{org_key} |
| Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/api/investigate/v2/orgs/{org_key} |
| Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://dashboard.confer.net/ubs/v1/orgs/{org_key} |
| Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Audit and Remediation | | | |
| LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://dashboard.confer.net/livequery/v1/orgs/{org_key} |

Base URLs for Prod 02


| Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense.conferdeploy.net/ |
|---|---|---|---|
| Platform (Any Carbon Black Cloud Product) | | | |
| Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
| Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
| Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
| Endpoint Standard | | | |
| REST API | /integrationServices/ | API or Live Response | https://defense.conferdeploy.net/integrationServices/v3/ |
| Live Response API | /integrationServices/ | Live Response | https://defense.conferdeploy.net/integrationServices/v3/cblr |
| Notifications | /integrationServices/ | API and SIEM | https://defense.conferdeploy.net/integrationServices/v3/notification |
| Enterprise EDR | | | |
| Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
| Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
| Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
| Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
| Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/ubs/v1/orgs/{org_key} |
| Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Audit and Remediation | | | |
| LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/livequery/v1/orgs/{org_key} |

Base URLs for Prod 05


| Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-prod05.conferdeploy.net/ |
|---|---|---|---|
| Platform (Any Carbon Black Cloud Product) | | | |
| Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
| Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
| Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-prod05.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
| Endpoint Standard | | | |
| REST API | /integrationServices/ | API or Live Response | https://defense-prod05.conferdeploy.net/integrationServices/v3/ |
| Live Response API | /integrationServices/ | Live Response | https://defense-prod05.conferdeploy.net/integrationServices/v3/cblr |
| Notifications | /integrationServices/ | API and SIEM | https://defense-prod05.conferdeploy.net/integrationServices/v3/notification |
| Enterprise EDR | | | |
| Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
| Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
| Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
| Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
| Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/ubs/v1/orgs/{org_key} |
| Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Audit and Remediation | | | |
| LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/livequery/v1/orgs/{org_key} |

Base URLs for Prod 06


| Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-eu.conferdeploy.net/ |
|---|---|---|---|
| Platform (Any Carbon Black Cloud Product) | | | |
| Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
| Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
| Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-eu.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
| Endpoint Standard | | | |
| REST API | /integrationServices/ | API or Live Response | https://defense-prod06.conferdeploy.net/integrationServices/v3/ |
| Live Response API | /integrationServices/ | Live Response | https://defense-prod06.conferdeploy.net/integrationServices/v3/cblr |
| Notifications | /integrationServices/ | API and SIEM | https://defense-prod06.conferdeploy.net/integrationServices/v3/notification |
| Enterprise EDR | | | |
| Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
| Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
| Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
| Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
| Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Audit and Remediation | | | |
| LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/livequery/v1/orgs/{org_key} |

Base URLs for Prod NRT


| Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-prodnrt.conferdeploy.net/ |
|---|---|---|---|
| Platform (Any Carbon Black Cloud Product) | | | |
| Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
| Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
| Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-prodnrt.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
| Endpoint Standard | | | |
| REST API | /integrationServices/ | API or Live Response | https://defense-prodnrt.conferdeploy.net/integrationServices/v3/ |
| Live Response API | /integrationServices/ | Live Response | https://defense-prodnrt.conferdeploy.net/integrationServices/v3/cblr |
| Notifications | /integrationServices/ | API and SIEM | https://defense-prodnrt.conferdeploy.net/integrationServices/v3/notification |
| Enterprise EDR | | | |
| Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
| Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
| Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
| Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
| Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/ubs/v1/orgs/{org_key} |
| Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
| Audit and Remediation | | | |
| LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/livequery/v1/orgs/{org_key} |

Troubleshooting

Troubleshooting REST API Errors

| Error Code | Reason for Error | Suggested Fix |
|---|---|---|
| HTTP 400 Bad request | Usually means that request contains unexpected parameters. | Verify that your request adheres to API documentation. |
| HTTP 401 Unauthorized | Either authentication (invalid token) or access control (missing RBAC) error. | Check that your X-Auth-Token matches the format secret_key/api_id and that the values are correct. |
| HTTP 403 Forbidden | The specified object cannot be accessed or changed. | If it has a Custom access level, check it has been assigned the correct RBAC permissions. If it is an API, SIEM or LIVE_RESPONSE type key, verify it is the right key type for the API in use. |
| HTTP 404 Not found | The object referenced in the request cannot be found. | Verify that your request contains objects that haven’t been deleted. Verify that the org_key in the path is correct. |
| HTTP 409 Conflict | Either the name you chose already exists, or there is an unacceptable character used. | Change any spaces in the name to underscores. Look through your list of API Keys and see if there is an existing key with the same name. |
| HTTP 503 Service unavailable | Cannot return object at this moment because service is unavailable. This can happen if too many file downloads are happening at the same time. | You can try later. |

Other Troubleshooting Tips

  • When passing your auth token in the header, make sure the API Secret Key is first and the API ID is second.
  • Make sure you are using your own API Secret key from the product console and not ABCDEFGHIJKLMNOPQRSTUVWX.
  • When inserting your Org Key, do not include any < > or { } brackets between the forward slashes.
  • An HTTP 401 Unauthorized error can occur if you attempt to access an API that is not allowed by a given API Key Access Level.
  • If you have issues, try testing in Postman so you can evaluate your request in a raw format before scripting.
Last modified on May 6, 2020