This guide covers the steps required for accessing Carbon Black Cloud APIs:
Carbon Black Cloud APIs and Services are authenticated via API Keys. This means that in order to access the data in Carbon Black Cloud via API, you must set up Access Levels and API Keys in the Carbon Black Cloud Console.
The first step of Authentication is determining the appropriate access level for the API. The table below provides the Access Levels permitted for each Service Category of APIs. The service category maps to the Carbon Black Cloud product you use, and some products have multiple service categories. If your API is “Custom”, you will need to create a Custom Access Level in the Carbon Black Cloud console before you create an API Key.
Product | API | Service Category | API Key Access Level(s) Permitted |
---|---|---|---|
Carbon Black Cloud Platform (PSC) | Alerts API, Devices API | /appservices/ | Custom (must add an access level with appropriate permissions) |
Carbon Black Cloud Platform (PSC) | Event Forwarder Configuration API | /event-forwarder/config/ | Custom (for full access, use Create, Read, Update, & Delete permissions for the category Event Forwarding Settings) |
Carbon Black Cloud Platform (PSC) | Platform Search API for Processes | /investigate/ | Custom (must add an access level with appropriate permissions) |
Carbon Black Cloud Platform (PSC) | Platform Search API for Enriched Events | /investigate/ | Custom (must add an access level with appropriate permissions) |
Carbon Black Cloud Platform (PSC) | Sensor Update Service | /sus/ | Custom (must add an access level with appropriate permissions) |
Carbon Black Cloud Platform (PSC) | Jobs Service | /jobs/ | Custom (must add an access level with appropriate permissions) |
Endpoint Standard | REST API, LiveResponse API | /integrationServices/ | API or Live Response. Note: If you are using Live Response APIs, then you need to add a Live Response Access Level each for Platform, Enterprise EDR, or Endpoint Standard API that uses the Access Level Type of “API”. Where either API or Live Response are listed, if Live Response APIs are in use (/integrationServices/v3/cblr), then the Live Response Access level should be used. Otherwise use the Access Level of API to prevent the key being used for live response operations. |
Endpoint Standard | Notifications | /integrationServices/v3/notification | SIEM. Note: Connecting a SIEM may require both API and SIEM Access Level Type. The SIEM API Key can be added as a subscriber to Notifications, and then the API Key can be used to script calls to collect specific information (like getting all Events tied to a given AlertID). |
Endpoint Standard | Device Control | /device_control/ | Custom (must add an access level with appropriate permissions) |
Enterprise EDR | Feed Search API, Feed Manager API, Watchlist API | /threathunter/* | Custom (must add an access level with appropriate permissions). |
Enterprise EDR | Process Search API V1 & V2 | /investigate/ | Custom (must add an access level with appropriate permissions) |
Enterprise EDR | Unified Binary System API | /ubs/ | Custom (must add an access level with appropriate permissions) |
Audit and Remediation | LiveQuery REST API | /livequery/ | Custom (must add an access level with appropriate permissions) |
Workload | Appliance Service | /applianceservice/ | Custom (must add an access level with appropriate permissions) |
Workload | Vulnerability Assessment | /vulnerability/assessment/api/ | Custom (must add an access level with appropriate permissions) |
Workload | VM Workloads Search | /lcm/view/ | Custom (must add an access level with appropriate permissions) |
Workload | Sensor Lifecycle Management | /lcm/ | Custom (must add an access level with appropriate permissions) |
This example shows the permissions “Create”, “Read”, “Update”, and “Delete” are granted for the Settings permissions in the Event Forwarding category.
For more information about Role-Based Access, see the RBAC Guide.
This is like adding a user to a system and setting their access level, except you are granting access to your application or script instead of a user.
X-Auth-Token: [API Secret Key]/[API ID]
Example: If Adam from Company Q has the API Secret Key ABCDEFGHIJKLMNOPQRSTUVWX and the API ID of 12345678, his corresponding X-Auth-Token HTTP header is:
X-Auth-Token: ABCDEFGHIJKLMNOPQRSTUVWX/12345678
You will need to construct your base URL in order to run the API calls.
First you need to determine which environment, or product URL you use. You can find this by looking at the web address of your Carbon Black Cloud console. Select your URL to view a table with the base URL for each product and API.
Read on for instructions on how to construct a base URL for the prod05 environment.
The base URL is comprised of the following:
If your organization uses the prod05 environment (i.e., your product URL is https://defense-prod05.conferdeploy.net/), you may use the following format to construct your base URL:
Hostname / API Service Category / API Path / Org Key
There is currently one hostname used for Carbon Black Cloud products:
The API Service Category corresponds to the Carbon Black Cloud product and API you use:
/appservices/ for Alerts and Devices APIs
/event-forwarder-config/ for the Event Forwarder Configuration APIs
/investigate/ for the Platform Search APIs (Processes or Enriched Events)
/sus/ for the Sensor Update Service APIs
/jobs/ for the Jobs Service APIs
/threathunter/ for the Feed Search and Feed Manager APIs
/investigate/ for the Process Search APIs
/ubs/ for the Unified Binary Store REST API
/livequery/
/integrationServices/ for the Integration Service APIs
/device_control/ for the Device Control APIs
/applianceservice/ for the Appliance Service APIs
/vulnerability/assessment/api/ for the Vulnerability Assessment APIs
/lcm/view/ for the VM Workloads Search APIs
/lcm/ for the Sensor Lifecycle Management APIs
Many Carbon Black Cloud APIs or Services require an org_key in the API request path to support customers who manage multiple organizations.
org_key in the Carbon Black Cloud Console under Settings > API Access.
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-eap01.conferdeploy.net |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-eap01.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-eap01.conferdeploy.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-eap01.conferdeploy.net/investigate/v2/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense-eap01.conferdeploy.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense-eap01.conferdeploy.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense-eap01.conferdeploy.net/integrationServices/v3/notification |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/ubs/v1/orgs/{org_key} |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-eap01.conferdeploy.net/livequery/v1/orgs/{org_key} |
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://dashboard.confer.net/ |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://dashboard.confer.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://dashboard.confer.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://dashboard.confer.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://dashboard.confer.net/investigate/v1/orgs/{org_key} or https://dashboard.confer.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://dashboard.confer.net/investigate/v1/orgs/{org_key} or https://dashboard.confer.net/investigate/v2/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense.confer.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense.confer.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense.confer.net/integrationServices/v3/notification |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://dashboard.confer.net/ubs/v1/orgs/{org_key} |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://dashboard.confer.net/livequery/v1/orgs/{org_key} |
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense.conferdeploy.net/ |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://defense.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense.conferdeploy.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://defense.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense.conferdeploy.net/investigate/v2/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense.conferdeploy.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense.conferdeploy.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense.conferdeploy.net/integrationServices/v3/notification |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/ubs/v1/orgs/{org_key} |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense.conferdeploy.net/livequery/v1/orgs/{org_key} |
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-prod05.conferdeploy.net/ |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-prod05.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-prod05.conferdeploy.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-prod05.conferdeploy.net/investigate/v2/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense-prod05.conferdeploy.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense-prod05.conferdeploy.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense-prod05.conferdeploy.net/integrationServices/v3/notification |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/ubs/v1/orgs/{org_key} |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-prod05.conferdeploy.net/livequery/v1/orgs/{org_key} |
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-eu.conferdeploy.net/ |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-eu.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-eu.conferdeploy.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-eu.conferdeploy.net/investigate/v2/orgs/{org_key} |
Sensor Update Service | /sus/ | Custom (with C R U D, or appropriate permissions) | https://defense-eu.conferdeploy.net/sus/v2/orgs/{org_key} |
Jobs Service | /jobs/ | Custom (with C R U D, or appropriate permissions) | https://defense-eu.conferdeploy.net/jobs/v1/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense-prod06.conferdeploy.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense-prod06.conferdeploy.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense-prod06.conferdeploy.net/integrationServices/v3/notification |
Device Control | /device_control/ | Custom (with C R U D, or appropriate permissions) | |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://dashboard.confer.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/livequery/v1/orgs/{org_key} |
Workload | |||
Appliance Service | /applianceservice/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/applianceservice/v1/orgs/{org_key} |
Vulnerability Assessment | /vulnerability/assessment/api/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/vulnerability/assessment/api/v1/orgs/{org_key} |
VM Workloads Search | /lcm/view/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/lcm/view/v1/orgs/{org_key} |
Sensor Lifecycle Management | /lcm/ | Custom (with appropriate permissions) | https://defense-eu.conferdeploy.net/lcm/v1/orgs/{org_key} |
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-prodnrt.conferdeploy.net/ |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-prodnrt.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-prodnrt.conferdeploy.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-prodnrt.conferdeploy.net/investigate/v2/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense-prodnrt.conferdeploy.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense-prodnrt.conferdeploy.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense-prodnrt.conferdeploy.net/integrationServices/v3/notification |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/ubs/v1/orgs/{org_key} |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-prodnrt.conferdeploy.net/livequery/v1/orgs/{org_key} |
Product & API Name | Service Category | API Key Access Level Type | Base URL for https://defense-prodsyd.conferdeploy.net/ |
---|---|---|---|
Platform (Any Carbon Black Cloud Product) | |||
Platform Alerts API | /appservices/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/appservices/v6/orgs/{org_key}/alerts |
Platform Devices API | /appservices/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/appservices/v6/orgs/{org_key}/devices |
Platform Event Forwarder Configuration API | /event-forwarder-config/ | Custom (with C R U D, or appropriate permissions) | https://defense-prodsyd.conferdeploy.net/event_forwarder_config/v1/orgs/{org_key}/configs |
Platform Search API - Processes | /investigate/* | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-prodsyd.conferdeploy.net/investigate/v2/orgs/{org_key} |
Platform Search API - Enriched Events | /investigate/* | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/investigate/v1/orgs/{org_key} or https://defense-prodsyd.conferdeploy.net/investigate/v2/orgs/{org_key} |
Endpoint Standard | |||
REST API | /integrationServices/ | API or Live Response | https://defense-prodsyd.conferdeploy.net/integrationServices/v3/ |
Live Response API | /integrationServices/ | Live Response | https://defense-prodsyd.conferdeploy.net/integrationServices/v3/cblr |
Notifications | /integrationServices/ | API and SIEM | https://defense-prodsyd.conferdeploy.net/integrationServices/v3/notification |
Enterprise EDR | |||
Feed Search API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/threathunter/feedsearch/v1/orgs/{org_key}/search |
Feed Manager API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/threathunter/feedmgr/v2/orgs/{org_key}/feeds |
Process Search V1 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/api/investigate/v1/orgs/{org_key} |
Process Search V2 API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/api/investigate/v2/orgs/{org_key} |
Unified Binary Store API | /ubs/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/ubs/v1/orgs/{org_key} |
Watchlist API | /threathunter/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/threathunter/watchlistmgr/v3/orgs/{org_key}/watchlists |
Audit and Remediation | |||
LiveQuery REST API | /livequery/ | Custom (with appropriate permissions) | https://defense-prodsyd.conferdeploy.net/livequery/v1/orgs/{org_key} |
Error Code | Reason for Error | Suggested Fix |
---|---|---|
HTTP 400 Bad request | Usually means that the request contains unexpected parameters. | Verify that your request adheres to the API documentation. |
HTTP 401 Unauthorized | Either authentication (invalid token) or access control (missing RBAC) error. | Check that your X-Auth-Token matches the format secret_key/api_id and that the values are correct. |
HTTP 403 Forbidden | The specified object cannot be accessed or changed. | If it has a Custom access level, check it has been assigned the correct RBAC permissions. If it is an API, SIEM or LIVE_RESPONSE type key, verify it is the right key type for the API in use. |
HTTP 404 Not found | The object referenced in the request cannot be found. | Verify that your request contains objects that haven’t been deleted. Verify that the org_key in the path is correct. |
HTTP 409 Conflict | Either the name you chose already exists, or there is an unacceptable character used. | Change any spaces in the name to underscores. Look through your list of API Keys and see if there is an existing key with the same name. |
HTTP 503 Service unavailable | Cannot return object at this moment because service is unavailable. | This can happen if too many file downloads are happening at the same time. You can try later. |
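The header format, base-URL layout, access-level rules and error table on this page, put together as an added Python example (not code from Carbon Black or from this guide). The function names, the alphanumeric check on org_key, the check that the secret is longer than the API ID, and the org key ABCD1234 are assumptions made for illustration; nothing is sent over the network.

```python
# Added example (not Carbon Black code): assemble and sanity-check a request offline.
from urllib.parse import urlsplit

# Hostnames that appear in this page's base-URL tables.
KNOWN_HOSTS = {
    "defense-eap01.conferdeploy.net", "dashboard.confer.net", "defense.confer.net",
    "defense.conferdeploy.net", "defense-prod05.conferdeploy.net",
    "defense-eu.conferdeploy.net", "defense-prod06.conferdeploy.net",
    "defense-prodnrt.conferdeploy.net", "defense-prodsyd.conferdeploy.net",
}


def auth_header(secret_key, api_id):
    """Build X-Auth-Token as [API Secret Key]/[API ID], rejecting malformed parts."""
    for name, value in (("API Secret Key", secret_key), ("API ID", api_id)):
        if not value.isalnum():  # also catches "", "/", spaces and newlines
            raise ValueError(f"{name} is empty or contains a separator")
    # Assumption from the page's example (24-char secret, 8-char ID): the secret
    # is the longer half, so a shorter "secret" usually means the two are swapped.
    if len(secret_key) <= len(api_id):
        raise ValueError("API Secret Key and API ID look swapped")
    return {"X-Auth-Token": f"{secret_key}/{api_id}"}


def build_url(hostname, path_template, org_key=""):
    """Fill a path from the tables, e.g. /appservices/v6/orgs/{org_key}/alerts."""
    if hostname not in KNOWN_HOSTS:
        raise ValueError(f"{hostname!r} is not a known hostname; not sending the key")
    if "{org_key}" in path_template and not org_key.isalnum():
        # Assumption: org keys are plain alphanumerics, so '/', '..' etc. are rejected.
        raise ValueError("org_key is missing or not alphanumeric")
    path = path_template.replace("{org_key}", org_key)
    return f"https://{hostname}{path}"


def required_key_type(path):
    """Least-privileged Access Level Type the page lists for a request path."""
    if path.startswith("/integrationServices/v3/cblr"):
        return "Live Response"
    if path.startswith("/integrationServices/v3/notification"):
        return "SIEM"
    if path.startswith("/integrationServices/"):
        return "API"
    return "Custom"


def prepare(hostname, path_template, org_key, secret_key, api_id, key_type):
    """Return (url, headers), refusing a key type the path does not call for."""
    url = build_url(hostname, path_template, org_key)
    needed = required_key_type(urlsplit(url).path)
    if key_type != needed:
        # Local policy, stricter than the service: a Live Response key is never
        # sent to a path that an API-type key could serve.
        raise PermissionError(f"use a {needed} key for {urlsplit(url).path}")
    return url, auth_header(secret_key, api_id)


def redact(headers):
    """Copy of the headers for logging: API ID kept, secret masked."""
    safe = dict(headers)
    if "X-Auth-Token" in safe:
        safe["X-Auth-Token"] = "****/" + safe["X-Auth-Token"].rpartition("/")[2]
    return safe


def triage(status, key_type):
    """First thing to check for a failed call, following the error table."""
    if status == 401:
        return "check X-Auth-Token is secret_key/api_id and both values are correct"
    if status == 403 and key_type == "Custom":
        return "check the Custom access level has the RBAC permissions"
    if status == 403:
        return "check this key type is the right one for the API in use"
    if status == 404:
        return "check the object still exists and the org_key in the path"
    return "see the API documentation for this status"


if __name__ == "__main__":
    # Constructed inputs: the page's example key and a made-up org key.
    url, headers = prepare("defense-prod05.conferdeploy.net",
                           "/appservices/v6/orgs/{org_key}/alerts", "ABCD1234",
                           "ABCDEFGHIJKLMNOPQRSTUVWX", "12345678", "Custom")
    print(url, redact(headers))
```

Pass the returned URL and headers to whichever HTTP client you use, and log only the output of redact().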