Reputation Override

Overview

The Reputation Override API provides an organization with the ability to create a list of approved or banned applications using a SHA-256 hash, a certificate signer, or a path to a known IT tool application. The overridden reputation allows for Endpoint Standard to trigger deny or terminate actions based on policy configurations of known banned application or ignore applications that are approved. This provides ease of mind for an organization knowing that their infrastructure is secured against known bad actors and that their known good applications will not be interrupted by Carbon Black Cloud.

Use Cases

Override the reputation of an application by adding a SHA-256 hash, a certificate signer or a path to a known IT tool application or directory of IT tools to an Approved or Banned list
Search or export existing reputation overrides that have already been configured
Delete reputation overrides that are no longer relevant to your security posture

Requirements

Carbon Black Cloud Endpoint Standard
All API calls require an API key with appropriate permissions see Authentication

Authentication

Access Level: Before you create your API Key, you need to create a “Custom” Access Level:
- for the category Application > Reputation > “org.reputations” allow permissions for “CREATE”, “READ”, and “DELETE”
API Key: When you create your API Key, use the Access Level Type of “Custom”, then select the Access Level you created.
Environment: use the URL of your Carbon Black Cloud console (this is the Dashboard URL)
API Route: {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides/{id}

Note: when you insert your org_key, you must also remove the { } brackets.

API calls

Configure Reputation Override

Configure a new reputation override for a SHA-256, cert or IT tool

RBAC Permissions Required

Permission (.notation name)	Operation(s)
`org.reputations`	`CREATE`

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides

Request Body

{
  "description": "<string>",
  "override_list": "<string>",
  "override_type": "<string>"
}

Body Schema

Field	Definition	Data Type	Values
`override_list` REQUIRED	The override list to add a new reputation (BLACK_LIST only valid for SHA256)	String	`BLACK_LIST`, `WHITE_LIST`
`override_type` REQUIRED	Process property match when applying override	String	`SHA256`, `CERT`, `IT_TOOL`
`description`	Justification for override	String	N/A

Additional fields when override_type is SHA256

Field	Definition	Data Type	Values
`sha256_hash` REQUIRED	A hexadecimal string of length 64 characters representing the SHA-256 hash of the application	String	N/A
`filename`	An application name for the hash	String	N/A

Additional fields when override_type is CERT

Field	Definition	Data Type	Values
`signed_by` REQUIRED	Name of the signer for the application	String	N/A
`certificate_authority`	Certificate authority that authorizes the validity of the certificate	String	N/A

Additional fields when override_type is IT_TOOL

Field	Definition	Data Type	Values
`path` REQUIRED	Path to the file or directory where the IT tool(s) exist on disk. Path may include wildcards, see here for more information	String	N/A
`include_child_processes`	Include tool’s child processes on approved list	Boolean	N/A

Response

Code	Description	Content-Type	Content
200	Successfully create reputation override	application/json	View example response below
400	The JSON body was malformed, or some part of the JSON body included an invalid value	application/json	N/A
409	The reputation override already exists with matching properties	application/json	N/A
500	Internal Server Error	N/A	N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/reputations/overrides

Request_Body

{
  "description": "An override for a sha256 hash",
  "override_list": "BLACK_LIST",
  "override_type": "SHA256",
  "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
  "filename": "foo.exe"
}

Response

{
  "id": "e9410b754ea011ebbfd0db2585a41b07",
  "created_by": "example@example.com",
  "create_time": "2021-01-04T15:24:18.002Z",
  "description": "An override for a foo.exe",
  "override_list": "BLACK_LIST",
  "override_type": "SHA256",
  "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
  "filename": "foo.exe"
}

Get Reputation Override

Retrieve a reputation override by id

RBAC Permissions Required

Permission (.notation name)	Operation(s)
`org.reputations`	`READ`

Request

GET {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides/{id}

Response

Code	Description	Content-Type	Content
200	Successfully retrieved resource override	application/json	View example response below
404	The resource override could not be found	N/A	N/A
500	Internal Server Error	N/A	N/A

Example

Request

GET https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/reputations/overrides/e9410b754ea011ebbfd0db2585a41b07

Response

{
  "id": "e9410b754ea011ebbfd0db2585a41b07",
  "created_by": "example@example.com",
  "create_time": "2021-01-04T15:24:18.002Z",
  "description": "An override for a foo.exe",
  "override_list": "BLACK_LIST",
  "override_type": "SHA256",
  "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
  "filename": "foo.exe"
}

Delete Reputation Override

Delete a reputation override by id

RBAC Permissions Required

Permission (.notation name)	Operation(s)
`org.reputations`	`DELETE`

Request

DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides/{id}

Response

Code	Description	Content-Type	Content
204	Successfully deleted resource override	No Content	View example response below
404	The resource override could not be found	N/A	N/A
500	Internal Server Error	N/A	N/A

Example

Request

DELETE https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/reputations/overrides/e9410b754ea011ebbfd0db2585a41b07

Response

No Content

Search Reputation Overrides

Search existing reputation overrides by a search criteria

RBAC Permissions Required

Permission (.notation name)	Operation(s)
`org.reputations`	`READ`

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides/_search

Request Body

[
  {
    "query": "<string>",
    "criteria": {
      "override_list": "<string>",
      "override_type": "<string>"
    },
    "start": <integer>,
    "rows": <integer>,
    "sort_field": "<string>",
    "sort_order": "<string>"
  }
]

Body Schema

Field	Definition	Data Type	Values
`criteria`	Criteria is an object that represents values that must be in the results.	Object	`{ "override_type": "SHA256" }` Supported fields: `override_list`,`override_type`
`query`	Query in lucene syntax and/or including value searches.	String	N/A
`rows`	For pagination, how many results to return	Integer	Default: 20
`start`	For pagination, where to start retrieving results from	Integer	Default: 0
`sort_field`	The field to sort on	String	`create_time`, `override_list`, `override_type`
`sort_order`	The direction to sort by	String	`asc`, `desc`

Response

Code	Description	Content-Type	Content
200	Successfully found reputation overrides	application/json	View example response below
400	The JSON body was malformed, or some part of the JSON body included an invalid value	application/json	N/A
500	Internal Server Error	N/A	N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/reputations/overrides/_search

Request_Body

{
  "criteria": {
    "override_list": "BLACK_LIST",
    "override_type": "SHA256"
  },
  "start": 0,
  "rows": 10,
  "sort_field": "create_time",
  "sort_order": "asc"
}

Response

{
  "num_found": 1,
  "results": [
    {
      "id": "e9410b754ea011ebbfd0db2585a41b07",
      "created_by": "example@example.com",
      "create_time": "2021-01-04T15:24:18.002Z",
      "description": "An override for a foo.exe",
      "override_list": "BLACK_LIST",
      "override_type": "SHA256",
      "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
      "filename": "foo.exe"
    }
  ]
}

Export Reputation Overrides

Export existing reputation overrides by a search criteria

RBAC Permissions Required

Permission (.notation name)	Operation(s)
`org.reputations`	`READ`

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides/_export

Request Body

[
  {
    "query": "<string>",
    "criteria": {
      "override_list": "<string>",
      "override_type": "<string>"
    },
    "start": <integer>,
    "rows": <integer>,
    "sort_field": "<string>",
    "sort_order": "<string>"
  }
]

Body Schema

Field	Definition	Data Type	Values
`criteria`	Criteria is an object that represents values that must be in the results.	Object	`{ "override_type": "SHA256" }` Supported fields: `override_list`,`override_type`
`query`	Query in lucene syntax and/or including value searches.	String	N/A
`rows`	For pagination, how many results to return	Integer	Default: 20
`start`	For pagination, where to start retrieving results from	Integer	Default: 0
`sort_field`	The field to sort on	String	`create_time`, `override_list`, `override_type`
`sort_order`	The direction to sort by	String	`asc`, `desc`

Response

Code	Description	Content-Type	Content
200	Successfully found reputation overrides	text/csv	View example response below
400	The JSON body was malformed, or some part of the JSON body included an invalid value	application/json	N/A
500	Internal Server Error	N/A	N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/reputations/overrides/_export

Request_Body

{
  "criteria": {
    "override_list": "BLACK_LIST",
    "override_type": "SHA256"
  },
  "query": "foo*",
  "start": 0,
  "rows": 10,
  "sort_field": "create_time",
  "sort_order": "asc"
}

Response

"Date Updated","Changed By","List Type","Indicator Type","Indicator Value","Description","Extra Settings"
"2021-01-04T15:24:18.002Z","example@example.com","BLACK_LIST","SHA256","af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a","An override for a foo.exe","foo.exe"

Bulk Delete Reputation Overrides

Bulk delete reputation overrides by id

RBAC Permissions Required

Permission (.notation name)	Operation(s)
`org.reputations`	`DELETE`

Request

POST {cbc-hostname}/appservices/v6/orgs/{org_key}/reputations/overrides/_delete

Request Body

[
  "<string>"
]

Body Schema

Field	Definition	Data Type	Values
N/A	List of reputation override ids	Array	`[ "e9410b754ea011ebbfd0db2585a41b07" ]`

Response

Code	Description	Content-Type	Content
200	Successfully deleted reputation overrides	application/json	View example response below
400	The JSON body was malformed, or some part of the JSON body included an invalid value	application/json	N/A
500	Internal Server Error	N/A	N/A

Example

Request

POST https://defense-eap01.conferdeploy.net/appservices/v6/orgs/ABCD1234/reputations/overrides/_delete

Request_Body

[
  "e9410b754ea011ebbfd0db2585a41b07"
]

Response

{
  "results": [
    "e9410b754ea011ebbfd0db2585a41b07"
  ]
}

Endpoint Standard: Reputation Priority

Carbon Black Cloud: How to Utilize IT Tools Allow list Feature

Last modified on January 14, 2021

Carbon Black Cloud

API Reference

Page Contents

Reputation Override

Overview

Use Cases

Requirements

Authentication

API calls

Configure Reputation Override

Get Reputation Override

Delete Reputation Override

Search Reputation Overrides

Export Reputation Overrides

Bulk Delete Reputation Overrides

Carbon Black Cloud

API Reference

Page Contents

Reputation Override

Overview

Use Cases

Requirements

Authentication

API calls

Configure Reputation Override

Get Reputation Override

Delete Reputation Override

Search Reputation Overrides

Export Reputation Overrides

Bulk Delete Reputation Overrides

Related Resources