WARNING: This is a legacy document, please view the latest version
here.
Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
Feed API Definition
Note: <cbc-hostname> is the parent URL for your Carbon Black Cloud instance.
Healthcheck
Successful response indicates service reachability.
Request
GET <cbc-hostname>/threathunter/feedmgr/healthcheck
Responses
| Code |
Description |
Content-Type |
Content |
| 204 |
service is available |
*.* |
None |
Create a new feed
Create new feed. Unique feed ID will be assigned by the service.
All IOCs will be converted to IOC_V2. This feed will be owned by the caller. If feedinfo.access is public the feed will be available to all organizations.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/feed
| Content-Type |
Content |
| application/json |
Feed Object |
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Feed created |
application/json |
FeedInfo |
| 400 |
Invalid Feed Request |
*:* |
None |
Get all feeds
Retrieve all feeds owned by the caller. Provide include_public=true parameter to also include public community feeds.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Array of Feeds |
application/json |
{“results”: [Feed]} |
Get Specific Feed
Retrieve feed with feed_id. This feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Feed |
application/json |
Feed |
Delete Feed
Delete feed with feed_id. This feed must be owned by the caller.
Request
DELETE <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)
Responses
| Code |
Description |
Content-Type |
Content |
| 204 |
Feed Deleted |
*:* |
None |
| 400 |
Unknown feed |
*:* |
None |
Get Feed Info
Retrieve feed info metadata for feed with feed_id. This feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Feed Info |
application/json |
FeedInfo |
Update Feed Info
Update feed info metadata for feed with feed_id. This feed must be owned by the caller.
Request
PUT <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
| Content-Type |
Content |
| application/json |
FeedInfo |
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Feed Info Updated |
application/json |
FeedInfo |
| 400 |
Invalid Feed Request |
*:* |
None |
Get Threat Reports
Retrieve all the reports for feed with feed_id. Feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Reports array |
application/json |
{“results”: [Report]} |
Replace Reports
Replace reports for feed ID. All IOCs will be converted to IOC_V2. Any existing reports not in the payload will be deleted. Feed must be owned by the caller.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
| Content-Type |
Content |
| application/json |
{“reports”: [Report]} |
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Success |
application/json |
{“success”: boolean*} |
Get Report
Return report with report_id for feed. Feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Report |
application/json |
[Report] |
Update Report
Update report with report_id for feed. All IOCs will be converted to IOC_V2. Feed must be owned by the caller.
Request
PUT <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
| Content-Type |
Content |
| application/json |
[Report] |
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Report |
application/json |
Report |
Delete report
Delete report with report_id for feed . Feed must be owned by the caller.
Request
DELETE <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Responses
| Code |
Description |
Content-Type |
Content |
| 204 |
report deleted |
*:* |
None |
Convert Legacy Query
Convert EDR query to Enterprise EDR query. This will adjust field names and other syntax to match Enterprise EDR Solr requirements.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/query/translate
Legacy query
| content-type |
content |
| application/json |
{"query": str*}
|
Responses
| Code |
Description |
Content-Type |
Content |
| 200 |
Translated query |
application/json |
{“query”: str*} |
| 400 |
Unable to convert query due to incompatible fields |
*:* |
None |
Definitions
NOTE: fields with a * are required
FeedInfo
{"name": str*,
"owner": str*,
"provider_url": str*,
"summary": str*,
"category": str*,
"access": str*,
"id": str}
QueryIOC
{"index_type": str,
"search_query": str*}
IOCs
{"md5": [str],
"ipv4": [str],
"ipv6": [str],
"dns": [str],
"query": [QueryIOC]}
IOC_V2
{"id": str*,
"match_type": str*,
"values": [str]*,
"field": str,
"link": str}
Report
{"id": str*,
"timestamp": int*,
"title": str*,
"description": str*,
"severity": int*,
"link": str,
"tags": [str],
"iocs": IOCs,
"iocs_v2": [IOC_V2],
"visibility": str}
Feed
{"feedinfo": FeedInfo*,
"reports": [Report]*}