Feed Manager API for Enterprise EDR
Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
Feed API Definition
Note: <cbc-hostname> is the parent URL for your Carbon Black Cloud instance.
Healthcheck
Successful response indicates service reachability.
Request
GET <cbc-hostname>/threathunter/feedmgr/healthcheck
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | service is available | *.* | None |
Create a new feed
Create a new feed. A unique feed ID is assigned by the service.
All IOCs will be converted to IOC_V2. The feed is owned by the caller. If feedinfo.access is public, the feed is available to all organizations.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/feed
| Content-Type | Content |
|---|---|
| application/json | Feed Object |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Feed created | application/json | FeedInfo |
| 400 | Invalid Feed Request | *:* | None |
Get all feeds
Retrieve all feeds owned by the caller. Add the include_public=true query parameter to also include public community feeds.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Array of Feeds | application/json | {"results": [Feed]} |
Get Specific Feed
Retrieve feed with feed_id. This feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Feed | application/json | Feed |
Delete Feed
Delete feed with feed_id. This feed must be owned by the caller.
Request
DELETE <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Feed Deleted | *:* | None |
| 400 | Unknown feed | *:* | None |
Get Feed Info
Retrieve feed info metadata for feed with feed_id. This feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Feed Info | application/json | FeedInfo |
Update Feed Info
Update feed info metadata for feed with feed_id. This feed must be owned by the caller.
Request
PUT <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
| Content-Type | Content |
|---|---|
| application/json | FeedInfo |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Feed Info Updated | application/json | FeedInfo |
| 400 | Invalid Feed Request | *:* | None |
Get Threat Reports
Retrieve all the reports for feed with feed_id. Feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Reports array | application/json | {"results": [Report]} |
Replace Reports
Replace the reports of the feed with feed_id. All IOCs will be converted to IOC_V2. Any existing report that is not in the payload will be deleted. Feed must be owned by the caller.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
| Content-Type | Content |
|---|---|
| application/json | {"reports": [Report]} |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Success | application/json | {"success": boolean*} |
Get Report
Return report with report_id for feed. Feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Report | application/json | [Report] |
Update Report
Update report with report_id for feed. All IOCs will be converted to IOC_V2. Feed must be owned by the caller.
Request
PUT <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
| Content-Type | Content |
|---|---|
| application/json | [Report] |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Report | application/json | Report |
Delete report
Delete report with report_id for feed. Feed must be owned by the caller.
Request
DELETE <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | report deleted | *:* |
None |
Convert Legacy Query
Convert an EDR (formerly CB Response) query to an Enterprise EDR query. This adjusts field names and other syntax to match Enterprise EDR Solr requirements.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/query/translate
| Content-Type | Content |
|---|---|
| application/json | {"query": str*} |
Responses
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Translated query | application/json | {"query": str*} |
| 400 | Unable to convert query due to incompatible fields | *:* | None |
Definitions
NOTE: fields marked with a * are required.
FeedInfo
```
{"name": str*,
"owner": str*,
"provider_url": str*,
"summary": str*,
"category": str*,
"access": str*,
"id": str}
```
QueryIOC
```
{"index_type": str,
"search_query": str*}
```
IOCs
```
{"md5": [str],
"ipv4": [str],
"ipv6": [str],
"dns": [str],
"query": [QueryIOC]}
```
IOC_V2
```
{"id": str*,
"match_type": str*,
"values": [str]*,
"field": str,
"link": str}
```
Report
```
{"id": str*,
"timestamp": int*,
"title": str*,
"description": str*,
"severity": int*,
"link": str,
"tags": [str],
"iocs": IOCs,
"iocs_v2": [IOC_V2],
"visibility": str}
```
Feed
```
{"feedinfo": FeedInfo*,
"reports": [Report]*}
```
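The following is an added example, not Carbon Black's own client code: it builds a Feed payload that follows the Definitions above, checks every field marked with a * before the "Create a new feed" request is sent, and assembles that POST request offline. The X-Auth-Token header and the sample match_type, field and access values are assumptions; this page documents none of them.

```python
# Added example: validate a Feed against the required (*) fields listed in
# the Definitions and assemble the POST /v1/feed request without sending it.
import json

# Required fields per the Definitions section (fields marked with *).
REQUIRED = {
    "feedinfo": ("name", "owner", "provider_url", "summary", "category", "access"),
    "report": ("id", "timestamp", "title", "description", "severity"),
    "ioc_v2": ("id", "match_type", "values"),
}

def ioc_v2(ioc_id, match_type, values, field=None, link=None):
    """One IOC_V2 entry; field and link are optional in the schema."""
    ioc = {"id": ioc_id, "match_type": match_type, "values": list(values)}
    if field is not None:
        ioc["field"] = field
    if link is not None:
        ioc["link"] = link
    return ioc

def missing_fields(feed):
    """List required fields that are absent, as 'where.field' paths."""
    gaps = [f"feedinfo.{f}" for f in REQUIRED["feedinfo"] if f not in feed.get("feedinfo", {})]
    for i, rep in enumerate(feed.get("reports", [])):
        gaps += [f"reports[{i}].{f}" for f in REQUIRED["report"] if f not in rep]
        for j, ioc in enumerate(rep.get("iocs_v2", [])):
            gaps += [f"reports[{i}].iocs_v2[{j}].{f}" for f in REQUIRED["ioc_v2"] if f not in ioc]
    return gaps

def create_feed_request(host, feed, api_token):
    """Build (not send) the POST /threathunter/feedmgr/v1/feed request."""
    gaps = missing_fields(feed)
    if gaps:
        raise ValueError("missing required fields: " + ", ".join(gaps))
    return {
        "method": "POST",
        "url": f"{host}/threathunter/feedmgr/v1/feed",
        "headers": {"Content-Type": "application/json", "X-Auth-Token": api_token},  # header assumed
        "body": json.dumps(feed),
    }

# Constructed sample: one report with one IOC_V2. The match_type, field and
# access values are placeholders, not taken from this page.
SAMPLE_FEED = {
    "feedinfo": {"name": "Sample feed", "owner": "SOC", "provider_url": "https://example.invalid",
                 "summary": "constructed sample", "category": "internal", "access": "private"},
    "reports": [{"id": "rep-0001", "timestamp": 1642464000, "title": "Sample report",
                 "description": "constructed", "severity": 5,
                 "iocs_v2": [ioc_v2("ioc-1", "MATCH_TYPE_PLACEHOLDER", ["0" * 32], field="FIELD_PLACEHOLDER")]}],
}
```

Because "Replace Reports" deletes every existing report that is not in the payload, run missing_fields over the full report list before that POST as well, not only over the new entries.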
Last modified on January 18, 2022