WARNING: This is a legacy document, please view the latest version here.
Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
Feed API Definition
Note: <cbc-hostname> is the parent URL for your Carbon Black Cloud instance.
Healthcheck
Successful response indicates service reachability.
Request
GET <cbc-hostname>/threathunter/feedmgr/healthcheck
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 204 | Service is available | *.* | None |
Create a new feed
Create a new feed. A unique feed ID will be assigned by the service. All IOCs will be converted to IOC_V2. This feed will be owned by the caller. If feedinfo.access is public, the feed will be available to all organizations.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/feed

| Content-Type | Content |
| --- | --- |
| application/json | Feed Object |

Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Feed created | application/json | FeedInfo |
| 400 | Invalid Feed Request | *:* | None |
Get all feeds
Retrieve all feeds owned by the caller. Provide the include_public=true parameter to also include public community feeds.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Array of Feeds | application/json | {"results": [Feed]} |
Get Specific Feed
Retrieve the feed with feed_id. This feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Feed | application/json | Feed |
Delete Feed
Delete the feed with feed_id. This feed must be owned by the caller.
Request
DELETE <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 204 | Feed Deleted | *:* | None |
| 400 | Unknown feed | *:* | None |
Get Feed Info
Retrieve the feed info metadata for the feed with feed_id. This feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Feed Info | application/json | FeedInfo |
Update Feed Info
Update the feed info metadata for the feed with feed_id. This feed must be owned by the caller.
Request
PUT <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo

| Content-Type | Content |
| --- | --- |
| application/json | FeedInfo |

Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Feed Info Updated | application/json | FeedInfo |
| 400 | Invalid Feed Request | *:* | None |
Get Threat Reports
Retrieve all the reports for the feed with feed_id. The feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Reports array | application/json | {"results": [Report]} |
Replace Reports
Replace the reports for the feed with feed_id. All IOCs will be converted to IOC_V2. Any existing reports not in the payload will be deleted. The feed must be owned by the caller.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report

| Content-Type | Content |
| --- | --- |
| application/json | {"reports": [Report]} |

Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Success | application/json | {"success": boolean*} |
Get Report
Return the report with report_id for the feed. The feed must be owned by the caller.
Request
GET <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Report | application/json | [Report] |
Update Report
Update the report with report_id for the feed. All IOCs will be converted to IOC_V2. The feed must be owned by the caller.
Request
PUT <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)

| Content-Type | Content |
| --- | --- |
| application/json | [Report] |

Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Report | application/json | Report |
Delete report
Delete the report with report_id for the feed. The feed must be owned by the caller.
Request
DELETE <cbc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 204 | Report deleted | *:* | None |
Convert Legacy Query
Convert EDR query to Enterprise EDR query. This will adjust field names and other syntax to match Enterprise EDR Solr requirements.
Request
POST <cbc-hostname>/threathunter/feedmgr/v1/query/translate
Legacy query

| Content-Type | Content |
| --- | --- |
| application/json | {"query": str*} |

Responses

| Code | Description | Content-Type | Content |
| --- | --- | --- | --- |
| 200 | Translated query | application/json | {"query": str*} |
| 400 | Unable to convert query due to incompatible fields | *:* | None |
Definitions
NOTE: fields with a * are required.
FeedInfo
{"name": str*,
"owner": str*,
"provider_url": str*,
"summary": str*,
"category": str*,
"access": str*,
"id": str}
QueryIOC
{"index_type": str,
"search_query": str*}
IOCs
{"md5": [str],
"ipv4": [str],
"ipv6": [str],
"dns": [str],
"query": [QueryIOC]}
IOC_V2
{"id": str*,
"match_type": str*,
"values": [str]*,
"field": str,
"link": str}
Report
{"id": str*,
"timestamp": int*,
"title": str*,
"description": str*,
"severity": int*,
"link": str,
"tags": [str],
"iocs": IOCs,
"iocs_v2": [IOC_V2],
"visibility": str}
Feed
{"feedinfo": FeedInfo*,
"reports": [Report]*}
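The following validator, added here as an example and not part of the Carbon Black Cloud API or its SDK, encodes the definitions above (required fields marked with *, nested objects, arrays) and reports every problem in a Feed payload before it is sent to POST /threathunter/feedmgr/v1/feed, where the service would answer 400 with no detail. The sample payload is constructed; the "private" access value and "equality" match_type are assumptions, since this page only names the "public" access value.

```python
# Definitions from this page: field -> (type, required). A str type names another
# definition; ("list", t) is an array of t. The legacy "iocs" object is not modelled
# (the service converts it to IOC_V2 itself); keys not in the definition pass through.
SCHEMA = {
    "FeedInfo": {"name": (str, True), "owner": (str, True), "provider_url": (str, True),
                 "summary": (str, True), "category": (str, True), "access": (str, True),
                 "id": (str, False)},
    "IOC_V2": {"id": (str, True), "match_type": (str, True), "values": (("list", str), True),
               "field": (str, False), "link": (str, False)},
    "Report": {"id": (str, True), "timestamp": (int, True), "title": (str, True),
               "description": (str, True), "severity": (int, True), "link": (str, False),
               "tags": (("list", str), False), "iocs_v2": (("list", "IOC_V2"), False),
               "visibility": (str, False)},
    "Feed": {"feedinfo": ("FeedInfo", True), "reports": (("list", "Report"), True)},
}

def validate(obj, typ="Feed", path="feed", errors=None):
    """Compare obj with a definition; return a list of problems ([] means the shape is accepted)."""
    errors = [] if errors is None else errors
    if isinstance(typ, str):  # nested definition from SCHEMA
        if not isinstance(obj, dict):
            errors.append(f"{path}: expected {typ} object")
        else:
            for key, (ftype, required) in SCHEMA[typ].items():
                if key in obj:
                    validate(obj[key], ftype, f"{path}.{key}", errors)
                elif required:
                    errors.append(f"{path}.{key}: required field missing")
    elif isinstance(typ, tuple):  # ("list", element type)
        if not isinstance(obj, list):
            errors.append(f"{path}: expected list")
        else:
            for i, item in enumerate(obj):
                validate(item, typ[1], f"{path}[{i}]", errors)
    elif isinstance(obj, bool) or not isinstance(obj, typ):  # bool is an int subclass in Python
        errors.append(f"{path}: expected {typ.__name__}")
    return errors

# Constructed sample payload; every name and value is a placeholder, and "private" (access)
# and "equality" (match_type) are assumed values that this page does not list.
SAMPLE_FEED = {
    "feedinfo": {"name": "Sample feed", "owner": "example-org", "provider_url": "https://example.invalid",
                 "summary": "Constructed sample", "category": "Custom", "access": "private"},
    "reports": [{"id": "report-0001", "timestamp": 1600000000, "title": "Sample report",
                 "description": "Constructed", "severity": 5,
                 "iocs_v2": [{"id": "ioc-0001", "match_type": "equality",
                              "values": ["host.example.invalid"]}]}],
}
```

Run validate(SAMPLE_FEED) before each POST or PUT; a non-empty list names the exact path of each missing or mistyped field, and the same function checks a FeedInfo or Report body by passing typ="FeedInfo" or typ="Report".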