Feed Manager API for Enterprise EDR

WARNING: This is a legacy document, please view the latest version here.

Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.

Feed API Definition

Note: <psc-hostname> is the parent URL for your Carbon Black Cloud instance.

Healthcheck

Successful response indicates service reachability.

Request

GET <psc-hostname>/threathunter/feedmgr/healthcheck

Responses

Code Description Content-Type Content
204 service is available *.* None

Create a new feed

Create new feed. Unique feed ID will be assigned by the service.
All IOCs will be converted to IOC_V2. This feed will be owned by the caller. If feedinfo.access is public the feed will be available to all organizations.

Request

POST <psc-hostname>/threathunter/feedmgr/v1/feed
Content-Type Content
application/json Feed Object

Responses

Code Description Content-Type Content
200 Feed created application/json FeedInfo
400 Invalid Feed Request *:* None

Get all feeds

Retrieve all feeds owned by the caller. Provide include_public=true parameter to also include public community feeds.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed

Responses

Code Description Content-Type Content
200 Array of Feeds application/json {“results”: [Feed]}

Get Specific Feed

Retrieve feed with feed_id. This feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)

Responses

Code Description Content-Type Content
200 Feed application/json Feed

Delete Feed

Delete feed with feed_id. This feed must be owned by the caller.

Request

DELETE <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)

Responses

Code Description Content-Type Content
204 Feed Deleted *:* None
400 Unknown feed *:* None

Get Feed Info

Retrieve feed info metadata for feed with feed_id. This feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo

Responses

Code Description Content-Type Content
200 Feed Info application/json FeedInfo

Update Feed Info

Update feed info metadata for feed with feed_id. This feed must be owned by the caller.

Request

PUT <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/feedinfo
Content-Type Content
application/json FeedInfo

Responses

Code Description Content-Type Content
200 Feed Info Updated application/json FeedInfo
400 Invalid Feed Request *:* None

Get Threat Reports

Retrieve all the reports for feed with feed_id. Feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report

Responses

Code Description Content-Type Content
200 Reports array application/json {“results”: [Report]}

Replace Reports

Replace reports for feed ID. All IOCs will be converted to IOC_V2. Any existing reports not in the payload will be deleted. Feed must be owned by the caller.

Request

POST <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report
Content-Type Content
application/json {“reports”: [Report]}

Responses

Code Description Content-Type Content
200 Success application/json {“success”: boolean*}

Get Report

Return report with report_id for feed. Feed must be owned by the caller.

Request

GET <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)

Responses

Code Description Content-Type Content
200 Report application/json [Report]

Update Report

Update report with report_id for feed. All IOCs will be converted to IOC_V2. Feed must be owned by the caller.

Request

PUT <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)
Content-Type Content
application/json [Report]

Responses

Code Description Content-Type Content
200 Report application/json Report

Delete report

Delete report with report_id for feed . Feed must be owned by the caller.

Request

DELETE <psc-hostname>/threathunter/feedmgr/v1/feed/(feed_id)/report/(report_id)

Responses

Code Description Content-Type Content
204 report deleted *:* None

Convert Legacy Query

Convert CB Reponse query to ThreatHunter query. This will adjust field names and other syntax to match ThreatHunter Solr requirements.

Request

POST <psc-hostname>/threathunter/feedmgr/v1/query/translate
Legacy query
content-type content
application/json {"query": str*}

Responses

Code Description Content-Type Content
200 Translated query application/json {“query”: str*}
400 Unable to convert query due to incompatible fields *:* None

Definitions

NOTE: fields with a * are required

FeedInfo

{"name": str*,
 "owner": str*,
 "provider_url": str*,
 "summary": str*,
 "category": str*,
 "access": str*,
 "id": str}

QueryIOC

{"index_type": str,
 "search_query": str*}

IOCs

{"md5": [str],
 "ipv4": [str],
 "ipv6": [str],
 "dns": [str],
 "query": [QueryIOC]}

IOC_V2

{"id": str*,
 "match_type": str*,
 "values": [str]*,
 "field": str,
 "link": str}

Report

{"id": str*,
 "timestamp": int*,
 "title": str*,
 "description": str*,
 "severity": int*,
 "link": str,
 "tags": [str],
 "iocs": IOCs,
 "iocs_v2": [IOC_V2],
 "visibility": str}

Feed

{"feedinfo": FeedInfo*,
 "reports": [Report]*}
Last modified on May 5, 2020