Carbon Black Cloud Enterprise EDR (Endpoint Detection and Response) is the new name for the product formerly called CB ThreatHunter.
The Feed Manager API enables you to manage third-party threat intelligence Watchlists (here called “Feeds”), including the ability to convert Carbon Black EDR queries for use in Carbon Black Cloud Enterprise EDR.
On the Carbon Black Cloud, a Feed is a collection of actionable threat intelligence, organized into Reports which are collections of one or more Indicators of Compromise (IOCs).
Feeds can be published to all organizations in an environment (public) or to a selection of managed organizations in an environment (reserved). It is also possible to publish a Feed to only one organization (private), but in practice this is unnecessary overhead for most organizations.
In the Carbon Black Cloud console, Feeds are those Watchlists whose Type is “F” (Feed Subscription).
On the Carbon Black Cloud, a Watchlist is a specific set of subscribed Reports and their IOCs that are evaluated against incoming sensor data to enrich your search results with “hits” where the Watchlists found a match in your endpoint fleet’s events data.
Watchlists can be subscribed from a Feed, or can be created directly from a selection of existing Reports. Once created, a Watchlist can be edited in one of three ways:
Feeds are in effect “potentially-subscribable Watchlists”. A Feed has no effect on your organization until you have subscribed to it - at which point a related Watchlist is enabled in the organization. Once subscribed (and until it’s disabled or unsubscribed), a Watchlist will generate Hits (and Alerts if you have enabled them) for any matches against any of the IOCs in any of that Watchlist’s enabled Reports.
Successful response indicates service reachability.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
No Permissions Required | N/A |
Request
GET {cbc-hostname}/threathunter/feedmgr/healthcheck
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | service is available | *.* | None |
Retrieve all feeds owned by the caller. Provide the include_public=true parameter to also include public community feeds.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Query Schema
Field | Definition | Data Type | Values |
---|---|---|---|
include_public | Whether to include public community feeds in the response | Boolean | true , false |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Array of Feeds | application/json | View example response below |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds?include_public=true
Response
{
"results": [
{
"name": "My Feed",
"owner": "ABCD1234",
"provider_url": "https://example.com",
"summary": "Example Feed",
"category": "None",
"source_label": null,
"access": "private",
"id": "ABCDEFGHIJKLMNOPQRSTUVWX"
},
{
"name": "Carbon Black AlienVault",
"owner": "AlienVault",
"provider_url": "https://www.alienvault.com/",
"summary": "This watchlist contains intelligence provided by AlienVault's Open Threat Exchange (OTX). It leverages insights into attacks across the community and will show you hostile scanning hosts, malware hosts, and other targeting and security event information.",
"category": "Partner",
"source_label": "AlienVault",
"access": "public",
"id": "wuDcrLFVRUOBIn1g3er9tQ"
}
]
}
Retrieve feed with feed_id. This feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Feed | application/json | View example response below |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX
Response
{
"feedinfo": {
"name": "My Feed",
"owner": "ABCD1234",
"provider_url": "https://example.com",
"summary": "Example Feed",
"category": "None",
"source_label": null,
"access": "private",
"id": "ABCDEFGHIJKLMNOPQRSTUVWX"
},
"reports": [
{
"id": "1",
"timestamp": 1571083459,
"title": "yara",
"description": "microsoft:microsoft",
"severity": 5,
"link": null,
"tags": null,
"iocs": null,
"iocs_v2": [
{
"id": "1",
"match_type": "equality",
"values": [
"TQBpAGMAcgBvAHMAbwBmAHQA"
],
"field": "$microsoft",
"link": null
}
],
"visibility": null
}
]
}
Create new private feed. Unique feed ID will be assigned by the service. All IOCs will be converted to IOCv2. This feed will be owned by the caller. The feed will be available to only the org that created it.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | CREATE |
Request
POST {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds
Request Body
{
"feedinfo": {
"name": "<string>",
"provider_url": "<string>",
"summary": "<string>",
"category": "<string>",
"source_label": "<string>"
},
"reports": [{
"id": "<string>",
"timestamp": "<integer>",
"title": "<string>",
"description": "<string>",
"severity": "<integer>",
"link": "<string>",
"tags": ["<string>"],
"iocs": "<IOCv1>",
"iocs_v2": ["<IOCv2>"],
"visibility": "<string>"
}]
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
name REQUIRED | Name for the Feed | String | N/A |
provider_url REQUIRED | URL for where the Feed information will come from | String | N/A |
summary REQUIRED | Summary for the Feed | String | N/A |
category REQUIRED | Category for the Feed | String | N/A |
source_label | Label for where the Feed information will come from | String | N/A |
id REQUIRED | Report ID | String | N/A |
title REQUIRED | Report title | String | N/A |
description REQUIRED | Report description | String | N/A |
timestamp REQUIRED | UNIX Epoch timestamp to associate with the report | Integer | N/A |
severity REQUIRED | Report severity | Integer | Between 1 and 10, inclusive |
link | A URL to associate with the report | String | N/A |
tags | List of report tags | [String] | N/A |
iocs | IOCs to associate with the report. IOCs will be converted to IOCv2 format. | IOCv1 | IOCv1 |
iocs_v2 | IOCv2’s to associate with the report. Preferred over IOCs. | Array | [IOCv2] |
visibility | Report visibility | String | N/A |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully created the Feed | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds
Request Body
{
"feedinfo": {
"name": "My Feed",
"provider_url": "https://example.com",
"summary": "Summary for my feed",
"category": "external_threat_intel",
"source_label": "Label for threat intel source"
},
"reports": [
{
"id": "Report_ID_1",
"timestamp": 1571083459,
"title": "YARA",
"description": "microsoft:microsoft",
"severity": 1,
"link": "https://microsoft.com/en-us/",
"tags": ["safe", "website"],
"iocs_v2": [
{
"id": "IOC_ID_1",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}
]
}
Response
{
"name": "My Feed",
"owner": "ABCD1234",
"provider_url": "https://example.com",
"summary": "Summary for my feed",
"category": "external_threat_intel",
"source_label": "Label for threat intel source",
"access": "private",
"id": "ABCDEFGHIJKLMNOPQRSTUVWX"
}
Create new reserved feed. Unique feed ID will be assigned by the service. This feed will be owned by org_key and available to org_key’s delegates at the time of creation.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | CREATE |
Request
POST {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/reserved
Request Body
{
"feedinfo": {
"name": "<string>",
"provider_url": "<string>",
"summary": "<string>",
"category": "<string>",
"source_label": "<string>"
},
"reports": [{
"id": "<string>",
"timestamp": "<integer>",
"title": "<string>",
"description": "<string>",
"severity": "<integer>",
"link": "<string>",
"tags": ["<string>"],
"iocs": "<IOCv1>",
"iocs_v2": ["<IOCv2>"],
"visibility": "<string>"
}],
"delegates_auth_token": "ABCDEFGHIJKLMNOPQRSTU/123456789"
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
name REQUIRED | Name for the Feed | String | N/A |
provider_url REQUIRED | URL for where the Feed information will come from | String | N/A |
summary REQUIRED | Summary for the Feed | String | N/A |
category REQUIRED | Category for the Feed | String | N/A |
source_label | Label for where the Feed information will come from | String | N/A |
id REQUIRED | Report ID | String | N/A |
title REQUIRED | Report title | String | N/A |
description REQUIRED | Report description | String | N/A |
timestamp REQUIRED | UNIX Epoch timestamp to associate with the report | Integer | N/A |
severity REQUIRED | Report severity | Integer | Between 1 and 10, inclusive |
link | A URL to associate with the report | String | N/A |
tags | List of report tags | [String] | N/A |
iocs | IOCs to associate with the report. IOCs will be converted to IOCv2 format. | IOCv1 | IOCv1 |
iocs_v2 | IOCv2’s to associate with the report. Preferred over IOCs. | Array | [IOCv2] |
visibility | Report visibility | String | N/A |
delegates_auth_token | X-Auth-Token to verify which delegates the caller has access to. Overrides the X-Auth-Token sent with request headers. | String | N/A |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully created the Feed | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/reserved
Request Body
{
"feedinfo": {
"name": "My Reserved Feed",
"provider_url": "https://example.com",
"summary": "Summary for my feed",
"category": "external_threat_intel",
"source_label": "Label for threat intel source"
},
"reports": [
{
"id": "Report_ID_1",
"timestamp": 1571083459,
"title": "YARA",
"description": "microsoft:microsoft",
"severity": 1,
"link": "https://microsoft.com/en-us/",
"tags": ["safe", "website"],
"iocs_v2": [
{
"id": "IOC_ID_1",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}
]
}
Response
{
"name": "My Reserved Feed",
"owner": "ABCD1234",
"provider_url": "https://example.com",
"summary": "Summary for my feed",
"category": "external_threat_intel",
"source_label": "Label for threat intel source",
"access": "private",
"id": "ABCDEFGHIJKLMNOPQRSTUVWX"
}
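The two create-feed endpoints above (POST .../feeds for a private feed and POST .../feeds/reserved for a reserved one) both answer 400 for any schema violation without saying which field is wrong, so it is worth checking the payload locally before sending it. The following is an added example, not Carbon Black's code: it validates a payload against the body schema documented above (required feedinfo and report fields, severity between 1 and 10, integer timestamp, IOCv2 match_type) and builds the request without sending it. The X-Auth-Token header uses the '<API secret>/<API ID>' form shown in the delegates_auth_token examples; the hostname, org key and credentials passed in are placeholders, and the rule that an equality or regex IOC needs a field and that report ids are unique within a feed are assumptions.

```python
"""Client-side validation of a Feed Manager create-feed payload (added example)."""
import json

# Values taken from the documentation above.
IOCV2_MATCH_TYPES = {"equality", "regex", "query"}
FEEDINFO_REQUIRED = ("name", "provider_url", "summary", "category")
REPORT_REQUIRED = ("id", "title", "description", "timestamp", "severity")


def validate_iocv2(ioc, path, errors):
    """Append a message to `errors` for each IOCv2 schema violation."""
    for key in ("id", "match_type", "values"):
        if key not in ioc:
            errors.append(f"{path}.{key}: missing required field")
    mt = ioc.get("match_type")
    if mt not in IOCV2_MATCH_TYPES:
        errors.append(f"{path}.match_type: {mt!r} is not one of {sorted(IOCV2_MATCH_TYPES)}")
    values = ioc.get("values")
    if not isinstance(values, list) or not values or not all(isinstance(v, str) for v in values):
        errors.append(f"{path}.values: must be a non-empty list of strings")
    # Assumption: 'field' is optional in the schema table, but an equality or regex
    # IOC has nothing to compare against without one (the page's query IOC has none).
    if mt in ("equality", "regex") and not ioc.get("field"):
        errors.append(f"{path}.field: equality/regex IOCs need a search field")


def validate_report(report, path, errors):
    """Append a message to `errors` for each Report schema violation."""
    for key in REPORT_REQUIRED:
        if key not in report:
            errors.append(f"{path}.{key}: missing required field")
    severity = report.get("severity")
    if not isinstance(severity, int) or not 1 <= severity <= 10:
        errors.append(f"{path}.severity: must be an integer between 1 and 10 inclusive")
    if not isinstance(report.get("timestamp"), int):
        errors.append(f"{path}.timestamp: must be a UNIX epoch integer")
    for i, ioc in enumerate(report.get("iocs_v2") or []):
        validate_iocv2(ioc, f"{path}.iocs_v2[{i}]", errors)


def validate_feed(payload):
    """Return a list of schema violations; an empty list means the payload is acceptable."""
    errors = []
    info = payload.get("feedinfo")
    if not isinstance(info, dict):
        errors.append("feedinfo: missing")
    else:
        for key in FEEDINFO_REQUIRED:
            if not info.get(key):
                errors.append(f"feedinfo.{key}: missing required field")
    reports = payload.get("reports")
    if not isinstance(reports, list):
        errors.append("reports: must be a list")
    else:
        seen = set()
        for i, report in enumerate(reports):
            validate_report(report, f"reports[{i}]", errors)
            if report.get("id") in seen:  # assumption: report ids are unique within a feed
                errors.append(f"reports[{i}].id: duplicate report id {report.get('id')!r}")
            seen.add(report.get("id"))
    return errors


def build_create_request(hostname, org_key, api_id, api_secret, payload, reserved=False):
    """Return (method, url, headers, body) for the create-feed call, or raise ValueError.

    X-Auth-Token takes the '<API secret>/<API ID>' form shown in the delegates_auth_token
    examples above; nothing is sent from here.
    """
    errors = validate_feed(payload)
    if errors:
        raise ValueError("; ".join(errors))
    url = f"https://{hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds"
    if reserved:
        url += "/reserved"
    headers = {"X-Auth-Token": f"{api_secret}/{api_id}",
               "Content-Type": "application/json"}
    return "POST", url, headers, json.dumps(payload)


# Constructed sample payload, mirroring the request-body example above.
SAMPLE_FEED = {
    "feedinfo": {"name": "My Feed", "provider_url": "https://example.com",
                 "summary": "Summary for my feed", "category": "external_threat_intel",
                 "source_label": "Label for threat intel source"},
    "reports": [{
        "id": "Report_ID_1", "timestamp": 1571083459, "title": "YARA",
        "description": "microsoft:microsoft", "severity": 1,
        "link": "https://microsoft.com/en-us/", "tags": ["safe", "website"],
        "iocs_v2": [{"id": "IOC_ID_1", "match_type": "equality",
                     "values": ["SHA256HashOfAProcess"], "field": "process_sha256",
                     "link": None}],
        "visibility": "visible",
    }],
}

if __name__ == "__main__":
    # Placeholder hostname, org key and credentials; no request is sent.
    method, url, headers, body = build_create_request(
        "defense-eap01.conferdeploy.net", "ABCD1234", "API_ID", "API_SECRET",
        SAMPLE_FEED, reserved=True)
    print(method, url)
    print(body)
```

Run with the placeholder credentials replaced and hand the returned tuple to whatever HTTP client you use; a payload that fails validation raises ValueError listing every violation at once, which is more useful than the bare 400 the service returns.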
Delete feed with feed_id. This feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | DELETE |
Request
DELETE {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | Successfully deleted Feed | application/json | None |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX
Response
204 No Content
Retrieve feed info metadata for feed with feed_id. This feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully retrieved Feed Info | application/json | View example response below |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/feedinfo
Response
{
"name": "My Feed",
"owner": "ABCD1234",
"provider_url": "https://example.com",
"summary": "Example Feed",
"category": "None",
"source_label": null,
"access": "private",
"id": "ABCDEFGHIJKLMNOPQRSTUVWX"
}
Update feed info metadata for feed with feed_id. This feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | UPDATE |
Request
PUT {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/feedinfo
Request Body
{
"name": "<string>",
"provider_url": "<string>",
"summary": "<string>",
"category": "<string>",
"source_label": "<string>",
"access": "<string>"
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
name | Name for the Feed | String | N/A |
provider_url | URL for where the Feed information will come from | String | N/A |
summary | Summary for the Feed | String | N/A |
category | Category for the Feed | String | N/A |
source_label | Label for where the Feed information will come from | String | N/A |
access REQUIRED | Access level for the Feed | String | private |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully updated the Feed Info | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
PUT https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/feedinfo
Request Body
{
"name": "New Name",
"provider_url": "https://example.com",
"summary": "New Summary",
"category": "New Category",
"source_label": "New Source",
"access": "private"
}
Response
{
"name": "New Name",
"owner": "ABCD1234",
"provider_url": "https://example.com",
"summary": "New Summary",
"category": "New Category",
"source_label": "New Source",
"access": "private",
"id": "ABCDEFGHIJKLMNOPQRSTUVWX"
}
Retrieve the delegated orgs for a reserved feed. These orgs do not own the feed but have read access to its contents. Feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/reserved/{feed_id}/delegates
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully retrieved delegates | application/json | View example response below |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/reserved/ABCDEFGHIJKLMNOPQRSTUVWX/delegates
Response
{
"delegates": [
"ABCD1234"
]
}
Update the list of organizations that can access a reserved feed.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | UPDATE |
Request
PUT {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/reserved/{feed_id}/delegates
Request Body
{
"delegates": [
"<string>",
"<string>"
],
"delegates_auth_token": "<string>"
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
delegates REQUIRED | List of delegates to assign to the feed. | [String] | N/A |
delegates_auth_token | X-Auth-Token to verify which delegates the caller has access to. Overrides the X-Auth-Token sent with request headers. | String | N/A |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successful Request | application/json | View example response below |
400 | Invalid request | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
PUT {cbc-hostname}/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/reserved/V0nmzJsjSPaZq5XHWEkDQ/delegates
Request Body
{
"delegates": [
"ABCD1234",
"EFGH5678"
],
"delegates_auth_token": "ABCDEFGHIJKLMNOPQRSTUVWX/12345678"
}
Response
{
"delegates": [
"ABCD1234",
"EFGH5678"
]
}
Retrieve all the reports for feed with feed_id. Feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully retrieved reports | application/json | View example response below |
400 | Invalid request | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/reports
Response
{
"results": [
{
"id": "customID",
"timestamp": 1571083459,
"title": "yara",
"description": "microsoft:microsoft",
"severity": 5,
"link": "mycustomlink",
"tags": [
"mycustomtag"
],
"iocs": null,
"iocs_v2": [
{
"id": "myCustomID",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}
]
}
Replace reports for feed ID. All IOCs will be converted to IOCv2. Any existing reports not in the payload will be deleted. Feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | CREATE |
Request
POST {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports
Request Body
{
"reports": [{
"id": "<string>",
"timestamp": "<integer>",
"title": "<string>",
"description": "<string>",
"severity": "<integer>",
"link": "<string>",
"tags": ["<string>"],
"iocs": "<IOCv1>",
"iocs_v2": ["<IOCv2>"],
"visibility": "<string>"
}]
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
id REQUIRED | Report ID | String | N/A |
title REQUIRED | Report title | String | N/A |
description REQUIRED | Report description | String | N/A |
timestamp REQUIRED | UNIX Epoch timestamp to associate with the report | Integer | N/A |
severity REQUIRED | Report severity | Integer | Between 1 and 10, inclusive |
link | A URL to associate with the report | String | N/A |
tags | List of report tags | [String] | N/A |
iocs | IOCs to associate with the report. IOCs will be converted to IOCv2 format. | IOCv1 | IOCv1 |
iocs_v2 | IOCv2’s to associate with the report. Preferred over IOCs. | Array | [IOCv2] |
visibility | Report visibility | String | N/A |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully replaced reports | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/reports
Request Body
{
"reports": [{
"id": "Report_ID_1",
"timestamp": 1604950037,
"title": "Report Title",
"description": "Report Description",
"severity": 2,
"link": "https://google.com",
"tags": ["false_positive"],
"iocs": null,
"iocs_v2": [
{
"id": "IOC_ID_1",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}]
}
Response
{
"success": true
}
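Because this endpoint replaces the feed's entire report list, a payload that carries only the report you mean to add or change silently deletes every other report in the feed. The helpers below are an added example, not Carbon Black's code: they take the report list a GET .../reports call returned (constructed here to mirror the example above) and the reports you intend to send, report which ids a bare replace would drop, and build the complete list to POST instead, with removals made explicit rather than accidental.

```python
"""Safe use of the replace-reports endpoint (added example)."""
import copy


def dropped_by_replace(existing, payload):
    """Ids of current reports that a replace with `payload` would delete."""
    keep = {r["id"] for r in payload}
    return sorted(r["id"] for r in existing if r["id"] not in keep)


def merge_reports(existing, incoming, remove_ids=()):
    """Return the full report list to POST.

    Current reports keep their order; an incoming report with the same id
    overrides the current one; new ids are appended; ids in `remove_ids` are
    dropped explicitly, which is the only way a report should disappear.
    Inputs are copied, not mutated.
    """
    by_id = {r["id"]: copy.deepcopy(r) for r in existing}
    for r in incoming:
        by_id[r["id"]] = copy.deepcopy(r)
    for rid in remove_ids:
        by_id.pop(rid, None)
    return list(by_id.values())


# Constructed sample: what GET .../reports returned (mirrors the example above)
# and the single new report the operator wants to add.
EXISTING = [
    {"id": "customID", "timestamp": 1571083459, "title": "yara",
     "description": "microsoft:microsoft", "severity": 5, "link": "mycustomlink",
     "tags": ["mycustomtag"], "iocs": None,
     "iocs_v2": [{"id": "myCustomID", "match_type": "equality",
                  "values": ["SHA256HashOfAProcess"], "field": "process_sha256",
                  "link": None}],
     "visibility": "visible"},
]
INCOMING = [
    {"id": "Report_ID_1", "timestamp": 1604950037, "title": "Report Title",
     "description": "Report Description", "severity": 2, "link": "https://google.com",
     "tags": ["false_positive"], "iocs": None,
     "iocs_v2": [{"id": "IOC_ID_1", "match_type": "equality",
                  "values": ["SHA256HashOfAProcess"], "field": "process_sha256",
                  "link": None}],
     "visibility": "visible"},
]

if __name__ == "__main__":
    print("a replace with only INCOMING would delete:", dropped_by_replace(EXISTING, INCOMING))
    full = merge_reports(EXISTING, INCOMING)
    print("report ids to POST instead:", [r["id"] for r in full])
```

Fetch the current reports, run dropped_by_replace over the payload you are about to send, and treat a non-empty result as a reason to stop unless those ids are on your explicit removal list.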
Return report with report_id. Feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
GET {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports/{report_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully retrieved report | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/reports/Report_ID_1
Response
{
"report": {
"id": "Report_ID_1",
"timestamp": 1604950037,
"title": "Report Title",
"description": "Report Description",
"severity": 2,
"link": "https://google.com",
"tags": [
"false_positive"
],
"iocs": null,
"iocs_v2": [
{
"id": "IOC_ID_1",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}
}
Update report with report_id. All IOCs will be converted to IOCv2. Currently, there are three types for IOCv2: query, equality, and regex. Feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | CREATE / UPDATE |
Request
PUT {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports/{report_id}
Request Body
{
"id": "<string>",
"timestamp": "<integer>",
"title": "<string>",
"description": "<string>",
"severity": "<integer>",
"link": "<string>",
"tags": ["<string>"],
"iocs": "<IOCv1>",
"iocs_v2": ["<IOCv2>"],
"visibility": "<string>"
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
id REQUIRED | Report ID | String | N/A |
title REQUIRED | Report title | String | N/A |
description REQUIRED | Report description | String | N/A |
timestamp REQUIRED | UNIX Epoch timestamp to associate with the report | Integer | Must be the current UNIX timestamp |
severity REQUIRED | Report severity | Integer | Between 1 and 10, inclusive |
link | A URL to associate with the report | String | N/A |
tags | List of report tags | [String] | N/A |
iocs | IOCs to associate with the report. IOCs will be converted to IOCv2 format. | IOCv1 | IOCv1 |
iocs_v2 | IOCv2’s to associate with the report. Preferred over IOCs. | Array | [IOCv2] |
visibility | Report visibility | String | N/A |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully updated report | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
PUT https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/reports/Report_ID_1
Request Body
{
"id": "Report_ID_1",
"timestamp": 1604950037,
"title": "New Report Title",
"description": "Report Description",
"severity": 2,
"link": "https://google.com",
"tags": ["false_positive"],
"iocs": null,
"iocs_v2": [
{
"id": "New_IOC_ID_1",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}
Response
{
"id": "Report_ID_1",
"timestamp": 1604950476,
"title": "New Report Title",
"description": "Report Description",
"severity": 2,
"link": "https://google.com",
"tags": [
"false_positive"
],
"iocs": null,
"iocs_v2": [
{
"id": "New_IOC_ID_1",
"match_type": "equality",
"values": [
"SHA256HashOfAProcess"
],
"field": "process_sha256",
"link": null
}
],
"visibility": "visible"
}
Delete report with report_id. Feed must be owned by the caller.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | DELETE |
Request
DELETE {cbc-hostname}/threathunter/feedmgr/v2/orgs/{org_key}/feeds/{feed_id}/reports/{report_id}
Response
Code | Description | Content-Type | Content |
---|---|---|---|
204 | Successfully deleted report | application/json | None |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
DELETE https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/orgs/ABCD1234/feeds/ABCDEFGHIJKLMNOPQRSTUVWX/reports/Report_ID_1
Response
204 No Content
Convert EDR query to Enterprise EDR query. This will adjust field names and other syntax to match Enterprise EDR Solr requirements.
RBAC Permissions Required
Permission (.notation name) | Operation(s) |
---|---|
org.feeds | READ |
Request
POST {cbc-hostname}/threathunter/feedmgr/v2/query/translate
Request Body
{
"query": "<string>"
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
query | EDR query to convert to Enterprise EDR syntax | String | N/A |
Response
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully converted query | application/json | View example response below |
400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
403 | Forbidden | N/A | N/A |
500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense-eap01.conferdeploy.net/threathunter/feedmgr/v2/query/translate
Request Body
{
"query": "path:\"microsoft office\\office15\\powerpnt.exe\""
}
Response
{
"query": "(process_name:\"microsoft\\ office\\\\office15\\\\powerpnt.exe\") -enriched:true"
}
NOTE: fields marked REQUIRED are required.
FeedInfo
Field | Definition | Data Type | Values |
---|---|---|---|
name REQUIRED | Name for the Feed | String | N/A |
provider_url REQUIRED | URL for where the Feed information will come from | String | N/A |
summary REQUIRED | Summary for the Feed | String | N/A |
category REQUIRED | Category for the Feed | String | N/A |
source_label | Label for where the Feed information will come from | String | N/A |
owner | What organization owns the Feed | String | N/A |
access | Type of access to the Feed. Only private Feeds can be created. Carbon Black provides public Feeds. | String | private , public |
id | ID for the Feed | String | N/A |
QueryIOC
Field | Definition | Data Type | Values |
---|---|---|---|
index_type | What type of data to search for | String | events , processes |
search_query REQUIRED | The Enterprise EDR search query | String | N/A |
You can continue to use the IOCv1 structure documented below until it is deprecated. The most up-to-date IOC structure is IOCv2, documented directly after it.
IOCv1
Field | Definition | Data Type | Values |
---|---|---|---|
md5 | List of MD5 hashes | [String] | N/A |
ipv4 | List of IPv4 addresses | [String] | N/A |
ipv6 | List of IPv6 addresses | [String] | N/A |
dns | List of DNS addresses | [String] | N/A |
query | List of queries | [QueryIOC] | N/A |
IOCv2
Field | Definition | Data Type | Values |
---|---|---|---|
id REQUIRED | IOC ID | String | N/A |
match_type REQUIRED | IOC match type | String | equality , regex , query |
values REQUIRED | List of values to match on | [String] | N/A |
field | Search field to match on | String | N/A |
link | Link to where the information came from | String | N/A |
Report
Field | Definition | Data Type | Values |
---|---|---|---|
id REQUIRED | Report ID | String | N/A |
title REQUIRED | Report title | String | N/A |
description REQUIRED | Report description | String | N/A |
timestamp REQUIRED | UNIX Epoch timestamp to associate with the report | Integer | N/A |
severity REQUIRED | Report severity | Integer | Between 1 and 10, inclusive |
link | A URL to associate with the report | String | N/A |
tags | List of report tags | [String] | N/A |
iocs | IOCs to associate with the report. IOCs will be converted to IOCv2 format. | IOCv1 | IOCv1 |
iocs_v2 | IOCv2’s to associate with the report. Preferred over IOCs. | Array | [IOCv2] |
visibility | Report visibility | String | N/A |
Feed
Field | Definition | Data Type | Values |
---|---|---|---|
feedinfo REQUIRED | Information about the Feed | FeedInfo | N/A |
reports REQUIRED | List of Reports in the Feed | [Report] | N/A |
IOCs can be written in three different ways: equality, regex, or query. The equality and regex IOCs are run on ingress, whereas the query IOC is run using a rolling window once the data reaches the data store. Because the equality and regex IOCs happen on ingress and do not need any part of the query language, these IOC match types perform better than the query IOC.
{
"id": "1af4e5ff584a",
"match_type": "equality",
"field": "process_sha256",
"values": ["68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728"],
"link": "https://carbonblack.com"
}
This regular expression looks for double file extensions.
{
"id": "1af4e5ff584a",
"match_type": "regex",
"field": "process_name",
"values": ["/\\\\..{3}\\\\..{3}/"],
"link": "https://carbonblack.com"
}
{
"id": "1af4e5ff584a",
"match_type": "query",
"values": ["process_name:malware.exe"],
"link": "https://carbonblack.com"
}
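The difference between the three match types is easiest to see by applying them to events. The block below is an added example, not Carbon Black's code or its matching engine: it approximates the ingress evaluation described above for equality and regex IOCs (look up the IOC's field in the event, then compare exactly or by regular expression) over a few constructed events, and lists query IOCs as deferred, since the page says those run against the data store on a rolling window rather than on ingress. The double-extension regex, the case-insensitive comparison and the sample events are assumptions constructed for the example.

```python
"""Local approximation of ingress matching for equality and regex IOCv2 entries (added example)."""
import re

# Constructed IOCs in the three shapes shown above.  The regex is an assumed
# double-extension pattern ("invoice.pdf.exe"), not the page's own expression.
IOCS = [
    {"id": "ioc-sha256", "match_type": "equality", "field": "process_sha256",
     "values": ["68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728"]},
    {"id": "ioc-double-ext", "match_type": "regex", "field": "process_name",
     "values": [r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$"]},
    {"id": "ioc-query", "match_type": "query", "values": ["process_name:malware.exe"]},
]

# Constructed sample events carrying only the fields the IOCs above look at.
EVENTS = [
    {"event_id": "e1", "process_name": "c:\\users\\bob\\invoice.pdf.exe",
     "process_sha256": "68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728"},
    {"event_id": "e2", "process_name": "c:\\windows\\system32\\svchost.exe",
     "process_sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"event_id": "e3", "process_name": "c:\\temp\\report.docx.scr",
     "process_sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
]


def match_on_ingress(ioc, event):
    """True/False for an equality or regex IOC; None for a query IOC (not evaluated here)."""
    match_type = ioc["match_type"]
    if match_type == "query":
        return None
    value = event.get(ioc["field"])
    if value is None:
        return False  # the event does not carry the field this IOC keys on
    if match_type == "equality":
        # Assumption: case-insensitive comparison, so hash case in the feed does not matter.
        return value.lower() in {v.lower() for v in ioc["values"]}
    if match_type == "regex":
        return any(re.search(pattern, value, re.IGNORECASE) for pattern in ioc["values"])
    raise ValueError(f"unknown match_type {match_type!r}")


def evaluate(iocs, events):
    """Return (hits, deferred): hits as (ioc_id, event_id) pairs, deferred as query IOC ids."""
    hits, deferred = [], []
    for ioc in iocs:
        if ioc["match_type"] == "query":
            deferred.append(ioc["id"])
            continue
        for event in events:
            if match_on_ingress(ioc, event):
                hits.append((ioc["id"], event["event_id"]))
    return hits, deferred


if __name__ == "__main__":
    hits, deferred = evaluate(IOCS, EVENTS)
    for ioc_id, event_id in hits:
        print(f"hit: {ioc_id} matched {event_id}")
    print("query IOCs left to the data store:", deferred)
```

Note that the regex is compiled by Python's re module, which is not the engine the platform uses; a pattern that works here still needs to be checked against the platform's own syntax before it goes into a feed.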