Threat Hunt API
Overview
Use this API to get descriptive information about a threat hunt - targeted investigation - conducted by the MDR team.
Requirements
- Enterprise EDR
- Managed Threat Hunting
Key Features
- If an alert has the threat_hunt_id field populated, use this API to get information about the Threat Hunt that generated the alert.
- The threat_hunt_id and threat_hunt_name can also be used to search for alerts that were found in that threat hunt.
Resources
- Carbon Black Cloud User Guide - Managed Threat Hunting
- Alerts v7 API
- Alerts Fields
- Carbon Black Postman Workspace
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.
Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Environment
Available on the majority of environments; use the Carbon Black Cloud Console URL, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- {cbc-hostname}/mdr/threathuntingview/v1/orgs/{org_key}/threathunts/{id}
Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
- Alerts > ThreatHunt > org.mdr.threathunts, allow permission to READ
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
API Calls
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.mdr.threathunts | READ | Majority of environments |
Get Threat Hunt by ID
Request
GET {cbc-hostname}/mdr/threathuntingview/v1/orgs/{org_key}/threathunts/{id}
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | OK | application/json | Example response below |
400 | Bad Request | application/json | N/A |
403 | Forbidden | application/json | N/A |
429 | Too Many Requests | application/json | N/A |
500 | Internal Server Error | application/json | N/A |
Examples
To download or review the Carbon Black Cloud Postman collection, click here.
Request
GET https://defense.conferdeploy.net/mdr/threathuntingview/v1/orgs/ABCD1234/threathunts/aa11-bb22-cc33-dd44
Request Headers
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Response Body
{
"id": "aa11-bb22-cc33-dd44",
"name": "GroutLoader Test",
"description": "GroutLoader was discovered by security researchers today; it leverages a previously undiscovered 0-day in Microsoft Excel to download & remotely execute malicious powershell. While details of the threat are still emerging, actors appear to be establishing persistence on assets through scheduled tasks.",
"threat_hunt_status": "COMPLETED",
"created_timestamp": "2023-09-20T03:03:13.540Z",
"time_range": {
"start": "2023-08-20T00:00:00Z",
"end": "2023-09-20T03:03:13.540Z",
"range": "-1M"
}
}
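The script below is an added example and is not part of the Carbon Black Cloud documentation or SDK. It builds the Get Threat Hunt by ID request shown above, maps the documented response codes (400, 403, 429) to Python errors with a Retry-After backoff on 429, parses the example response body into a small record, and then builds the pivot the Key Features section describes: searching alerts by threat_hunt_id, scoped to the hunt's own time_range. The hostname, org_key, hunt id and response body are the placeholder values from the page's example (the description is shortened). The Alerts v7 `_search` route and the use of `threat_hunt_id` as a search criterion are assumptions drawn from the Alerts v7 API linked under Resources; they are not stated on this page.

```python
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

# Placeholder values copied from the page's example request; replace with your own.
CBC_HOSTNAME = "https://defense.conferdeploy.net"
ORG_KEY = "ABCD1234"
HUNT_ID = "aa11-bb22-cc33-dd44"

# The page's example response body (description shortened), embedded so the
# parser can be exercised offline.
SAMPLE_RESPONSE = b'''{
  "id": "aa11-bb22-cc33-dd44",
  "name": "GroutLoader Test",
  "description": "GroutLoader was discovered by security researchers today.",
  "threat_hunt_status": "COMPLETED",
  "created_timestamp": "2023-09-20T03:03:13.540Z",
  "time_range": {"start": "2023-08-20T00:00:00Z", "end": "2023-09-20T03:03:13.540Z", "range": "-1M"}
}'''

THREAT_HUNT_ROUTE = "/mdr/threathuntingview/v1/orgs/{org_key}/threathunts/{hunt_id}"
# Assumption: the Alerts v7 search route linked under Resources; not documented on this page.
ALERTS_SEARCH_ROUTE = "/api/alerts/v7/orgs/{org_key}/alerts/_search"


@dataclass
class ThreatHunt:
    id: str
    name: str
    description: str
    status: str
    created_timestamp: str
    start: str
    end: str


def build_request(hostname: str, org_key: str, hunt_id: str, api_key: str) -> urllib.request.Request:
    """GET for Threat Hunt by ID. api_key is the 'API Secret Key/API ID' string of a
    key whose Custom access level grants org.mdr.threathunts READ; it is sent in
    X-AUTH-TOKEN without surrounding quotes."""
    url = hostname.rstrip("/") + THREAT_HUNT_ROUTE.format(org_key=org_key, hunt_id=hunt_id)
    headers = {"X-AUTH-TOKEN": api_key, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def parse_threat_hunt(body: bytes) -> ThreatHunt:
    """Pick the documented fields out of a 200 response body."""
    doc = json.loads(body)
    window = doc.get("time_range") or {}
    return ThreatHunt(
        id=doc["id"],
        name=doc["name"],
        description=doc.get("description", ""),
        status=doc["threat_hunt_status"],
        created_timestamp=doc["created_timestamp"],
        start=window.get("start", ""),
        end=window.get("end", ""),
    )


def fetch_threat_hunt(hostname, org_key, hunt_id, api_key, max_retries=3) -> ThreatHunt:
    """Call the API, mapping the documented response codes to Python errors and
    honouring Retry-After on 429 (defaulting to 10 s if the header is absent).
    A 429 on the final attempt, and any other code, re-raises the HTTPError."""
    req = build_request(hostname, org_key, hunt_id, api_key)
    for attempt in range(max_retries + 1):
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return parse_threat_hunt(resp.read())
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < max_retries:
                time.sleep(float(err.headers.get("Retry-After", "10")))
                continue
            if err.code == 403:
                raise PermissionError(
                    "403: API key lacks org.mdr.threathunts READ, or org_key is wrong") from err
            if err.code == 400:
                raise ValueError(f"400: malformed request, check hunt id {hunt_id!r}") from err
            raise


def alerts_search_body(hunt: ThreatHunt, rows: int = 100) -> dict:
    """Body for the Alerts v7 _search pivot: alerts raised by this hunt, scoped to the
    hunt's own time window. Assumption: threat_hunt_id is accepted as a criteria key,
    as the page says the id can be used to search for the hunt's alerts."""
    return {
        "criteria": {"threat_hunt_id": [hunt.id]},
        "time_range": {"start": hunt.start, "end": hunt.end},
        "rows": rows,
    }


if __name__ == "__main__":
    import os
    hunt = fetch_threat_hunt(CBC_HOSTNAME, ORG_KEY, HUNT_ID, os.environ["CBC_API_KEY"])
    print(hunt.name, hunt.status)
    print(json.dumps(alerts_search_body(hunt), indent=2))
```

Run it with the API key in the CBC_API_KEY environment variable rather than on the command line, so the secret does not land in shell history or process listings. A 403 from this route most often means the key's Custom access level is missing org.mdr.threathunts READ, not that the hunt does not exist.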
Last modified on October 25, 2023