Observations API
Overview
This API lets you search through all Observations, which are noteworthy activity reported by your organization’s sensors, to find one or more specific Observations that match the search criteria. You can:
- See tactics, techniques and procedures (TTPs) and the MITRE CVEs associated with potentially malicious activity
- Get visibility into the cyber kill chain stage at which attacks were stopped
- Identify the family and name of malware observed and stopped on your organization’s endpoints
Use Cases
- Isolate the events associated with a specific CB Analytics Alert, find all events that led up to or were initiated after malicious or unwanted actions occurred, or find the events that the sensor initiated that specifically denied or terminated unwanted behavior with an Observation Search Job
- Look for patterns and prevalence of unusual activity across all the organization’s endpoints with an Observation Facet Job
Requirements
- Endpoint Standard or Enterprise EDR product
- All API calls require an API key with appropriate permissions, see Authentication for details
Guides and Resources
- Search Fields - Investigate APIs
- Carbon Black Cloud User Guide - Investigate - Observations
- Announcing the Alerts v7 API and “Observed Alerts” Become “Observations”
- Tech Zone - Identity Intelligence - Auth Event Breakdown
- Carbon Black Cloud Python SDK
- Carbon Black Postman Workspace
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.
Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Environment
Available on the majority of environments; use the Carbon Black Cloud Console URL, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_suggestions
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_validation
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs/{job_id}/results
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs/{job_id}/group_results
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs/{job_id}/results
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs/{job_id}/results
Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
- Search > Events > org.search.events, allow permission to CREATE, READ
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
Cloud Services Platform Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with OAuth Access Control; API access is controlled using OAuth apps or User API Tokens. This is currently limited to the UK Point of Presence and AWS GovCloud (US).
Environment
Available on Prod UK and AWS GovCloud (US). The full list of environments is available here; use the Carbon Black Cloud Console URL from Cloud Services Platform, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_suggestions
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_validation
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs/{job_id}/results
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs/{job_id}/group_results
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs/{job_id}/results
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs
- {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs/{job_id}/results
Access Level
Before you create your OAuth App, you need to create a custom Role with the following permissions under IDENTITY & ACCESS MANAGEMENT > Roles > VMware Carbon Black Cloud:
- _API.Search:org.Events, allow permission to CREATE, READ
API Authentication
The Cloud Services Platform supports several authentication options: Access Token, API Token and, for backward compatibility, X-Auth-Token. To learn about the differences, or how to use each authentication method, see the Authentication Guide.
Quick Start
All Observations searches follow the same pattern. The request has the structure below, where job_type is specified in the request path. The job_id is returned in the response and is then used to retrieve the results and status of the search.

Note: job_type is one of search_jobs, facet_jobs or detail_jobs.

POST https://defense.conferdeploy.net/api/investigate/v2/orgs/{org_key}/observations/{job_type}
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"

Results may be available immediately but will be incomplete until the job finishes. The job may take longer depending on the complexity of the query and the size of the search space.

GET https://defense.conferdeploy.net/api/investigate/v2/orgs/{org_key}/observations/{job_type}/{job_id}/results
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"

To efficiently check for the completion of a search job, fetch the results with the query string ?start=0&rows=0. Add a time.sleep(0.5) or an exponential backoff between status checks.

The job is complete when contacted == completed in the response; however, during high usage a searcher may fail, leaving a difference of 1. To prevent an infinite loop, add a timeout of 3 minutes, as a job’s maximum active time is limited to 3 minutes.

The results contain a num_found and a num_available field, indicating how many results were found and how many of those can be paginated. A search matching more results than can be returned through pagination will report num_found greater than num_available; this limitation exists to prevent performance degradation for searches matching a large number of events or processes. To return more of the matching results, apply a smaller time range to your search request, or use additional or more specific criteria, then run as many of these subset searches as needed to fetch the entire num_found from your original search.
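The submit-then-poll pattern described above, written out as an added example that is not code from this page or from the Carbon Black Cloud Python SDK. It uses only the standard library; the hostname, org key, job id and token are placeholders the caller supplies, and the status call is passed in as a fetch(start, rows) function so the loop can be exercised offline. Accepting a one-searcher shortfall as complete is an option that is off by default, since the page only says such a gap can occur under load; the 3 minute timeout is the real guard.

```python
"""Submit-then-poll pattern for Observations search jobs (added example; not code
from the Observations API page or the Carbon Black Cloud Python SDK).

Assumptions: hostname, org_key, job_id and token are caller-supplied placeholders;
the status call is injected as fetch(start, rows) so the logic runs offline.
"""
import json
import time
import urllib.request
from typing import Callable, Dict, List

JOB_TIMEOUT_S = 180.0     # the page: a job's maximum active time is 3 minutes
INITIAL_BACKOFF_S = 0.5   # the page suggests time.sleep(0.5) or exponential backoff
MAX_BACKOFF_S = 8.0

Fetch = Callable[[int, int], Dict]


def make_results_fetcher(hostname: str, org_key: str, job_id: str, token: str,
                         job_type: str = "search_jobs") -> Fetch:
    """Build a fetch(start, rows) that GETs .../observations/{job_type}/{job_id}/results.
    All four identifiers are placeholders the caller fills in."""
    def fetch(start: int, rows: int) -> Dict:
        url = (f"{hostname}/api/investigate/v2/orgs/{org_key}/observations/"
               f"{job_type}/{job_id}/results?start={start}&rows={rows}")
        req = urllib.request.Request(url, headers={"X-AUTH-TOKEN": token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return fetch


def is_complete(status: Dict, tolerate_failed_searcher: bool = False) -> bool:
    """The page's completion rule: contacted == completed. Optionally accept a gap of
    exactly 1, the shortfall the page says a failed searcher leaves under high load."""
    contacted = status.get("contacted", 0)
    completed = status.get("completed", 0)
    if contacted <= 0:
        return False
    gap = contacted - completed
    return gap == 0 or (tolerate_failed_searcher and gap == 1)


def wait_for_job(fetch: Fetch, timeout_s: float = JOB_TIMEOUT_S,
                 tolerate_failed_searcher: bool = False,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> Dict:
    """Poll ?start=0&rows=0 with exponential backoff until the job is complete or the
    3 minute budget is spent. The returned body gains a 'timed_out' flag."""
    deadline = clock() + timeout_s
    backoff = INITIAL_BACKOFF_S
    while True:
        status = fetch(0, 0)   # rows=0: cheap status check, no result rows transferred
        if is_complete(status, tolerate_failed_searcher):
            status["timed_out"] = False
            return status
        if clock() >= deadline:
            status["timed_out"] = True   # the guard against an infinite loop
            return status
        sleep(backoff)
        backoff = min(backoff * 2, MAX_BACKOFF_S)


def fetch_all_results(fetch: Fetch, page_size: int = 500) -> Dict:
    """Page through everything the job will hand out (num_available). When num_found is
    larger, 'truncated' tells the caller to rerun with a narrower time_range or criteria."""
    first = fetch(0, page_size)
    results: List[Dict] = list(first.get("results", []))
    num_found = first.get("num_found", 0)
    num_available = first.get("num_available", 0)
    while len(results) < num_available:
        page = fetch(len(results), page_size)
        rows = page.get("results", [])
        if not rows:
            break   # defensive: never spin if the backend returns an empty page
        results.extend(rows)
    return {"results": results, "num_found": num_found,
            "num_available": num_available, "truncated": num_found > num_available}
```

In practice you would call make_results_fetcher with your own environment's values, pass the result to wait_for_job, and only call fetch_all_results once timed_out is False; a truncated result is the signal to split the search by a smaller time_range or tighter criteria, exactly as the text above advises.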
API Calls
Search Suggestions for Observations
Returns suggestions for the observations search based on fields in the organization’s system. Will return field names if the “suggest.q” parameter does not yet contain a colon and will return no suggestion otherwise.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_suggestions
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
suggest.q | Yes | String | The query to generate suggestions for |
suggest.count | No | Integer | The number of suggestions to return |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got event suggestions | application/json | See sample response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
500 | Server Error | application/json | |
Examples
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_suggestions?suggest.q=device_id
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"suggestions": [
{
"required_skus_all": [],
"required_skus_some": [
"threathunter",
"defense"
],
"term": "device_id",
"weight": 100
},
{
"required_skus_all": [
"xdr"
],
"required_skus_some": [],
"term": "netconn_remote_device_id",
"weight": 70
}
]
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_suggestions?suggest.q=device_id \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
from cbc_sdk.platform import Observation
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile='example_profile')
# Ask for up to 10 suggestions for the partial query "device_id"
result = Observation.search_suggestions(api, "device_id", 10)
print(result)
[{'term': 'device_id', 'weight': 300, 'required_skus_all': [], 'required_skus_some': ['threathunter', 'defense']}]
Validate Observation Search
Returns the validation status of a given observations query and potentially gives validation on how to fix invalid queries.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_validation
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
q | Yes | string | The query to validate |
cb.min_backend_timestamp | No | Integer | The start time for the query - unix timestamp in milliseconds |
cb.max_backend_timestamp | No | Integer | The end time for the query - unix timestamp in milliseconds |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got search validation | application/json | See sample response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
500 | Server Error | application/json | |
Examples
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_validation?q=*:*&cb.min_backend_timestamp=1641469642000&cb.max_backend_timestamp=1678103242000
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"valid": true,
"value_search_query": false
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_validation?q=*:*&cb.min_backend_timestamp=1641469642000&cb.max_backend_timestamp=1678103242000 \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Observation Search Job
Create Search Job
Creates an observations search job. The results for the search job may be requested using the query ID returned. This route will not request facets.
An alternative way to execute searches and get the results in a zipped CSV file is the Event Export functionality with api_resource = OBSERVATIONS, which leverages the Job Service API.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs
Request Body - application/json
{
"collapse_field": [ "<string>" ],
"criteria": "<object>",
"exclusions": "<object>",
"fields": ["<string>", "<string>"],
"query": "<string>",
"rows": <long>,
"sort": [
{
"field": "<string>",
"order": "<string>"
},
{
"field": "<string>",
"order": "<string>"
}
],
"start": <long>,
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
collapse_field | The field(s) to collapse the results by when searching. The search will only return one result per value for the specified field. | Array | Supported: device_id |
criteria | Criteria is an object that represents values that must be in the results. Either query or criteria/exclusion must be included. | Object | |
exclusions | Exclusions is a map that represents values that must not be in the results. Either query or criteria/exclusion must be included. | Object | |
fields | A list of fields to include in the results; specify * to return all the default fields. If additional fields are required, consider using the Details Job, which is more performant. If needed by the use case, additional fields can be named in this list. | String | ["*"] |
query | Query in Lucene syntax and/or including value searches. Either query or criteria/exclusion must be included. | String | N/A |
rows | Number of rows to request, can be paginated | Long | Default: 500. Max: 10k |
sort | Sort is a collection of sort parameters that specify a field and order to sort the results. | Array | order supports asc or desc |
start | First row to use for pagination | Long | Default: 0 |
time_range | Describes a time window to restrict the search to match, using device_timestamp as the reference. Window will take priority over start and end if provided. | Object | window: “-2w” where y=year, w=week, d=day, h=hour, m=minute, s=second; start: ISO 8601 UTC timestamp; end: ISO 8601 UTC timestamp |
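The body schema rules above (window priority over start/end, the window unit letters, the 10k row ceiling, the query-or-criteria requirement and the single supported collapse_field) as a client-side validator. This is an added example, not code from this page or the Carbon Black Cloud Python SDK; the only assumption it makes beyond the page is that a year in a window counts as 365 days.

```python
"""Resolve an Observations search_jobs time_range and validate a request body.

Added example, not code from the Observations API page or the CBC Python SDK.
It implements the body-schema rules as stated: window (e.g. "-2w", units y/w/d/h/m/s)
takes priority over start/end, start/end are ISO 8601 UTC timestamps, rows is at most
10k, query or criteria/exclusions must be present, collapse_field supports device_id.
Assumption not on the page: a year is 365 days for window arithmetic.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

_UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
_WINDOW_RE = re.compile(r"^-(\d+)([ywdhms])$")
MAX_ROWS = 10_000


def parse_window(window: str) -> timedelta:
    """'-2w' -> 14 days. Only the negative, single-unit form the page shows is accepted."""
    m = _WINDOW_RE.match(window.strip())
    if not m:
        raise ValueError(f"unsupported window syntax: {window!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def parse_iso_utc(value: str) -> datetime:
    """Parse the ISO 8601 UTC form in the page's examples, e.g. 2020-01-18T18:34:04Z."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must be UTC with an offset or trailing Z: {value!r}")
    return dt.astimezone(timezone.utc)


def resolve_time_range(time_range: Dict[str, str],
                       now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return the absolute (start, end) the server will search; window wins over start/end."""
    now = now or datetime.now(timezone.utc)
    if "window" in time_range:
        return now - parse_window(time_range["window"]), now
    if "start" not in time_range or "end" not in time_range:
        raise ValueError("time_range needs a window or both start and end")
    start, end = parse_iso_utc(time_range["start"]), parse_iso_utc(time_range["end"])
    if start >= end:
        raise ValueError("time_range start must be earlier than end")
    return start, end


def build_search_body(query: str = "", time_range: Optional[Dict[str, str]] = None,
                      rows: int = 500, criteria: Optional[Dict] = None,
                      exclusions: Optional[Dict] = None,
                      collapse_field: Optional[List[str]] = None,
                      fields: Optional[List[str]] = None) -> Dict:
    """Assemble a search_jobs body, rejecting what the body schema says the API rejects."""
    if not (query or criteria or exclusions):
        raise ValueError("either query or criteria/exclusions must be included")
    if not 0 < rows <= MAX_ROWS:
        raise ValueError(f"rows must be between 1 and {MAX_ROWS}")
    if collapse_field and collapse_field != ["device_id"]:
        raise ValueError("collapse_field currently supports only device_id")
    body: Dict = {"rows": rows, "start": 0,
                  "sort": [{"field": "device_timestamp", "order": "asc"}],
                  "fields": fields or ["*"]}
    if query:
        body["query"] = query
    if criteria:
        body["criteria"] = criteria
    if exclusions:
        body["exclusions"] = exclusions
    if collapse_field:
        body["collapse_field"] = collapse_field
    if time_range:
        resolve_time_range(time_range)   # fail fast on a malformed range
        body["time_range"] = dict(time_range)
    return body
```

Validating the range locally before submitting saves a round trip for the 400 responses listed below, and resolve_time_range makes explicit which absolute bounds a window actually searches at the moment the job is created.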
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully submitted search for observations | application/json | See example response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_jobs
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"fields": ["*", "process_start_time"],
"sort": [
{
"field": "device_timestamp",
"order": "asc"
}
],
"rows": 10000,
"start": 0,
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}
{
"job_id": "442f48e8-a4ce-4574-986f-5695b9e52dcc"
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"fields": ["*", "process_start_time"],
"sort": [
{
"field": "device_timestamp",
"order": "asc"
}
],
"rows": 10000,
"start": 0,
"time_range": {
"end": "2020-01-27T18:34:04Z",
"start": "2020-01-18T18:34:04Z"
}
}'
from cbc_sdk.platform import Observation
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile="example_profile")
# Iterating the query submits the search job and retrieves its results
observations = api.select(Observation).where("process_name:svchost.exe")
print(*observations)
Observation object, bound to https://defense.conferdeploy.net.
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
backend_timestamp: 2023-05-31T17:32:38.959Z
device_group_id: 0
device_id: 17497436
device_name: cis12r1\win2012r1x64
device_policy_id: 19888416
device_timestamp: 2023-05-31T17:29:41.010Z
enriched: True
enriched_event_type: [list:1 item]:
[0]: CREATE_PROCESS
event_description: The application share link hash=1d35014d937...
event_id: f1af2716ffd811ed992d5782cf8f8308
event_type: childproc
ingress_time: 1685554288501
legacy: True
observation_description: The application share link hash="1d35014d937...
observation_id: f1af2716ffd811ed992d5782cf8f8308
observation_type: CONTEXTUAL_ACTIVITY
org_id: ABCD1234
parent_guid: ABCD1234-010afd5c-00000204-00000000-1d8cdbe70...
parent_pid: 516
process_guid: ABCD1234-010afd5c-0000039c-00000000-1d8cdbe72...
process_hash: [list:1 item]:
[0]: 1d35014d937e02ee090a0cfc903ee6e6b1b65c832694519...
process_name: c:\windows\system32\svchost.exe
process_pid: [list:1 item]:
[0]: 924
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
Get Results
Retrieves the observations search results for a given job ID. Results will be sorted based on the sort parameter used when starting the search.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs/{job_id}/results
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
start | No | Integer | Starting rows of events, used for pagination |
rows | No | Integer | Number of events to get, used for pagination |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got observations search results | application/json | See sample response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_jobs/7484eb31-666c-40b1-8dd7-5d5de0909169-sqs/results
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"224b4281-ccc5-faf2-47a2-e8b07621dfc3",
"5f071f02-4325-9bd0-2df4-5d430957b6da",
"a14fd205-916a-d11b-b9d9-c7cdad975cd5",
"fc6dfbf3-c264-3dba-6a06-1d009929308b"
],
"backend_timestamp": "2023-05-31T09:52:57.975Z",
"childproc_count": 0,
"crossproc_count": 158,
"device_external_ip": "10.10.10.10",
"device_group_id": 0,
"device_id": 6685063,
"device_installed_by": "tester",
"device_internal_ip": "10.243.93.126",
"device_location": "UNKNOWN",
"device_name": "desktop",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "default",
"device_policy_id": 6525,
"device_sensor_version": "3.9.0.2357",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-05-31T09:47:55.264Z",
"document_guid": "1JUvWe9RSX6jvio0IC0BMQ",
"enriched": true,
"enriched_event_type": [
"NETWORK"
],
"event_threat_score": [
0,
3
],
"filemod_count": 97,
"ingress_time": 1685526632142,
"legacy": true,
"modload_count": 47,
"netconn_count": 1244,
"observation_description": "The application share link hash=1d35014d937",
"observation_id": "f1af2716ffd811ed992d5782cf8f8308",
"observation_type": "CONTEXTUAL_ACTIVITY",
"org_id": "ABCD1234",
"parent_cmdline": "C:\\Windows\\system32\\services.exe",
"parent_cmdline_length": 32,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "APPROVED_DATABASE",
"parent_guid": "ABCD1234-00660187-00000264-00000000-1d9677f88c1cc0f",
"parent_hash": [
"d8e577bf078c45954f4531885478d5a9",
"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"
],
"parent_name": "c:\\windows\\system32\\services.exe",
"parent_pid": 612,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\System32\\svchost.exe -k utcsvc -p"
],
"process_cmdline_length": [
44
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "CLOUD",
"process_elevated": true,
"process_file_description": "Host Process for Windows Services",
"process_guid": "ABCD1234-00660187-00000a28-00000000-1d9677f8cc708f0",
"process_hash": [
"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"b7f884c1b74a263f746ee12a5f7c9f6a"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "svchost.exe",
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_original_filename": "svchost.exe",
"process_pid": [
2600
],
"process_privileges": [
"SeChangeNotifyPrivilege",
"SeCreateGlobalPrivilege",
"SeDebugPrivilege",
"SeImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeTcbPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.1806",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_service_name": [
"diagtrack"
],
"process_sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"process_start_time": "2023-04-05T05:29:10.450Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 1417,
"scriptload_count": 0,
"sensor_action": [
"BLOCK",
"DENY"
],
"ttp": [
"INTERNATIONAL_SITE",
"POLICY_DENY"
],
"watchlist_hit": [
"uB0MoTEMQNygtNX7iDlmmg:wclPcB3cQ3akRa6GnrrQzA:5"
]
}
],
"num_found": 1,
"num_available": 1,
"approximate_unaggregated": 13262,
"num_aggregated": 13262,
"contacted": 47,
"completed": 47
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_jobs/7484eb31-666c-40b1-8dd7-5d5de0909169-sqs/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
from cbc_sdk.platform import Observation
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile="example_profile")
# Iterating the query submits the search job and retrieves its results
observations = api.select(Observation).where("process_name:svchost.exe")
print(*observations)
Observation object, bound to https://defense.conferdeploy.net.
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
backend_timestamp: 2023-05-31T17:32:38.959Z
device_group_id: 0
device_id: 17497436
device_name: cis12r1\win2012r1x64
device_policy_id: 19888416
device_timestamp: 2023-05-31T17:29:41.010Z
enriched: True
enriched_event_type: [list:1 item]:
[0]: CREATE_PROCESS
event_description: The application share link hash=1d35014d937...
event_id: f1af2716ffd811ed992d5782cf8f8308
event_type: childproc
ingress_time: 1685554288501
legacy: True
observation_description: The application share link hash="1d35014d937...
observation_id: f1af2716ffd811ed992d5782cf8f8308
observation_type: CONTEXTUAL_ACTIVITY
org_id: ABCD1234
parent_guid: ABCD1234-010afd5c-00000204-00000000-1d8cdbe70...
parent_pid: 516
process_guid: ABCD1234-010afd5c-0000039c-00000000-1d8cdbe72...
process_hash: [list:1 item]:
[0]: 1d35014d937e02ee090a0cfc903ee6e6b1b65c832694519...
process_name: c:\windows\system32\svchost.exe
process_pid: [list:1 item]:
[0]: 924
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
Get Grouped Results
Retrieves the observations search group results for a given job ID. Results will be grouped based on the fields provided and/or by timestamp field duration.
There are two different methods of grouping available when a timestamp field is specified:
- interval (default) groups the documents when the timestamp difference between two consecutive sorted documents is less than the requested duration. For example, with input {doc1 = 10:00:00, doc2 = 10:07:00, doc3 = 10:13:00, doc4 = 10:27:00, duration = 10m}, doc1, doc2 and doc3 will be grouped into one group, since the time difference between sorted consecutive documents is less than the duration.
- bucket groups the documents in buckets of the duration’s length, meaning the time difference between the minimum and maximum timestamps within a group can be at most the duration. For example, with input {doc1 = 10:00:00, doc2 = 10:07:00, doc3 = 10:13:00, doc4 = 10:21:00, duration = 10m}, doc1 and doc2 will be grouped into the first group, since the time difference between them is less than the duration; doc3 will not be added to the first group because it would exceed the maximum capacity of the bucket.
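The two grouping methods, replayed on the page's own worked inputs so the difference is visible on both. This is an added example, not the Observations API's server-side implementation; it assumes, from the wording above, that interval uses a strict "less than the duration" gap between consecutive documents and that bucket lets a group's min-to-max span reach the duration (at most, so <=).

```python
"""The interval and bucket grouping rules of group_results, reproduced client-side.

Added example, not the Observations API's server implementation. It follows the
page's description and replays its two worked inputs. Assumptions: interval uses a
strict "less than duration" gap between consecutive documents; bucket lets the
min-to-max span of a group reach the duration (<=), per "up to the duration".
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

_DURATION_RE = re.compile(r"^(\d+)([hms])$")   # 3h, 5m, 100s: the units the schema lists


def parse_duration(value: str) -> timedelta:
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"duration must look like 3h, 5m or 100s, got {value!r}")
    unit = {"h": "hours", "m": "minutes", "s": "seconds"}[m.group(2)]
    return timedelta(**{unit: int(m.group(1))})


def group_by_time(docs: List[Dict], field: str, duration: str,
                  method: str = "interval") -> List[List[Dict]]:
    """Group docs by the timestamp in `field` (sorted ascending first).
    interval: join the current group if less than `duration` after the previous doc.
    bucket:   join the current group if at most `duration` after the group's first doc."""
    if method not in ("interval", "bucket"):
        raise ValueError("method must be interval or bucket")
    span = parse_duration(duration)
    groups: List[List[Dict]] = []
    for doc in sorted(docs, key=lambda d: d[field]):
        if groups:
            current = groups[-1]
            anchor = current[-1] if method == "interval" else current[0]
            gap = doc[field] - anchor[field]
            if (method == "interval" and gap < span) or (method == "bucket" and gap <= span):
                current.append(doc)
                continue
        groups.append([doc])
    return groups


def group_summary(groups: List[List[Dict]], field: str) -> List[Dict]:
    """Shape each group like the response: group_start/end_timestamp plus a member count."""
    return [{"group_start_timestamp": g[0][field].isoformat() + "Z",
             "group_end_timestamp": g[-1][field].isoformat() + "Z",
             "count": len(g)} for g in groups]


def _at(hhmm: str) -> datetime:
    hour, minute = (int(x) for x in hhmm.split(":"))
    return datetime(2023, 5, 31, hour, minute)   # constructed date; only the clock time matters


# Constructed inputs: the page's two worked examples, as documents keyed by device_timestamp.
INTERVAL_DOCS = [{"id": n, "device_timestamp": _at(t)}
                 for n, t in [("doc1", "10:00"), ("doc2", "10:07"), ("doc3", "10:13"), ("doc4", "10:27")]]
BUCKET_DOCS = [{"id": n, "device_timestamp": _at(t)}
               for n, t in [("doc1", "10:00"), ("doc2", "10:07"), ("doc3", "10:13"), ("doc4", "10:21")]]


def page_examples() -> Dict[str, List[List[str]]]:
    """Replay both worked examples; returns the document ids per group."""
    return {method: [[d["id"] for d in g]
                     for g in group_by_time(docs, "device_timestamp", "10m", method)]
            for method, docs in (("interval", INTERVAL_DOCS), ("bucket", BUCKET_DOCS))}


if __name__ == "__main__":
    print(page_examples())
```

Running the bucket input under interval collapses all four documents into one group (every consecutive gap is under 10 minutes), while the interval input under bucket splits into three groups; that is the practical difference when you are deciding which method to request for timeline-style triage.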
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/search_jobs/{job_id}/group_results
Request Body - application/json
{
"fields": ["string"],
"max_events_per_group": integer,
"range": {
"duration": "string",
"field": "string",
"method": "string"
},
"rows": integer,
"start": integer
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
fields | Fields to group the results by | Array | Valid fields: observation_type, device_name, process_username, attack_tactic |
max_events_per_group | Maximum number of events in a group; if not provided, all events will be returned | Integer | |
range | Describes a time window to restrict the search | Object | method: Method of grouping, either interval or bucket; field: Timestamp field used to group the range of results, e.g. device_timestamp; duration: Duration for grouping in hours, minutes or seconds, like 3h, 5m, 100s |
rows | Number of rows to request, can be paginated | Long | If not provided, no records will be returned. Max: 10k |
start | First row to use for pagination | Long | Default: 0 |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got observations search group results | application/json | See sample response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_jobs/123456/group_results
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"fields": [
"device_name"
],
"rows": 1
}
{
"group_results": [
{
"group_key": "device_name",
"group_value": "desktop",
"group_start_timestamp": "2023-05-31T09:47:55.264Z",
"group_end_timestamp": "2023-05-31T09:47:55.264Z",
"results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"224b4281-ccc5-faf2-47a2-e8b07621dfc3",
"5f071f02-4325-9bd0-2df4-5d430957b6da",
"a14fd205-916a-d11b-b9d9-c7cdad975cd5",
"fc6dfbf3-c264-3dba-6a06-1d009929308b"
],
"backend_timestamp": "2023-05-31T09:52:57.975Z",
"childproc_count": 0,
"crossproc_count": 158,
"device_external_ip": "10.10.10.10",
"device_group_id": 0,
"device_id": 6685063,
"device_installed_by": "tester",
"device_internal_ip": "10.243.93.126",
"device_location": "UNKNOWN",
"device_name": "desktop",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "default",
"device_policy_id": 6525,
"device_sensor_version": "3.9.0.2357",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-05-31T09:47:55.264Z",
"document_guid": "1JUvWe9RSX6jvio0IC0BMQ",
"enriched": true,
"enriched_event_type": [
"NETWORK"
],
"event_threat_score": [
0,
3
],
"filemod_count": 97,
"ingress_time": 1685526632142,
"legacy": true,
"modload_count": 47,
"netconn_count": 1244,
"observation_description": "The application share link hash=1d35014d937",
"observation_id": "f1af2716ffd811ed992d5782cf8f8308",
"observation_type": "CONTEXTUAL_ACTIVITY",
"org_id": "ABCD1234",
"parent_cmdline": "C:\\Windows\\system32\\services.exe",
"parent_cmdline_length": 32,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "APPROVED_DATABASE",
"parent_guid": "ABCD1234-00660187-00000264-00000000-1d9677f88c1cc0f",
"parent_hash": [
"d8e577bf078c45954f4531885478d5a9",
"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"
],
"parent_name": "c:\\windows\\system32\\services.exe",
"parent_pid": 612,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\System32\\svchost.exe -k utcsvc -p"
],
"process_cmdline_length": [
44
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "CLOUD",
"process_elevated": true,
"process_file_description": "Host Process for Windows Services",
"process_guid": "ABCD1234-00660187-00000a28-00000000-1d9677f8cc708f0",
"process_hash": [
"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"b7f884c1b74a263f746ee12a5f7c9f6a"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "svchost.exe",
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_original_filename": "svchost.exe",
"process_pid": [
2600
],
"process_privileges": [
"SeChangeNotifyPrivilege",
"SeCreateGlobalPrivilege",
"SeDebugPrivilege",
"SeImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeTcbPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.1806",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_service_name": [
"diagtrack"
],
"process_sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"process_start_time": "2023-04-05T05:29:10.450Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 1417,
"scriptload_count": 0,
"sensor_action": [
"BLOCK",
"DENY"
],
"ttp": [
"INTERNATIONAL_SITE",
"POLICY_DENY"
],
"watchlist_hit": [
"uB0MoTEMQNygtNX7iDlmmg:wclPcB3cQ3akRa6GnrrQzA:5"
]
}
],
"total_events": 1
}
],
"num_found": 1,
"num_available": 1,
"groups_num_available": 1,
"approximate_unaggregated": 13262,
"num_aggregated": 13262,
"contacted": 47,
"completed": 47
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/search_jobs/123456/group_results \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"fields": [
"device_name"
],
"rows": 1
}'
Response: identical to the JSON response shown for the HTTP request above.
from cbc_sdk.platform import Observation
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile="example_profile")
observation_groups = api.select(Observation).where("process_name:svchost.exe").get_group_results("device_name")
for group in observation_groups:
    for obs in group.observations:
        print(obs._info)
{'backend_timestamp': '2023-05-31T18:11:20.950Z', 'device_group_id': 0, 'device_id': 18458193, 'device_name': 'cnauto\\確認2019', 'device_policy_id': 19888416, 'device_timestamp': '2023-05-31T18:09:29.988Z', 'enriched': True, 'enriched_event_type': ['CREATE_PROCESS'], 'event_description': 'The application "<share><link hash="7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6">C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc</link></share" invoked the application "share link hash="ff4d515cdcbe9ce053d9cc4d3412f962875098ac87133019eeb12a0f9494bb91">c:\\windows\\system32\\pacjsworker.exe/link/share". The operation was successful.', 'event_id': '597b5206ffde11ed8aba57c9a698d109', 'event_type': 'childproc', 'ingress_time': 1685556618924, 'legacy': True, 'observation_description': 'The application "<share><link hash="7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6">C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc</link></share>" invoked the application "<share><link hash="ff4d515cdcbe9ce053d9cc4d3412f962875098ac87133019eeb12a0f9494bb91">c:\\windows\\system32\\pacjsworker.exe</link></share>". The operation was successful.', 'observation_id': '597b5206ffde11ed8aba57c9a698d109', 'observation_type': 'CONTEXTUAL_ACTIVITY', 'org_id': 'ABCD1234', 'parent_guid': 'ABCD1234-0119a651-00000284-00000000-1d9735d0985e31b', 'parent_pid': 644, 'process_guid': 'ABCD1234-0119a651-00000660-00000000-1d993e6d9b2f03e', 'process_hash': ['7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6'], 'process_name': 'c:\\windows\\system32\\svchost.exe', 'process_pid': [1632], 'process_username': ['NT AUTHORITY\\LOCAL SERVICE']}
Observation Detail Job
Create Detail Job
Creates an Observations detail job. The details include information about the given event that is not normally accessible during a search. The results of the detail job may be requested using the job ID returned.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs
Request Body - application/json
{
"alert_id": "<string>",
"observation_ids": ["<string>"],
"process_hash": "<string>",
"device_id": <integer>,
"count_unique_devices": <boolean>,
"max_rows": <integer>
}
Note: Either observation_ids or alert_id is required, but only one of them can be specified.
Note: Four new search payloads have been introduced: process_hash, device_id, count_unique_devices, and max_rows. The various combinations of these payloads yield distinct search outcomes:
- process_hash
  - Finds the oldest event with this process hash.
- process_hash + device_id
  - Finds the oldest event with this process hash on the given device_id.
- process_hash + count_unique_devices
  - Returns how many unique devices have executed this process hash. It is recommended to set max_rows to 10,000 to ensure valid results from the endpoint.
- max_rows
  - An optional parameter that can only be combined with process_hash. It limits the number of results the endpoint returns, with a maximum value of 10,000. Therefore, the following cases are valid:
    - process_hash + max_rows
    - process_hash + count_unique_devices + max_rows (recommended to be 10,000)
    - process_hash + device_id + max_rows: returns the top max_rows events, sorted from the oldest to the newest.
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
alert_id | An alert id to fetch associated observations | String | N/A |
observation_ids | A list of observation ids to fetch | Array | |
process_hash | A unique identifier for a specific process or event | String | N/A |
device_id | An identifier for the device where the event occurred | Integer | N/A |
count_unique_devices | When true, returns how many unique devices have executed the given process_hash | Boolean | |
max_rows | Limits the number of results the endpoint returns (maximum 10,000) | Integer | N/A |
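The request rules above (one of alert_id or observation_ids; device_id, count_unique_devices and max_rows only alongside process_hash; max_rows capped at 10,000) and the create/poll/paginate flow of a detail job, as an added example that is not SDK or project code. It assumes a hypothetical DetailJobClient with injected post/get callables and a constructed in-memory backend so it runs offline; that a process_hash search takes neither alert_id nor observation_ids is an assumption, since the documented combinations list neither.

```python
"""Detail-job body builder and create/poll/paginate flow (added example; not SDK or project code)."""
from typing import Any, Callable, Dict, List, Optional, Sequence

MAX_ROWS_LIMIT = 10_000  # documented maximum for max_rows
Doc = Dict[str, Any]


def build_detail_job_body(*, alert_id: Optional[str] = None,
                          observation_ids: Optional[Sequence[str]] = None,
                          process_hash: Optional[str] = None, device_id: Optional[int] = None,
                          count_unique_devices: Optional[bool] = None,
                          max_rows: Optional[int] = None) -> Doc:
    """Build the body for POST .../observations/detail_jobs, enforcing the rules stated above."""
    hash_opts = {"device_id": device_id, "count_unique_devices": count_unique_devices,
                 "max_rows": max_rows}
    if process_hash is None:
        if any(v is not None for v in hash_opts.values()):
            raise ValueError("device_id, count_unique_devices and max_rows require process_hash")
        if (alert_id is None) == (observation_ids is None):  # exactly one selector is allowed
            raise ValueError("specify exactly one of alert_id or observation_ids")
        if alert_id is not None:
            return {"alert_id": alert_id}
        if not observation_ids:
            raise ValueError("observation_ids must be a non-empty list")
        return {"observation_ids": list(observation_ids)}
    if alert_id is not None or observation_ids is not None:
        # Assumption: the documented process_hash combinations list neither selector.
        raise ValueError("process_hash cannot be combined with alert_id or observation_ids")
    if max_rows is None and count_unique_devices:
        hash_opts["max_rows"] = MAX_ROWS_LIMIT  # recommended for a reliable unique-device count
    if hash_opts["max_rows"] is not None and not 1 <= hash_opts["max_rows"] <= MAX_ROWS_LIMIT:
        raise ValueError(f"max_rows must be between 1 and {MAX_ROWS_LIMIT}")
    body: Doc = {"process_hash": process_hash}
    body.update({k: v for k, v in hash_opts.items() if v is not None})
    return body


class DetailJobClient:
    """Hypothetical minimal client; post/get callables are injected so the flow runs offline."""

    def __init__(self, hostname: str, org_key: str, post: Callable, get: Callable) -> None:
        self.base = f"{hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs"
        self.post, self.get = post, get

    def create(self, body: Doc) -> str:
        return self.post(self.base, body)["job_id"]

    def fetch_all(self, job_id: str, page_size: int = 500, max_polls: int = 20) -> List[Doc]:
        """Re-poll until completed == contacted, then page with start/rows up to num_available."""
        results: List[Doc] = []
        start = 0
        for _ in range(max_polls):
            page = self.get(f"{self.base}/{job_id}/results", {"start": start, "rows": page_size})
            if page["completed"] < page["contacted"]:
                continue  # some contacted shards have not answered yet (real code would sleep)
            results.extend(page["results"])
            start += len(page["results"])
            if start >= page["num_available"] or not page["results"]:
                return results
        raise TimeoutError(f"detail job {job_id} did not complete within {max_polls} polls")


def blocked_observations(results: List[Doc]) -> List[str]:
    """observation_ids where the sensor actually intervened (sensor_action BLOCK or DENY)."""
    return [r["observation_id"] for r in results
            if {"BLOCK", "DENY"} & set(r.get("sensor_action", []))]


def make_fake_backend():
    """Constructed in-memory stand-in for the API; documents use the field names shown on this page."""
    sample = [  # constructed observations, not real telemetry
        {"observation_id": "obs-1", "sensor_action": ["BLOCK", "DENY"], "ttp": ["POLICY_DENY"]},
        {"observation_id": "obs-2", "sensor_action": [], "ttp": []},
        {"observation_id": "obs-3", "sensor_action": ["DENY"], "ttp": ["RUN_UNKNOWN_APP"]},
    ]
    state = {"jobs": {}, "polls": 0}

    def post(url: str, body: Doc) -> Doc:
        job_id = f"job-{len(state['jobs']) + 1}"
        state["jobs"][job_id] = body
        return {"job_id": job_id}

    def get(url: str, params: Dict[str, int]) -> Doc:
        state["polls"] += 1
        if state["polls"] == 1:  # first poll: job still running, no rows yet
            return {"results": [], "num_available": 0, "contacted": 47, "completed": 20}
        page = sample[params["start"]:params["start"] + params["rows"]]
        return {"results": page, "num_available": len(sample), "contacted": 47, "completed": 47}

    return post, get, state


def run_example() -> Doc:
    """Create a detail job for one alert, drain its results two rows at a time, and triage them."""
    post, get, state = make_fake_backend()
    client = DetailJobClient("https://defense.conferdeploy.net", "ABCD1234", post, get)
    job_id = client.create(build_detail_job_body(alert_id="038894832709076d63111e99466f73575fcf3ca"))
    results = client.fetch_all(job_id, page_size=2)
    return {"job_id": job_id, "polls": state["polls"], "fetched": len(results),
            "blocked": blocked_observations(results)}
```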
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully submitted detail_job | application/json | See example response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/detail_jobs
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"alert_id": "038894832709076d63111e99466f73575fcf3ca"
}
{
"job_id": "3a74e29f-5bad-4d0f-a489-f62a37f7b927"
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/detail_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"alert_id": "038894832709076d63111e99466f73575fcf3ca"
}'
{
"job_id": "3a74e29f-5bad-4d0f-a489-f62a37f7b927"
}
from cbc_sdk.platform import Observation
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile="example_profile")
obs_list = api.select(Observation).where("process_name:svchost.exe")
print(obs_list[0].get_details())
Observation object, bound to https://defense.conferdeploy.net.
Partially initialized. Use .refresh() to load all attributes
-------------------------------------------------------------------------------
backend_timestamp: 2023-05-31T18:27:23.735Z
childproc_cmdline: "C:\Windows\system32\devicecensus.exe" SystemCxt
childproc_cmdline_length: 48
childproc_effective_reputation: LOCAL_WHITE
childproc_effective_reputation_source: CERT
childproc_guid: ABCD1234-0119a4da-0000077c-00000000-1d993ed6b...
childproc_hash: [list:1 item]:
[0]: 72f8fe48ec36570ff9a65cf472624eb64a9e480904e9b9f...
childproc_name: c:\windows\system32\devicecensus.exe
childproc_pid: 1916
childproc_reputation: NOT_LISTED
device_external_ip: 10.10.10.10
device_group_id: 0
device_id: 18457818
device_installed_by: Administrator
device_internal_ip: 10.193.5.12
device_location: OFFSITE
device_name: notassess\体験win10
device_os: WINDOWS
device_os_version: Windows 10 x64
device_policy: standard
device_policy_id: 19888416
device_target_priority: MEDIUM
device_timestamp: 2023-05-31T18:26:30.425Z
document_guid: Sz8It3csQr-U6CylIgSz_A
enriched: True
enriched_event_type: CREATE_PROCESS
event_description: The application "share link hash="add683a6910...
event_id: aaba81c2ffe011ed992d5782cf8f8308
event_type: childproc
ingress_time: 1685557605981
legacy: True
observation_description: The application "share link hash="add683a6910...
observation_id: aaba81c2ffe011ed992d5782cf8f8308
observation_type: CONTEXTUAL_ACTIVITY
org_id: ABCD1234
parent_effective_reputation: LOCAL_WHITE
parent_effective_reputation_source: CERT
parent_guid: ABCD1234-0119a4da-000002e4-00000000-1d9835e27...
parent_hash: [list:1 item]:
[0]: e6fe9a94e8686e957dbcec2b89c1c1ddcf8e75d76e9200d...
parent_name: c:\windows\system32\services.exe
parent_pid: 740
parent_reputation: ADAPTIVE_WHITE_LIST
process_cmdline: [list:1 item]:
[0]: C:\Windows\system32\svchost.exe -k netsvcs -p -...
process_cmdline_length: [list:1 item]:
[0]: 57
process_effective_reputation: TRUSTED_WHITE_LIST
process_effective_reputation_source: CLOUD
process_guid: ABCD1234-0119a4da-000006cc-00000000-1d9835e29...
process_hash: [list:2 items]:
[0]: b7f884c1b74a263f746ee12a5f7c9f6a
[1]: add683a6910abbbf0e28b557fad0ba998166394932ae2ac...
process_name: c:\windows\system32\svchost.exe
process_pid: [list:1 item]:
[0]: 1740
process_reputation: TRUSTED_WHITE_LIST
process_sha256: add683a6910abbbf0e28b557fad0ba998166394932ae2ac...
process_start_time: 2023-05-10T16:40:42.569Z
process_username: [list:1 item]:
[0]: NT AUTHORITY\SYSTEM
ttp: [list:1 item]:
[0]: RUN_UNKNOWN_APP
Get Results
Retrieves the observations detail results for a given job ID.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/detail_jobs/{job_id}/results
Query Parameters
Parameter | Required | Type | Description |
---|---|---|---|
start | No | Integer | Starting rows of events, used for pagination |
rows | No | Integer | Number of events to get, used for pagination |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got results | application/json | See example response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/detail_jobs/3a74e29f-5bad-4d0f-a489-f62a37f7b927/results
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"results": [
{
"alert_category": [
"THREAT"
],
"alert_id": [
"224b4281-ccc5-faf2-47a2-e8b07621dfc3",
"5f071f02-4325-9bd0-2df4-5d430957b6da",
"a14fd205-916a-d11b-b9d9-c7cdad975cd5",
"fc6dfbf3-c264-3dba-6a06-1d009929308b"
],
"backend_timestamp": "2023-05-31T09:52:57.975Z",
"childproc_count": 0,
"crossproc_count": 158,
"device_external_ip": "10.10.10.10",
"device_group_id": 0,
"device_id": 6685063,
"device_installed_by": "suraj",
"device_internal_ip": "10.243.93.126",
"device_location": "UNKNOWN",
"device_name": "desktop-ua4omu0",
"device_os": "WINDOWS",
"device_os_version": "Windows 10 x64",
"device_policy": "default",
"device_policy_id": 6525,
"device_sensor_version": "3.9.0.2357",
"device_target_priority": "MEDIUM",
"device_timestamp": "2023-05-31T09:47:55.264Z",
"document_guid": "1JUvWe9RSX6jvio0IC0BMQ",
"enriched": true,
"enriched_event_type": [
"NETWORK"
],
"event_threat_score": [
0,
3
],
"filemod_count": 97,
"ingress_time": 1685526632142,
"legacy": true,
"modload_count": 47,
"netconn_count": 1244,
"observation_description": "The application share link hash=1d35014d937",
"observation_id": "f1af2716ffd811ed992d5782cf8f8308",
"observation_type": "CONTEXTUAL_ACTIVITY",
"org_id": "ABCD1234",
"parent_cmdline": "C:\\Windows\\system32\\services.exe",
"parent_cmdline_length": 32,
"parent_effective_reputation": "TRUSTED_WHITE_LIST",
"parent_effective_reputation_source": "APPROVED_DATABASE",
"parent_guid": "ABCD1234-00660187-00000264-00000000-1d9677f88c1cc0f",
"parent_hash": [
"d8e577bf078c45954f4531885478d5a9",
"dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674"
],
"parent_name": "c:\\windows\\system32\\services.exe",
"parent_pid": 612,
"parent_publisher": [
"Microsoft Windows Publisher"
],
"parent_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"parent_reputation": "TRUSTED_WHITE_LIST",
"process_cmdline": [
"C:\\Windows\\System32\\svchost.exe -k utcsvc -p"
],
"process_cmdline_length": [
44
],
"process_company_name": "Microsoft Corporation",
"process_effective_reputation": "TRUSTED_WHITE_LIST",
"process_effective_reputation_source": "CLOUD",
"process_elevated": true,
"process_file_description": "Host Process for Windows Services",
"process_guid": "ABCD1234-00660187-00000a28-00000000-1d9677f8cc708f0",
"process_hash": [
"add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"b7f884c1b74a263f746ee12a5f7c9f6a"
],
"process_integrity_level": "SYSTEM",
"process_internal_name": "svchost.exe",
"process_name": "c:\\windows\\system32\\svchost.exe",
"process_original_filename": "svchost.exe",
"process_pid": [
2600
],
"process_privileges": [
"SeChangeNotifyPrivilege",
"SeCreateGlobalPrivilege",
"SeDebugPrivilege",
"SeImpersonatePrivilege",
"SeSystemProfilePrivilege",
"SeTcbPrivilege"
],
"process_product_name": "Microsoft® Windows® Operating System",
"process_product_version": "10.0.19041.1806",
"process_publisher": [
"Microsoft Windows Publisher"
],
"process_publisher_state": [
"FILE_SIGNATURE_STATE_OS",
"FILE_SIGNATURE_STATE_SIGNED",
"FILE_SIGNATURE_STATE_TRUSTED",
"FILE_SIGNATURE_STATE_VERIFIED"
],
"process_reputation": "TRUSTED_WHITE_LIST",
"process_service_name": [
"diagtrack"
],
"process_sha256": "add683a6910abbbf0e28b557fad0ba998166394932ae2aca069d9aa19ea8fe88",
"process_start_time": "2023-04-05T05:29:10.450Z",
"process_username": [
"NT AUTHORITY\\SYSTEM"
],
"regmod_count": 1417,
"scriptload_count": 0,
"sensor_action": [
"BLOCK",
"DENY"
],
"ttp": [
"INTERNATIONAL_SITE",
"POLICY_DENY"
],
"watchlist_hit": [
"uB0MoTEMQNygtNX7iDlmmg:wclPcB3cQ3akRa6GnrrQzA:5"
]
}
],
"num_found": 1,
"num_available": 1,
"approximate_unaggregated": 13262,
"num_aggregated": 13262,
"contacted": 47,
"completed": 47
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/detail_jobs/3a74e29f-5bad-4d0f-a489-f62a37f7b927/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
Response: identical to the JSON response shown for the HTTP request above.
Python SDK: the get_details() example shown under Create Detail Job above applies here as well; it submits the detail job and returns its results.
Observation Facet Job
Start Facet Job
Creates an observations facet job. The results for the facet job may be requested using the job ID returned. This route will not request processes.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
POST {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs
Request Body - application/json
{
"criteria": "<object>",
"exclusions": "<object>",
"query": "<string>",
"ranges": [
{
"bucket_size": "<object>",
"end": "<object>",
"field": "<string>",
"start": "<object>"
}
],
"terms": {
"fields": [
"<string>"
],
"rows": <long>
},
"time_range": {
"end": "<string>",
"start": "<string>",
"window": "<string>"
}
}
Body Schema
Field | Definition | Data Type | Values |
---|---|---|---|
criteria | An object that represents values that must be in the results. Either query or criteria/exclusions must be included. | Object | |
exclusions | A map that represents values that must not be in the results. Either query or criteria/exclusions must be included. | Object | |
query | Query in Lucene syntax and/or including value searches. Either query or criteria/exclusions must be included. | String | N/A |
ranges | Allows grouping for properties that are ISO 8601 UTC timestamps or numbers. Bucket size for ISO 8601 UTC timestamps uses the Solr DateMathParser syntax. | Array | |
terms | The enriched event fields to facet and how many of the top entries to return. | Object | 100 |
time_range | Describes a time window to restrict the search, using device_timestamp as the reference. window takes priority over start and end if provided. | Object | window: "-2w", where y=year, w=week, d=day, h=hour, m=minute, s=second; start: ISO 8601 UTC timestamp; end: ISO 8601 UTC timestamp |
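The body rules in this table (query or criteria/exclusions required, window overriding start/end, the four range keys) together with a summariser for the facet results document returned by the results route, as an added example that is not SDK or project code. The results document is constructed to match the response shapes shown on this page; that each terms entry carries a "field" key and that the window sign is optional are assumptions.

```python
"""Facet-job body builder and facet-result summariser (added example; not SDK or project code)."""
import re
from typing import Any, Dict, List, Optional, Sequence

WINDOW_RE = re.compile(r"-?\d+[ywdhms]")  # "-2w" form from the table; assumes the sign is optional


def build_facet_job_body(*, query: Optional[str] = None, criteria: Optional[Dict[str, list]] = None,
                         exclusions: Optional[Dict[str, list]] = None,
                         terms_fields: Sequence[str] = (), terms_rows: int = 100,
                         ranges: Optional[List[Dict[str, Any]]] = None, window: Optional[str] = None,
                         start: Optional[str] = None, end: Optional[str] = None) -> Dict[str, Any]:
    """Build the body for POST .../observations/facet_jobs, enforcing the rules stated above."""
    if query is None and criteria is None and exclusions is None:
        raise ValueError("either query or criteria/exclusions must be included")
    body: Dict[str, Any] = {}
    for key, value in (("query", query), ("criteria", criteria), ("exclusions", exclusions)):
        if value is not None:
            body[key] = value
    if terms_fields:
        body["terms"] = {"fields": list(terms_fields), "rows": terms_rows}
    if ranges:
        for rng in ranges:  # every range needs the four documented keys
            missing = {"bucket_size", "end", "field", "start"} - set(rng)
            if missing:
                raise ValueError(f"range is missing {sorted(missing)}")
        body["ranges"] = list(ranges)
    if window is not None:
        if not WINDOW_RE.fullmatch(window):
            raise ValueError("window must look like -2w / -12h / -30m")
        body["time_range"] = {"window": window}  # window overrides start/end, so they are dropped
    elif start or end:
        body["time_range"] = {k: v for k, v in (("start", start), ("end", end)) if v}
    return body


def is_complete(doc: Dict[str, Any]) -> bool:
    """Facet counts are only final once every contacted shard has completed."""
    return doc.get("contacted", 0) > 0 and doc["completed"] == doc["contacted"]


def summarize_facets(doc: Dict[str, Any], top_n: int = 3) -> Dict[str, Any]:
    """Reduce a facet_jobs/{job_id}/results document to the peak bucket per range and the top terms."""
    summary: Dict[str, Any] = {"complete": is_complete(doc), "ranges": [], "terms": []}
    for rng in doc.get("ranges", []):
        buckets = rng.get("values", [])
        if not buckets:
            continue
        mean = sum(b["total"] for b in buckets) / len(buckets)
        peak = max(buckets, key=lambda b: b["total"])  # bucket with unusual volume
        summary["ranges"].append({
            "field": rng["field"], "bucket_size": rng["bucket_size"],
            "peak_bucket": peak["name"], "peak_total": peak["total"],
            "peak_vs_mean": round(peak["total"] / mean, 2) if mean else None,
        })
    for term in doc.get("terms", []):
        values = sorted(term.get("values", []), key=lambda v: v["total"], reverse=True)
        # Assumption: each terms entry carries a "field" key naming the faceted field.
        summary["terms"].append({"field": term.get("field"),
                                 "top": [(v["id"], v["total"]) for v in values[:top_n]]})
    return summary


# Constructed results document shaped like the facet results response on this page.
SAMPLE_FACET_RESULTS: Dict[str, Any] = {
    "ranges": [{
        "start": "2020-08-04T08:01:32.077Z", "end": "2020-08-05T08:01:32.077Z",
        "bucket_size": "+12HOUR", "field": "device_timestamp",
        "values": [{"total": 456, "name": "2020-08-04T08:01:32.077Z"},
                   {"total": 374, "name": "2020-08-04T20:01:32.077Z"}],
    }],
    "terms": [{"field": "process_username",
               "values": [{"total": 180, "id": "NT AUTHORITY\\LOCAL SERVICE"},
                          {"total": 600, "id": "NT AUTHORITY\\SYSTEM"},
                          {"total": 50, "id": "CORP\\jdoe"}]}],
    "num_found": 830, "contacted": 8, "completed": 8,
}


def run_example() -> Dict[str, Any]:
    """Build the request from this page's facet example and summarise the constructed results."""
    body = build_facet_job_body(query="process_name:svchost.exe", criteria={"device_name": ["Win7x64"]},
                                terms_fields=["process_username"], window="-2w",
                                start="2020-08-04T08:01:32.077Z")
    return {"body": body, "summary": summarize_facets(SAMPLE_FACET_RESULTS)}
```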
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully submitted facet_job | application/json | See example response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
POST https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/facet_jobs
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"
{
"criteria": {
"device_name": ["Win7x64"]
},
"query": "process_name:svchost.exe",
"ranges": [
{
"bucket_size": "+12HOUR",
"end": "2020-08-05T08:01:32.077Z",
"field": "device_timestamp",
"start": "2020-08-04T08:01:32.077Z"
}
],
"terms": {
"fields": [
"process_username"
],
"rows": 100
},
"time_range": {
"end": "2020-08-05T08:01:32.077Z",
"start": "2020-08-04T08:01:32.077Z"
}
}
{
"job_id": "505bf994-a335-426e-bd8c-b2e388f977f2"
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/facet_jobs \
-X POST \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456' \
-H 'Content-Type: application/json' \
-d '{
"criteria": {
"device_name": [
"Win7x64"
]
},
"query": "process_name:svchost.exe",
"ranges": [
{
"bucket_size": "+12HOUR",
"end": "2020-08-05T08:01:32.077Z",
"field": "device_timestamp",
"start": "2020-08-04T08:01:32.077Z"
}
],
"terms": {
"fields": [
"process_username"
],
"rows": 100
},
"time_range": {
"end": "2020-08-05T08:01:32.077Z",
"start": "2020-08-04T08:01:32.077Z"
}
}'
{
"job_id": "505bf994-a335-426e-bd8c-b2e388f977f2"
}
from cbc_sdk.platform import ObservationFacet
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile="example_profile")
# Build a facet query for observations matching the query and facet on process_name
observations = api.select(ObservationFacet).where(process_name="chrome.exe").add_facet_field("process_name")
# .results submits the facet job, waits for it to finish and returns the facet response
print(observations.results)
ObservationFacet object, bound to https://defense.conferdeploy.net.
-------------------------------------------------------------------------------
completed: 8
contacted: 8
job_id: 6f8899e6-d1b4-47a5-9b32-2712c89f4569
num_found: 186
ranges: [list:0 items]
terms: [list:1 item]:
[0]: {'values': [{'total': 186, 'id': 'c:\\program f...
Get Facet Results
Retrieves the observations facet results for a given job ID.
API Permissions Required
Identity Manager | Permission (.notation name) | Operation(s) | Environment |
---|---|---|---|
Carbon Black Cloud | org.search.events | READ, CREATE | Majority of environments |
VMware Cloud Services Platform | _API.Search:org.Events.READ, _API.Search:org.Events.CREATE | N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Request
GET {cbc-hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs/{job_id}/results
Query Parameters
Parameter | Required | Description |
---|---|---|
limit | No | Maximum number of facet values returned per category (i.e. per field listed in terms.fields; any Process Search Field is accepted) |
Response Codes
Code | Description | Content-Type | Content |
---|---|---|---|
200 | Successfully got observations facets | application/json | See example response below |
400 | Bad Request | application/json | |
403 | Forbidden | application/json | |
429 | Too Many Requests | application/json | |
500 | Server Error | application/json | |
Examples
GET https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/facet_jobs/505bf994-a335-426e-bd8c-b2e388f977f2/results
X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
{
"ranges": [
{
"start": "2020-08-04T08:01:32.077Z",
"end": "2020-08-05T08:01:32.077Z",
"bucket_size": "+1HOUR",
"field": "device_timestamp",
"values": [
{
"total": 456,
"name": "2020-08-04T08:01:32.077Z"
},
{
"total": 374,
"name": "2020-08-04T20:01:32.077Z"
}
]
}
],
"terms": [
{
"values": [
{
"total": 414,
"id": "NT AUTHORITY\\SYSTEM",
"name": "NT AUTHORITY\\SYSTEM"
},
{
"total": 323,
"id": "NT AUTHORITY\\NETWORK SERVICE",
"name": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"total": 71,
"id": "NT AUTHORITY\\LOCAL SERVICE",
"name": "NT AUTHORITY\\LOCAL SERVICE"
}
],
"field": "process_username"
}
],
"num_found": 808,
"contacted": 6,
"completed": 6
}
curl https://defense.conferdeploy.net/api/investigate/v2/orgs/ABCD1234/observations/facet_jobs/505bf994-a335-426e-bd8c-b2e388f977f2/results \
-X GET \
-H 'X-AUTH-TOKEN: ABCDEFGHIJKLMNO123456789/ABCD123456'
{
"ranges": [
{
"start": "2020-08-04T08:01:32.077Z",
"end": "2020-08-05T08:01:32.077Z",
"bucket_size": "+1HOUR",
"field": "device_timestamp",
"values": [
{
"total": 456,
"name": "2020-08-04T08:01:32.077Z"
},
{
"total": 374,
"name": "2020-08-04T20:01:32.077Z"
}
]
}
],
"terms": [
{
"values": [
{
"total": 414,
"id": "NT AUTHORITY\\SYSTEM",
"name": "NT AUTHORITY\\SYSTEM"
},
{
"total": 323,
"id": "NT AUTHORITY\\NETWORK SERVICE",
"name": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"total": 71,
"id": "NT AUTHORITY\\LOCAL SERVICE",
"name": "NT AUTHORITY\\LOCAL SERVICE"
}
],
"field": "process_username"
}
],
"num_found": 808,
"contacted": 6,
"completed": 6
}
from cbc_sdk.platform import ObservationFacet
from cbc_sdk import CBCloudAPI
# For more information on credential handling in the SDK, see https://carbon-black-cloud-python-sdk.readthedocs.io/en/latest/authentication/
api = CBCloudAPI(profile="example_profile")
# Build a facet query for observations matching the query and facet on process_name
observations = api.select(ObservationFacet).where(process_name="chrome.exe").add_facet_field("process_name")
# .results submits the facet job, waits for it to finish and returns the facet response
print(observations.results)
ObservationFacet object, bound to https://defense.conferdeploy.net.
-------------------------------------------------------------------------------
completed: 8
contacted: 8
job_id: 6f8899e6-d1b4-47a5-9b32-2712c89f4569
num_found: 186
ranges: [list:0 items]
terms: [list:1 item]:
[0]: {'values': [{'total': 186, 'id': 'c:\\program f...
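The two calls documented above (submit a facet job, then fetch its results) are normally used together: the results document carries `contacted` and `completed` counts, and the counts in `terms` and `ranges` should only be trusted once those two are equal. The following is an added example, not code from the page or from the Carbon Black Cloud Python SDK. It builds the request body with the same `time_range` rules the parameter table gives (a relative `window` such as `-2w`, or explicit `start` and `end`), submits the job with the raw REST endpoints, polls until the job is complete, and turns the `process_username` facet into per-user shares, which is what an analyst actually looks at when hunting for unusual accounts running a process. The `FacetClient`, `build_facet_job`, `summarize` and `fake_transport` names, the `PLACEHOLDER_TOKEN` value, the window regular expression and the "unequal `contacted`/`completed` means still running" rule are all assumptions of this example; the sample results document is constructed to match the example response above and is not captured output.

```python
import json
import re
import time
import urllib.request

# Constructed sample, shaped like the results document shown above (not captured output).
SAMPLE_RESULTS = {
    "ranges": [{"start": "2020-08-04T08:01:32.077Z", "end": "2020-08-05T08:01:32.077Z",
                "bucket_size": "+12HOUR", "field": "device_timestamp",
                "values": [{"total": 456, "name": "2020-08-04T08:01:32.077Z"},
                           {"total": 374, "name": "2020-08-04T20:01:32.077Z"}]}],
    "terms": [{"field": "process_username",
               "values": [{"total": 414, "id": "NT AUTHORITY\\SYSTEM", "name": "NT AUTHORITY\\SYSTEM"},
                          {"total": 323, "id": "NT AUTHORITY\\NETWORK SERVICE", "name": "NT AUTHORITY\\NETWORK SERVICE"},
                          {"total": 71, "id": "NT AUTHORITY\\LOCAL SERVICE", "name": "NT AUTHORITY\\LOCAL SERVICE"}]}],
    "num_found": 808, "contacted": 6, "completed": 6,
}

# Assumed shape of the relative window from the parameter table: "-2w", unit y/w/d/h/m/s.
WINDOW_RE = re.compile(r"^-\d+[ywdhms]$")


def build_facet_job(query, fields, window=None, start=None, end=None,
                    rows=100, bucket_size=None, criteria=None):
    """Build a facet_jobs request body; time_range is either a window or start+end."""
    if window is not None:
        if start or end:
            raise ValueError("use either window or start/end, not both")
        if not WINDOW_RE.match(window):
            raise ValueError(f"bad window {window!r}; expected e.g. '-2w'")
        time_range = {"window": window}
    elif start and end:
        time_range = {"start": start, "end": end}
    else:
        raise ValueError("time_range needs a window or both start and end")
    body = {"query": query, "terms": {"fields": list(fields), "rows": rows}, "time_range": time_range}
    if criteria:
        body["criteria"] = criteria
    if bucket_size:  # a histogram range needs explicit bounds to bucket against
        if not (start and end):
            raise ValueError("ranges need explicit start and end")
        body["ranges"] = [{"field": "device_timestamp", "bucket_size": bucket_size,
                           "start": start, "end": end}]
    return body


def summarize(results):
    """Reduce a results document to per-field (name, total, share) rows plus a completeness flag."""
    complete = results["contacted"] == results["completed"]  # assumption: unequal means still running
    terms = {}
    for term in results.get("terms", []):
        field_total = sum(v["total"] for v in term["values"])
        terms[term["field"]] = [
            (v["name"], v["total"], round(v["total"] / field_total, 3) if field_total else 0.0)
            for v in term["values"]]
    ranges = {r["field"]: [(v["name"], v["total"]) for v in r["values"]]
              for r in results.get("ranges", [])}
    return {"complete": complete, "num_found": results["num_found"], "terms": terms, "ranges": ranges}


class FacetClient:
    """Minimal client for the two endpoints above; the transport is injectable for offline use."""

    def __init__(self, cbc_hostname, org_key, api_token, transport=None):
        self.base = f"{cbc_hostname}/api/investigate/v2/orgs/{org_key}/observations/facet_jobs"
        self.headers = {"X-AUTH-TOKEN": api_token, "Content-Type": "application/json"}
        self._send = transport or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def submit(self, body):
        return self._send("POST", self.base, body)["job_id"]

    def results(self, job_id, limit=None):
        url = f"{self.base}/{job_id}/results" + (f"?limit={int(limit)}" if limit else "")
        return self._send("GET", url, None)

    def wait_for_results(self, job_id, limit=None, attempts=10, delay=1.0):
        """Poll until contacted == completed so partial counts are not mistaken for final ones."""
        for _ in range(attempts):
            res = self.results(job_id, limit)
            if res["contacted"] == res["completed"]:
                return res
            time.sleep(delay)
        raise TimeoutError(f"facet job {job_id} still incomplete after {attempts} polls")


def fake_transport(method, url, body):
    """Constructed stand-in for the API so the example runs offline: a job_id, then the sample."""
    if method == "POST":
        return {"job_id": "505bf994-a335-426e-bd8c-b2e388f977f2"}
    return SAMPLE_RESULTS


def demo():
    client = FacetClient("https://defense.conferdeploy.net", "ABCD1234", "PLACEHOLDER_TOKEN",
                         transport=fake_transport)
    body = build_facet_job("process_name:svchost.exe", ["process_username"],
                           start="2020-08-04T08:01:32.077Z", end="2020-08-05T08:01:32.077Z",
                           bucket_size="+12HOUR", criteria={"device_name": ["Win7x64"]})
    return summarize(client.wait_for_results(client.submit(body), limit=100))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Drop the `transport` argument to send real requests; the token is passed in the `X-AUTH-TOKEN` header exactly as in the curl examples and should come from a secrets store rather than source. Keeping `wait_for_results` bounded by `attempts` matters in automation: a 429 or a slow job should surface as an error, not as a silently truncated facet.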
Last modified on November 17, 2023