
Cb Defense REST API Reference

API Basics

The Cb Defense API is accessible through a special hostname assigned to your organization. To find your organization’s API hostname, please refer to this KB article. Once you receive the API hostname, the following API routes are accessible through the integrationServices path on your API host.

Authentication is handled by an API key and Connector ID, which is generated from the Connectors page of the Cb Defense console. The API key and Connector ID are concatenated together to form the X-Auth-Token HTTP header, which is used to control access to the Cb Defense API. For more information on generating the API token and the HTTP header, see the Cb Defense API authentication reference.

For example, to use the “Device” endpoint assuming that your API hostname is api.confer.net, you would use the following curl command:

$ curl -H X-Auth-Token:ABCD/1234 \
https://api.confer.net/integrationServices/v3/device

Pagination

Most APIs are paginated so that large result sets can be returned to your API client in chunks. Every paginated API uses the same standard request and response template.

When using a paginated API, the request accepts two optional query parameters: start and rows. The start query parameter indicates the first row number that the API client expects from the result, and rows indicates the maximum number of rows that the API client expects in the response. Note that the maximum value of the rows parameter can be capped on the Cb Defense server side. The start value is one-indexed. To retrieve the first 10 results of a result set, use start=1&rows=10.

The response payload also includes a totalResults value that indicates the total number of objects that matched the query.

Response Codes

  • HTTP 200: Successful response
  • HTTP 400: Bad request. Check the messages response for more information on errors encountered parsing the incoming payload.
  • HTTP 401: Unauthorized. Double check the X-Auth-Token authentication HTTP header to make sure that the Connector ID and API key are valid.
  • HTTP 404: Object not found. The requested object could not be found in the backend data store or it may have expired (over 30 days old, etc.)
  • HTTP 429: Rate limiting encountered. Try again in a minute.
  • HTTP 500: Internal server error. Check the messages response for more information.
  • In addition, each message returns a boolean success indicator that indicates whether the operation was successful. The response contents should be further examined or processed only if the success indicator is true.

Devices

The Devices API allows consumers to query enrollment data to view the status and details of devices in their organization. Only API keys of type “API” can call the Devices API.

Bulk Sensor Data Retrieval

GET /integrationServices/v3/device/all?fileFormat=<option>

This single request retrieves the details of all Cb Defense sensors in either CSV or JSON format. Even with this call there is currently a limit of 100k records. Without it, the API enforces a hard limit of 5k rows per call even when the pagination parameters are used, and at most 15k records can be returned.

This request has one mandatory parameter:

  • fileFormat: This can be set to ‘csv’ or ‘json’ for the corresponding format type.

Example Request & Response:

  • Request (application/json)

    $ curl -H X-Auth-Token:<apikey>/<connectorid> https://api.conferdeploy.net/integrationServices/v3/device/all?fileFormat=json
    
  • Response 200 (application/json)

    {
      "latestTime" : 0,
      "success" : true,
      "message" : "Success",
      "totalResults" : 8,
      "elapsed" : 0,
      "results" : [ {
        "emailAddress" : "bs@carbonblack.com",
        "quarantined" : null,
        "policyName" : "default",
        "deregistered" : "deregistered",
        "wrapperAsCsvString" : "BSTURK-WIN7-X86,bs@carbonblack.com,default,WINDOWS,2.0.1.8,null,20170313,114037,deregistered,20170313,null,null,null,null",
        "deviceName" : "BSTURK-WIN7-X86",
        "sensorVersion" : "2.0.1.8",
        "deregisteredDate" : "20170313",
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20170313",
        "lastCheckInTime" : "114037"
      }, {
        "emailAddress" : "MarketingVP2-PC\\MarketingVP2",
        "quarantined" : null,
        "policyName" : "Restrictive_Windows_Workstation",
        "deregistered" : null,
        "wrapperAsCsvString" : "MarketingVP2-PC,MarketingVP2-PC\\MarketingVP2,Restrictive_Windows_Workstation,WINDOWS,2.0.1.6,null,20161206,221058,null,null,null,null,null,null",
        "deviceName" : "MarketingVP2-PC",
        "sensorVersion" : "2.0.1.6",
        "deregisteredDate" : null,
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20161206",
        "lastCheckInTime" : "221058"
      }, {
        "emailAddress" : "MarketingVP2-PC\\MarketingVP2",
        "quarantined" : null,
        "policyName" : "Restrictive_Windows_Workstation",
        "deregistered" : "deregistered",
        "wrapperAsCsvString" : "MarketingVP2-PC,MarketingVP2-PC\\MarketingVP2,Restrictive_Windows_Workstation,WINDOWS,null,null,20161205,205658,deregistered,20161205,null,null,null,null",
        "deviceName" : "MarketingVP2-PC",
        "sensorVersion" : null,
        "deregisteredDate" : "20161205",
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20161205",
        "lastCheckInTime" : "205658"
      }, {
        "emailAddress" : "em@carbonblack.com",
        "quarantined" : null,
        "policyName" : "Restrictive_Windows_Workstation",
        "deregistered" : null,
        "wrapperAsCsvString" : "WIN-1PU82PIDOO6,em@carbonblack.com,Restrictive_Windows_Workstation,WINDOWS,2.0.1.2,out_of_date,20170627,162925,null,null,null,null,null,null",
        "deviceName" : "WIN-1PU82PIDOO6",
        "sensorVersion" : "2.0.1.2",
        "deregisteredDate" : null,
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : "out_of_date",
        "lastCheckInDate" : "20170627",
        "lastCheckInTime" : "162925"
      }, {
        "emailAddress" : "WIN-4G298B12C5D\\Trusting Tom",
        "quarantined" : null,
        "policyName" : "default",
        "deregistered" : "deregistered",
        "wrapperAsCsvString" : "WIN-4G298B12C5D,WIN-4G298B12C5D\\Trusting Tom,default,WINDOWS,2.0.4.9,null,20170630,172520,deregistered,20170714,null,null,null,null",
        "deviceName" : "WIN-4G298B12C5D",
        "sensorVersion" : "2.0.4.9",
        "deregisteredDate" : "20170714",
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20170630",
        "lastCheckInTime" : "172520"
      }, {
        "emailAddress" : "WIN-4G298B12C5D\\Trusting Tom",
        "quarantined" : null,
        "policyName" : "Live Response Enabled",
        "deregistered" : null,
        "wrapperAsCsvString" : "WIN-4G298B12C5D,WIN-4G298B12C5D\\Trusting Tom,Live Response Enabled,WINDOWS,3.0.0.28,null,20170714,181814,null,null,null,null,null,null",
        "deviceName" : "WIN-4G298B12C5D",
        "sensorVersion" : "3.0.0.28",
        "deregisteredDate" : null,
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20170714",
        "lastCheckInTime" : "181814"
      }, {
        "emailAddress" : "sq@carbonblack.com",
        "quarantined" : null,
        "policyName" : "SE Demo",
        "deregistered" : "deregistered",
        "wrapperAsCsvString" : "WIN-559J1NQVFGJ,sq@carbonblack.com,SE Demo,WINDOWS,null,null,20171012,161758,deregistered,20171012,null,null,null,null",
        "deviceName" : "WIN-559J1NQVFGJ",
        "sensorVersion" : null,
        "deregisteredDate" : "20171012",
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20171012",
        "lastCheckInTime" : "161758"
      }, {
        "emailAddress" : "EDTESTING\\Trusting Tom",
        "quarantined" : null,
        "policyName" : "Live Response Enabled",
        "deregistered" : null,
        "wrapperAsCsvString" : "EDTESTING,EDTESTING\\Trusting Tom,Live Response Enabled,WINDOWS,3.0.2.2,null,20180117,133018,null,null,null,null,null,null",
        "deviceName" : "EDTESTING",
        "sensorVersion" : "3.0.2.2",
        "deregisteredDate" : null,
        "bypassed" : null,
        "quarantinedDate" : null,
        "bypassedDate" : null,
        "os" : "WINDOWS",
        "outofDate" : null,
        "lastCheckInDate" : "20180117",
        "lastCheckInTime" : "133018"
      } ]
    }
    

Device Status

GET /integrationServices/v3/device

Get the status of all devices. The response is in JSON format.

Optionally, you can include query parameters to filter the results. Combining query parameters is an implicit “AND”. So, for example, querying for ipAddress=1.2.3.4 and hostName=ABCD returns only devices that match both the IP address and the hostname.

  • hostName: filter on hostnames using a case-insensitive token search. Cb Defense splits hostnames into parts, or “tokens”, at hyphens. For example, the hostname WIN-IA9NQ1GN8OI is parsed into two tokens: WIN and IA9NQ1GN8OI. Searching for hostName=IA9NQ1GN8OI and for hostName=win will both match the hostname WIN-IA9NQ1GN8OI.
  • hostNameExact: filter on the exact hostname. For example, hostNameExact=WIN-IA9NQ1GN8OI returns only devices with the exact hostname WIN-IA9NQ1GN8OI, not a host named win-IA9NQ1GN8OI.
  • ownerName: filter on owner name, case-insensitively.
  • ownerNameExact: same as ownerName, but case-sensitive.
  • ipAddress: filter on devices with the given external or internal IP address.
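Putting the pagination rules, the response-code handling and the device filters together, here is an added Python client helper (not code from the Cb Defense reference or from Carbon Black). It assumes the api.confer.net hostname used in the page's examples, that /device honours the start and rows parameters described under Pagination, and a constructed in-memory stand-in for the API so it runs offline:

```python
import time
import urllib.parse

# Hostname taken from the page's own examples; substitute your organization's API host.
BASE = "https://api.confer.net/integrationServices/v3"


def build_device_query(start=1, rows=100, host_name=None, host_name_exact=None,
                       owner_name=None, owner_name_exact=None, ip_address=None):
    """Build a /device URL. Every filter supplied is combined by the server with an
    implicit AND; start is 1-indexed and rows is the page size (the server may cap it)."""
    params = {"start": start, "rows": rows}
    for key, value in (("hostName", host_name), ("hostNameExact", host_name_exact),
                       ("ownerName", owner_name), ("ownerNameExact", owner_name_exact),
                       ("ipAddress", ip_address)):
        if value is not None:
            params[key] = value
    return f"{BASE}/device?" + urllib.parse.urlencode(params)


def fetch_all(fetch, url_for_page, rows=100, max_retries=5, backoff_seconds=60):
    """Walk a paginated endpoint and return every result.

    `fetch(url)` must return (http_status, parsed_json_body); `url_for_page(start, rows)`
    builds the URL for one page. Handles the response codes the reference lists:
    retry on 429, fail loudly on 401 and other non-200 codes, and trust `results`
    only when the `success` indicator is true."""
    results, start, retries = [], 1, 0
    while True:
        status, body = fetch(url_for_page(start, rows))
        if status == 429:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"still rate limited after {max_retries} retries")
            time.sleep(backoff_seconds)   # the reference says to try again in a minute
            continue
        if status == 401:
            raise PermissionError("X-Auth-Token rejected: check Connector ID and API key")
        if status != 200:
            raise RuntimeError(f"HTTP {status}: {body.get('message')}")
        if not body.get("success"):
            raise RuntimeError(f"API reported failure: {body.get('message')}")
        page = body.get("results", [])
        results.extend(page)
        total = body.get("totalResults", 0)
        # Stop when a page is empty or the next start would be past totalResults.
        if not page or start + len(page) > total:
            return results
        start += len(page)


def make_fake_fetch(devices, first_call_rate_limited=True):
    """Constructed stand-in for the API so the example runs offline: serves `devices`
    in start/rows slices and, optionally, answers the first call with HTTP 429."""
    calls = {"n": 0}

    def fake_fetch(url):
        calls["n"] += 1
        if first_call_rate_limited and calls["n"] == 1:
            return 429, {"success": False, "message": "Rate limit exceeded"}
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        start, rows = int(query["start"][0]), int(query["rows"][0])
        page = devices[start - 1:start - 1 + rows]      # start is 1-indexed
        return 200, {"success": True, "message": "Success",
                     "totalResults": len(devices), "elapsed": 0, "results": page}

    return fake_fetch


# Constructed inventory: seven devices shaped like the reference's /device results.
SAMPLE_DEVICES = [{"deviceId": 218600 + i, "name": f"WIN-HOST{i}", "status": "REGISTERED"}
                  for i in range(7)]


def collect_devices(fetch, rows=3, **filters):
    """Page through /device `rows` at a time with the given filters (no real back-off
    delay, so the offline run finishes immediately)."""
    return fetch_all(fetch,
                     lambda start, n: build_device_query(start=start, rows=n, **filters),
                     rows=rows, backoff_seconds=0)


if __name__ == "__main__":
    found = collect_devices(make_fake_fetch(SAMPLE_DEVICES), rows=3, host_name="win")
    print(f"{len(found)} devices retrieved across pages")
```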

Example Request & Response:

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/device
    
  • Response 200 (application/json)

    {
      "latestTime" : 0,
      "success" : true,
      "message" : "Success",
      "totalResults" : 10,
      "elapsed" : 2,
      "results" : [ {
        "createTime" : null,
        "lastReportedTime" : 1490119807460,
        "deviceId" : 218616,
        "email" : "Administrator",
        "deviceType" : "WINDOWS",
        "targetPriorityType" : "HIGH",
        "organizationId" : 423,
        "avUpdateServers" : null,
        "avMaster" : false,
        "lastContact" : 1490128179664,
        "lastInternalIpAddress" : null,
        "lastExternalIpAddress" : "1.2.3.4",
        "lastLocation" : "OFFSITE",
        "quarantined" : false,
        "rootedBySensor" : false,
        "rootedBySensorTime" : null,
        "rootedByAnalytics" : false,
        "rootedByAnalyticsTime" : null,
        "firstVirusActivityTime" : 0,
        "lastVirusActivityTime" : 0,
        "organizationName" : "orgname.com",
        "osVersion" : "Server 2012 R2 x64 ",
        "sensorVersion" : "1.0.6.301",
        "deviceGuid" : null,
        "deviceOwnerId" : 58306,
        "deviceSessionId" : null,
        "assignedToId" : null,
        "assignedToName" : null,
        "messages" : null,
        "windowsPlatform" : null,
        "deregisteredTime" : null,
        "uninstalledTime" : null,
        "registeredTime" : 1489172152964,
        "firstName" : null,
        "lastName" : null,
        "middleName" : null,
        "policyName" : "Restrictive_Windows_Workstation",
        "policyId" : 2145,
        "activationCode" : null,
        "activationCodeExpiryTime" : 1489776952672,
        "lastShutdownTime" : 0,
        "lastResetTime" : 0,
        "sensorStates" : [ "ACTIVE" ],
        "vdiBaseDevice" : null,
        "passiveMode" : false,
        "testId" : -1,
        "scanStatus" : null,
        "scanLastActionTime" : 0,
        "scanLastCompleteTime" : 0,
        "linuxKernelVersion" : null,
        "avEngine" : "",
        "avStatus" : [ "AV_NOT_REGISTERED" ],
        "avLastScanTime" : 0,
        "name" : "WIN-EK5MJ5DQC3Q",
        "status" : "REGISTERED"
      }, 
    ...
    }
    

Get Status of Individual Device

GET /integrationServices/v3/device/{id}

Retrieve details for an individual device given the device ID (deviceId).

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/device/218616
    
  • Response 200 (application/json)

    {"deviceInfo": {
        "createTime" : null,
        "lastReportedTime" : 1490119807460,
        "deviceId" : 218616,
        "email" : "Administrator",
        "deviceType" : "WINDOWS",
        "targetPriorityType" : "HIGH",
        "organizationId" : 423,
        "avUpdateServers" : null,
        "avMaster" : false,
        "lastContact" : 1490128179664,
        "lastInternalIpAddress" : null,
        "lastExternalIpAddress" : "1.2.3.4",
        "lastLocation" : "OFFSITE",
        "quarantined" : false,
        "rootedBySensor" : false,
        "rootedBySensorTime" : null,
        "rootedByAnalytics" : false,
        "rootedByAnalyticsTime" : null,
        "firstVirusActivityTime" : 0,
        "lastVirusActivityTime" : 0,
        "organizationName" : "orgname.com",
        "osVersion" : "Server 2012 R2 x64 ",
        "sensorVersion" : "1.0.6.301",
        "deviceGuid" : null,
        "deviceOwnerId" : 58306,
        "deviceSessionId" : null,
        "assignedToId" : null,
        "assignedToName" : null,
        "messages" : null,
        "windowsPlatform" : null,
        "deregisteredTime" : null,
        "uninstalledTime" : null,
        "registeredTime" : 1489172152964,
        "firstName" : null,
        "lastName" : null,
        "middleName" : null,
        "policyName" : "Restrictive_Windows_Workstation",
        "policyId" : 2145,
        "activationCode" : null,
        "activationCodeExpiryTime" : 1489776952672,
        "lastShutdownTime" : 0,
        "lastResetTime" : 0,
        "sensorStates" : [ "ACTIVE" ],
        "vdiBaseDevice" : null,
        "passiveMode" : false,
        "testId" : -1,
        "scanStatus" : null,
        "scanLastActionTime" : 0,
        "scanLastCompleteTime" : 0,
        "linuxKernelVersion" : null,
        "avEngine" : "",
        "avStatus" : [ "AV_NOT_REGISTERED" ],
        "avLastScanTime" : 0,
        "name" : "WIN-EK5MJ5DQC3Q",
        "status" : "REGISTERED",
      }
    }
    

Change Status of an Individual Device

PATCH /integrationServices/v3/device/{id}

Change status of an individual device by its device ID (deviceId). The current revision of the Cb Defense backend only allows one element to be changed with this call: the security policy assigned to the device.

The requested security policy can be indicated either as a policy ID (policyId) or policy name (policyName).

  • Request (application/json)

    $ curl -X PATCH -H Content-Type:application/json \
    -H X-Auth-Token:ABCD/1234 \
    -d '{"policyName": "Restrictive_Windows_Workstation"}' \
    https://api.confer.net/integrationServices/v3/device/4211
    
  • Response 200

     
    {
      "deviceInfo" : {
        "avUpdateServers" : null,
        "avMaster" : false,
        "lastReportedTime" : 1497383068962,
        "lastContact" : 1497387645372,
        "lastInternalIpAddress" : "192.168.215.150",
        "lastExternalIpAddress" : "1.2.3.4",
        "lastLocation" : "OFFSITE",
        "quarantined" : false,
        "rootedBySensor" : false,
        "rootedBySensorTime" : null,
        "rootedByAnalytics" : false,
        "rootedByAnalyticsTime" : null,
        "firstVirusActivityTime" : 0,
        "lastVirusActivityTime" : 0,
        "organizationName" : "orgname.org",
        "osVersion" : "Windows 8 x64",
        "deviceType" : "WINDOWS",
        "sensorVersion" : "2.0.4.9",
        "email" : "jgarman@carbonblack.com",
        "deviceGuid" : null,
        "deviceOwnerId" : 70668,
        "deviceSessionId" : null,
        "assignedToId" : null,
        "assignedToName" : null,
        "messages" : null,
        "createTime" : null,
        "deviceId" : 4211,
        "targetPriorityType" : "LOW",
        "organizationId" : 428,
        "windowsPlatform" : null,
        "registeredTime" : 1493752696879,
        "firstName" : "Jason",
        "lastName" : "Garman",
        "middleName" : "",
        "activationCode" : "xxxxx",
        "lastShutdownTime" : 0,
        "lastResetTime" : 0,
        "sensorStates" : [ "ACTIVE" ],
        "vdiBaseDevice" : null,
        "passiveMode" : false,
        "testId" : -1,
        "scanStatus" : null,
        "scanLastActionTime" : 0,
        "scanLastCompleteTime" : 0,
        "linuxKernelVersion" : null,
        "avEngine" : "4.5.2.234-ave.8.3.44.86:avpack.8.4.2.64:vdf.8.14.11.240",
        "avStatus" : [ "AV_ACTIVE", "ONDEMAND_SCAN_DISABLED" ],
        "avLastScanTime" : 0,
        "sensorOutOfDate" : false,
        "name" : "WIN-IA9NQ1GN8OI",
        "status" : "REGISTERED",
        "id" : -1,
        "updateVersion" : 1322,
        "policyId" : 2202,
        "policyName" : "Restrictive_Windows_Workstation",
        "uninstalledTime" : null
      },
      "success" : true,
      "message" : "Success"
    }
    

Audit Log Events

Retrieves all new audit log notifications matching the input search criteria. Response is a list of events in JSON format, sorted by time in ascending order (oldest notification first). Once a notification is viewed/ingested, it is cleared and will not be included in future responses to this API request.

GET /integrationServices/v3/auditlogs

The response will include various types of notifications such as:

  • Log in attempts by users
  • Updates to connectors
  • Creation of connectors
  • LiveResponse events

Example Request & Response:

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    "https://api.confer.net/integrationServices/v3/auditlogs"
    
  • Response 200 (application/json)

    {
        "notifications": [
            {
                "requestUrl": null,
                "eventTime": 1529332687006,
                "eventId": "37075c01730511e89504c9ba022c3fbf",
                "loginName": "bs@carbonblack.com",
                "orgName": "example.org",
                "flagged": false,
                "clientIp": "192.0.2.3",
                "verbose": false,
                "description": "Logged in successfully"
            },
            {
                "requestUrl": null,
                "eventTime": 1529332689528,
                "eventId": "38882fa2730511e89504c9ba022c3fbf",
                "loginName": "bs@carbonblack.com",
                "orgName": "example.org",
                "flagged": false,
                "clientIp": "192.0.2.3",
                "verbose": false,
                "description": "Logged in successfully"
            },
            {
                "requestUrl": null,
                "eventTime": 1529345346615,
                "eventId": "b0be64fd732211e89504c9ba022c3fbf",
                "loginName": "bs@carbonblack.com",
                "orgName": "example.org",
                "flagged": false,
                "clientIp": "192.0.2.1",
                "verbose": false,
                "description": "Updated connector jason-splunk-test with api key Y8JNJZFBDRUJ2ZSM"
            },
            {
                "requestUrl": null,
                "eventTime": 1529345352229,
                "eventId": "b41705e7732211e8bd7e5fdbf9c916a3",
                "loginName": "bs@carbonblack.com",
                "orgName": "example.org",
                "flagged": false,
                "clientIp": "192.0.2.2",
                "verbose": false,
                "description": "Updated connector Training with api key GRJSDHRR8YVRML3Q"
            },
            {
                "requestUrl": null,
                "eventTime": 1529345371514,
                "eventId": "bf95ae38732211e8bd7e5fdbf9c916a3",
                "loginName": "bs@carbonblack.com",
                "orgName": "example.org",
                "flagged": false,
                "clientIp": "192.0.2.2",
                "verbose": false,
                "description": "Logged in successfully"
            }
        ],
        "success": true,
        "message": "Success"
    }
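As an added example (not part of the reference), a consumer that respects the clear-on-read behaviour described above and runs a first triage over the notifications; the sample data is constructed from the response shown, and the known_ips baseline is an assumption:

```python
import json
import re
from collections import Counter

# Constructed sample with the same shape and values as the page's /auditlogs response.
SAMPLE_RESPONSE = {
    "notifications": [
        {"requestUrl": None, "eventTime": 1529332687006,
         "eventId": "37075c01730511e89504c9ba022c3fbf", "loginName": "bs@carbonblack.com",
         "orgName": "example.org", "flagged": False, "clientIp": "192.0.2.3",
         "verbose": False, "description": "Logged in successfully"},
        {"requestUrl": None, "eventTime": 1529332689528,
         "eventId": "38882fa2730511e89504c9ba022c3fbf", "loginName": "bs@carbonblack.com",
         "orgName": "example.org", "flagged": False, "clientIp": "192.0.2.3",
         "verbose": False, "description": "Logged in successfully"},
        {"requestUrl": None, "eventTime": 1529345346615,
         "eventId": "b0be64fd732211e89504c9ba022c3fbf", "loginName": "bs@carbonblack.com",
         "orgName": "example.org", "flagged": False, "clientIp": "192.0.2.1",
         "verbose": False,
         "description": "Updated connector jason-splunk-test with api key Y8JNJZFBDRUJ2ZSM"},
        {"requestUrl": None, "eventTime": 1529345352229,
         "eventId": "b41705e7732211e8bd7e5fdbf9c916a3", "loginName": "bs@carbonblack.com",
         "orgName": "example.org", "flagged": False, "clientIp": "192.0.2.2",
         "verbose": False,
         "description": "Updated connector Training with api key GRJSDHRR8YVRML3Q"},
        {"requestUrl": None, "eventTime": 1529345371514,
         "eventId": "bf95ae38732211e8bd7e5fdbf9c916a3", "loginName": "bs@carbonblack.com",
         "orgName": "example.org", "flagged": False, "clientIp": "192.0.2.2",
         "verbose": False, "description": "Logged in successfully"},
    ],
    "success": True,
    "message": "Success",
}

CONNECTOR_UPDATE = re.compile(r"^Updated connector (?P<name>.+) with api key (?P<key>\S+)$")


def ingest(response, seen_ids, sink):
    """Persist every notification before anything else: the server clears a
    notification once it has been served, so a crash after the GET loses it.
    `sink` is a list here (a file or queue in practice); `seen_ids` drops
    duplicates by eventId in case a retried request re-delivers a batch."""
    if not response.get("success"):
        raise RuntimeError(f"auditlogs call failed: {response.get('message')}")
    fresh = []
    for n in response.get("notifications", []):
        if n["eventId"] in seen_ids:
            continue
        sink.append(json.dumps(n, sort_keys=True))
        seen_ids.add(n["eventId"])
        fresh.append(n)
    return fresh


def triage(notifications, known_ips):
    """Summarise a batch into what a SOC checks first: logins per user and source IP,
    logins from IPs outside the known set, and connector changes. Only the last
    four characters of a key are kept, because the description text carries the
    full API key."""
    logins = Counter()
    unknown_ip_logins = []
    connector_changes = []
    for n in sorted(notifications, key=lambda x: x["eventTime"]):
        desc = n["description"]
        if desc == "Logged in successfully":
            logins[f"{n['loginName']} from {n['clientIp']}"] += 1
            if n["clientIp"] not in known_ips:
                unknown_ip_logins.append(n["eventId"])
            continue
        m = CONNECTOR_UPDATE.match(desc)
        if m:
            connector_changes.append({"eventId": n["eventId"], "connector": m.group("name"),
                                      "actor": n["loginName"], "clientIp": n["clientIp"],
                                      "key_suffix": m.group("key")[-4:]})
    return {"logins": logins, "unknown_ip_logins": unknown_ip_logins,
            "connector_changes": connector_changes}


if __name__ == "__main__":
    seen, durable = set(), []
    batch = ingest(SAMPLE_RESPONSE, seen, durable)
    print(json.dumps(triage(batch, known_ips={"192.0.2.3"}), indent=2))
```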
    

Events

The Events API allows users to query the Cb Defense datastore for information on individual endpoint events that may have led to notifications/alerts. Individual endpoint events include network connections, process spawns, data access, and other indicators from the endpoint. These events are the raw data points fed into the streaming detection engine in Cb Defense.
Only API keys of type “API” can call the events API.

Find Events

GET /integrationServices/v3/event

Retrieves all events matching the input search criteria. Response is a list of events in JSON format. Resulting events are sorted in descending order of time.

Query parameters can be used to filter the list of events:

  • hostName: filter on hostnames, case-insensitively. For example, hostName=win-IA9NQ1GN8OI matches the hostname WIN-IA9NQ1GN8OI.
  • hostNameExact: filter on the exact hostname. For example, hostNameExact=WIN-IA9NQ1GN8OI matches only the exact hostname WIN-IA9NQ1GN8OI, not a host named win-IA9NQ1GN8OI.
  • ownerName: filter on owner name, case-insensitively.
  • ownerNameExact: same as ownerName, but case-sensitive.
  • ipAddress: filter on events generated by a device with the given external or internal IP address.
  • sha256Hash: filter on events generated by a process with the given SHA-256 hash. Note that this hash must be lowercase.
  • applicationName: filter on events generated by a process with the given application name (for example, googleupdate.exe). Note that this name must be lowercase.
  • eventType: filter on events with a given event type. Possible Event Types are:
    • “NETWORK”
    • “FILE_CREATE”
    • “REGISTRY_ACCESS”
    • “SYSTEM_API_CALL”
    • “CREATE_PROCESS”
    • “DATA_ACCESS”
    • “INJECT_CODE”
  • searchWindow: filter on events generated within a given relative time frame. The default is one day if searchWindow is not specified. Note that events may not be available past 30 days due to retention policies. Available options for searchWindow:
    • 3h for the past three hours
    • 1d for the past one day (default)
    • 1w for the past one week
    • 2w for the past two weeks
    • 1m for the past one month
    • all for all available events
    • Note: /event specifically accepts searchWindow values only up to 2w, to limit the volume of data returned.
  • startTime / endTime: Using a combination of startTime and endTime filters events for the given absolute timeframe.
    • startTime and endTime must be used together
    • The timestamps are in RFC3339 format. Example: https://api.confer.net/integrationServices/v3/event?startTime=2017-11-15&endTime=2017-11-20
    • endTime - startTime must be <= 2w
    • Note: Events may not be available past 30 days due to retention policies.

Each event has a unique ID associated with it in the response payload. The event ID is stored as the value of the eventId key.
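An added query builder (not part of the reference) that enforces the filter constraints listed above before a request is sent; it assumes the api.confer.net hostname from the page's examples and that a date-only value such as 2017-11-15 is accepted as RFC3339, as the example URL shows:

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Hostname taken from the page's own examples; substitute your organization's API host.
BASE = "https://api.confer.net/integrationServices/v3"

EVENT_TYPES = {"NETWORK", "FILE_CREATE", "REGISTRY_ACCESS", "SYSTEM_API_CALL",
               "CREATE_PROCESS", "DATA_ACCESS", "INJECT_CODE"}
# searchWindow values the reference lists that /event accepts (1m and all exceed its 2w cap).
SEARCH_WINDOWS = {"3h": timedelta(hours=3), "1d": timedelta(days=1),
                  "1w": timedelta(weeks=1), "2w": timedelta(weeks=2)}
MAX_SPAN = timedelta(weeks=2)           # endTime - startTime must be <= 2w
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")  # the hash filter must be lowercase hex


def _parse_rfc3339(value):
    """Accept a date-only value (as in the page's example) or a full RFC3339 timestamp."""
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone offset: {value}")
    return dt


def build_event_query(host_name=None, host_name_exact=None, ip_address=None, sha256=None,
                      application_name=None, event_type=None, search_window=None,
                      start_time=None, end_time=None, rows=None):
    """Validate the filters against the constraints the reference states and return the
    /event URL. Raises ValueError instead of sending a request the server would reject."""
    params = {}
    if host_name is not None:
        params["hostName"] = host_name
    if host_name_exact is not None:
        params["hostNameExact"] = host_name_exact
    if ip_address is not None:
        params["ipAddress"] = ip_address
    if sha256 is not None:
        if not SHA256_RE.match(sha256):
            raise ValueError("sha256Hash must be 64 lowercase hex characters")
        params["sha256Hash"] = sha256
    if application_name is not None:
        if application_name != application_name.lower():
            raise ValueError("applicationName must be lowercase")
        params["applicationName"] = application_name
    if event_type is not None:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown eventType {event_type!r}")
        params["eventType"] = event_type
    if search_window is not None:
        if search_window not in SEARCH_WINDOWS:
            raise ValueError(f"searchWindow {search_window!r} is not accepted by /event (max 2w)")
        params["searchWindow"] = search_window
    if (start_time is None) != (end_time is None):
        raise ValueError("startTime and endTime must be used together")
    if start_time is not None:
        start, end = _parse_rfc3339(start_time), _parse_rfc3339(end_time)
        if end <= start:
            raise ValueError("endTime must be after startTime")
        if end - start > MAX_SPAN:
            raise ValueError("endTime - startTime must be <= 2w")
        params["startTime"], params["endTime"] = start_time, end_time
    if rows is not None:
        params["rows"] = rows
    return f"{BASE}/event?{urlencode(params)}"


def is_rejected(**filters):
    """True when build_event_query refuses the filter combination."""
    try:
        build_event_query(**filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_event_query(start_time="2017-11-15", end_time="2017-11-20"))
    print(build_event_query(search_window="1d", rows=1))
```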

Example Request & Response:

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    "https://api.confer.net/integrationServices/v3/event?searchWindow=1d&rows=1"
    
  • Response 200 (application/json)

    {
      "success": true,
      "latestTime": 0,
      "results": [
        {
          "eventId": "1defe38112e911e7b34047d6447797bd",
          "processDetails": {
            "userName": "SYSTEM",
            "processId": 2872,
            "milisSinceProcessStart": 32,
            "name": "taskeng.exe",
            "parentPid": 772,
            "interpreterHash": null,
            "interpreterName": null,
            "commandLine": "taskeng.exe {5267BC82-9B0D-4F0B-A566-E06CDE5602F1} S-1-5-18:NT AUTHORITY\\System:Service:",
            "parentName": "svchost.exe",
            "parentPrivatePid": "772-1489763380982-18",
            "targetPid": 2468,
            "targetPrivatePid": "2468-1490617768051-975",
            "parentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
            "targetCommandLine": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
            "privatePid": "2872-1490617768004-974",
            "targetName": "GoogleUpdate.exe",
            "fullUserName": "NT AUTHORITY\\SYSTEM"
          },
          "eventTime": 1490617768036,
          "selectedApp": {
            "applicationName": "taskeng.exe",
            "virusName": null,
            "reputationProperty": "TRUSTED_WHITE_LIST",
            "effectiveReputation": null,
            "applicationPath": "C:\\Windows\\System32\\taskeng.exe",
            "md5Hash": "a21ac8d41e63cf1aa24ebc165ae82c9a",
            "effectiveReputationSource": null,
            "virusCategory": null,
            "sha256Hash": "74b9cf472d5008e00735482f084f886eaa201248d6e87ab6b1990e3670bd6693",
            "virusSubCategory": null
          },
          "attackStage": null,
          "targetApp": {
            "applicationName": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
            "virusName": null,
            "reputationProperty": "TRUSTED_WHITE_LIST",
            "effectiveReputation": null,
            "applicationPath": null,
            "md5Hash": null,
            "effectiveReputationSource": null,
            "virusCategory": null,
            "sha256Hash": "52fc3aa9f704300041e486e57fe863218e4cdf4c8eee05ca6b99a296efee5737",
            "virusSubCategory": null
          },
          "registryValue": null,
          "alertCategory": null,
          "longDescription": "The application \"<share><link hash=\"74b9cf472d5008e00735482f084f886eaa201248d6e87ab6b1990e3670bd6693\">C:\\Windows\\System32\\taskeng.exe</link></share>\" attempted to invoke the application \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\", by calling the function \"CreateProcessW\". The operation was successful.",
          "threatIndicators": [
            "SUSPENDED_PROCESS"
          ],
          "securityEventCode": null,
          "deviceDetails": {
            "deviceName": "WIN-EK5MJ5DQC3Q",
            "agentLocation": "OFFSITE",
            "targetPriorityCode": 2,
            "deviceOwnerName": null,
            "deviceIpAddress": "1.2.3.4",
            "deviceHostName": "example.com",
            "email": "Administrator",
            "groupName": "Restrictive_Windows_Workstation",
            "deviceType": "WINDOWS",
            "deviceId": 218616,
            "targetPriorityType": "HIGH",
            "deviceIpV4Address": "1.2.3.4",
            "deviceLocation": {
              "city": "Ashburn",
              "countryCode": "US",
              "areaCode": 703,
              "metroCode": 123,
              "region": "VA",
              "dmaCode": 123,
              "countryName": "United States",
              "postalCode": "20148",
              "longitude": -77.487442,
              "latitude": 39.043757
            },
            "deviceVersion": "Server 2012 R2 x64 "
          },
          "eventType": "SYSTEM_API_CALL",
          "netFlow": {
            "service": null,
            "peerSiteReputation": null,
            "peerIpAddress": null,
            "destPort": null,
            "sourcePort": null,
            "peerFqdn": null,
            "destAddress": null,
            "peerIpV4Address": null,
            "sourceAddress": null,
            "peerLocation": null
          },
          "incidentId": null,
          "shortDescription": "The application \"<share><link hash=\"74b9cf472d5008e00735482f084f886eaa201248d6e87ab6b1990e3670bd6693\">taskeng.exe</link></share>\" successfully attempted to invoke the application \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\".",
          "createTime": 1490617872232,
          "alertScore": 0,
          "parentApp": {
            "applicationName": "C:\\Windows\\System32\\svchost.exe",
            "virusName": null,
            "reputationProperty": null,
            "effectiveReputation": null,
            "applicationPath": null,
            "md5Hash": null,
            "effectiveReputationSource": null,
            "virusCategory": null,
            "sha256Hash": "c7db4ae8175c33a47baa3ddfa089fad17bc8e362f21e835d78ab22c9231fe370",
            "virusSubCategory": null
          }
        }
      ],
      "elapsed": 3,
      "message": "Success",
      "totalResults": 28
    }
    

Get details for a Specific Event

GET /integrationServices/v3/event/{id}

Retrieve details for an individual event given the event ID (eventId). Note that only events associated with incidents/notifications/alerts will be visible through this API. Other event IDs will return HTTP 404 (Object Not Found).

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/event/1defe38112e911e7b34047d6447797bd
    
  • Response 200 (application/json)

    {
      "message": "Success",
      "eventInfo": {
        "eventId": "1defe38112e911e7b34047d6447797bd",
        "processDetails": {
          "userName": "SYSTEM",
          "processId": 2872,
          "milisSinceProcessStart": 32,
          "name": "taskeng.exe",
          "parentPid": 772,
          "interpreterHash": null,
          "interpreterName": null,
          "commandLine": "taskeng.exe {5267BC82-9B0D-4F0B-A566-E06CDE5602F1} S-1-5-18:NT AUTHORITY\\System:Service:",
          "parentName": "svchost.exe",
          "parentPrivatePid": "772-1489763380982-18",
          "targetPid": 2468,
          "targetPrivatePid": "2468-1490617768051-975",
          "parentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
          "targetCommandLine": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
          "privatePid": "2872-1490617768004-974",
          "targetName": "GoogleUpdate.exe",
          "fullUserName": "NT AUTHORITY\\SYSTEM"
        },
        "eventTime": 1490617768036,
        "deviceSecurityEventCode": null,
        "killChainStatus": null,
        "processHash": {
          "applicationName": "taskeng.exe",
          "virusName": null,
          "reputationProperty": "TRUSTED_WHITE_LIST",
          "effectiveReputation": null,
          "applicationPath": "C:\\Windows\\System32\\taskeng.exe",
          "md5Hash": "a21ac8d41e63cf1aa24ebc165ae82c9a",
          "effectiveReputationSource": null,
          "virusCategory": null,
          "sha256Hash": "74b9cf472d5008e00735482f084f886eaa201248d6e87ab6b1990e3670bd6693",
          "virusSubCategory": null
        },
        "registryValue": null,
        "parentHash": {
          "applicationName": "C:\\Windows\\System32\\svchost.exe",
          "virusName": null,
          "reputationProperty": null,
          "effectiveReputation": null,
          "applicationPath": null,
          "md5Hash": null,
          "effectiveReputationSource": null,
          "virusCategory": null,
          "sha256Hash": "c7db4ae8175c33a47baa3ddfa089fad17bc8e362f21e835d78ab22c9231fe370",
          "virusSubCategory": null
        },
        "threatScore": 0,
        "createTime": 1490617872232,
        "longDescription": "The application \"<share><link hash=\"74b9cf472d5008e00735482f084f886eaa201248d6e87ab6b1990e3670bd6693\">C:\\Windows\\System32\\taskeng.exe</link></share>\" attempted to invoke the application \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\", by calling the function \"CreateProcessW\". The operation was successful.",
        "threatIndicators": [
          "SUSPENDED_PROCESS"
        ],
        "securityEventCode": null,
        "deviceDetails": {
          "deviceName": "WIN-EK5MJ5DQC3Q",
          "agentLocation": "OFFSITE",
          "targetPriorityCode": 2,
          "deviceOwnerName": null,
          "deviceIpAddress": "1.2.3.4",
          "deviceHostName": "example.com",
          "email": "Administrator",
          "groupName": "Restrictive_Windows_Workstation",
          "deviceType": "WINDOWS",
          "deviceId": 218616,
          "targetPriorityType": "HIGH",
          "deviceIpV4Address": "1.2.3.4",
          "deviceLocation": {
            "city": "Ashburn",
            "countryCode": "US",
            "areaCode": 703,
            "metroCode": 123,
            "region": "VA",
            "dmaCode": 123,
            "countryName": "United States",
            "postalCode": "20148",
            "longitude": -77.487442,
            "latitude": 39.043757
          },
          "deviceVersion": "Server 2012 R2 x64 "
        },
        "orgDetails": {
          "organizationId": 423,
          "organizationName": "secureworks.com",
          "organizationType": "BUSINESS"
        },
        "eventType": "SYSTEM_API_CALL",
        "syslogLevel": null,
        "netFlow": {
          "service": null,
          "peerSiteReputation": null,
          "peerIpAddress": null,
          "destPort": null,
          "sourcePort": null,
          "peerFqdn": null,
          "destAddress": null,
          "peerIpV4Address": null,
          "sourceAddress": null,
          "peerLocation": null
        },
        "shortDescription": "The application \"<share><link hash=\"74b9cf472d5008e00735482f084f886eaa201248d6e87ab6b1990e3670bd6693\">taskeng.exe</link></share>\" successfully attempted to invoke the application \"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe\".",
        "targetHash": {
          "applicationName": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
          "virusName": null,
          "reputationProperty": "TRUSTED_WHITE_LIST",
          "effectiveReputation": null,
          "applicationPath": null,
          "md5Hash": null,
          "effectiveReputationSource": null,
          "virusCategory": null,
          "sha256Hash": "52fc3aa9f704300041e486e57fe863218e4cdf4c8eee05ca6b99a296efee5737",
          "virusSubCategory": null
        }
      },
      "success": true
    }
    

Find Processes

Find processes associated with a specific indicator or IP address filter. Only API keys of type “API” can call the processes API.

Find Processes

GET /integrationServices/v3/process

Queries all events using the input search criteria and returns the matching processes. The response is a list of processes in JSON format.

Query parameters can be used to filter the list of processes:

  • hostNameExact: filter on the exact hostname. For example, hostNameExact=WIN-IA9NQ1GN8OI will only return results for devices with the exact hostname WIN-IA9NQ1GN8OI, not for a host named win-IA9NQ1GN8OI
  • ownerName: filter on owner name case insensitive (partial match).
  • ownerNameExact: same as ownerName but with case sensitivity
  • ipAddress: filter on events generated by a device with a given external or internal IP address
  • searchWindow: filter on events generated within a given relative time frame. The default is one day if searchWindow is not specified. Events may not be available past 30 days due to retention policies, and the maximum search window is two weeks. Example values are:
    • 4d for the past four days
    • 2w for the past two weeks

Note that the current implementation as of 3/31/2017 returns totalResults == rows, rather than the total number of processes that match the criteria.

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    "https://api.confer.net/integrationServices/v3/process?ipAddress=1.2.3.4&rows=1"
    
  • Response 200 (application/json)

    {
      "success": true,
      "latestTime": 0,
      "results": [
        {
          "applicationName": "chrome.exe",
          "processId": 3052,
          "numEvents": 252,
          "applicationPath": null,
          "privatePid": "3052-1489181082476-30",
          "sha256Hash": "c8b01dd0153bbe4527630fb002f9ef8b4e04127bdff212831ff67bd6ab0ea265"
        }
      ],
      "elapsed": 16,
      "message": "Success",
      "totalResults": 1
    }
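
The following is an added example client for this endpoint (not part of the Cb Defense API reference or its SDK). It validates the searchWindow syntax described above, assembles the filter and start/rows query string, and pages through results without relying on totalResults, since the note above says that value equals rows rather than the true count. The hostname, the token value and the `fetch` callable are placeholders; the sample processes are constructed.

```python
import re
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

API_HOST = "api.confer.net"          # placeholder hostname from the page's curl examples
_WINDOW_RE = re.compile(r"^(\d+)([dw])$")
MAX_WINDOW_DAYS = 14                 # documented two-week maximum


def auth_header(api_key: str, connector_id: str) -> Dict[str, str]:
    """X-Auth-Token is the API key and connector ID joined as key/id (ABCD/1234 above)."""
    return {"X-Auth-Token": f"{api_key}/{connector_id}"}


def window_days(search_window: str) -> int:
    """Validate a searchWindow value such as 4d or 2w and return it in days."""
    m = _WINDOW_RE.match(search_window)
    if not m:
        raise ValueError(f"bad searchWindow {search_window!r}: expected <n>d or <n>w")
    days = int(m.group(1)) * (7 if m.group(2) == "w" else 1)
    if not 1 <= days <= MAX_WINDOW_DAYS:
        raise ValueError(f"searchWindow {search_window!r} is outside 1d..2w")
    return days


def is_valid_window(search_window: str) -> bool:
    try:
        window_days(search_window)
        return True
    except ValueError:
        return False


def build_process_query(host: str = API_HOST, *, ip_address: Optional[str] = None,
                        host_name_exact: Optional[str] = None,
                        owner_name: Optional[str] = None, search_window: str = "1d",
                        start: int = 1, rows: int = 100) -> str:
    """Assemble the GET URL from the documented filters plus start/rows paging."""
    window_days(search_window)                       # fail early on a bad window
    if start < 1 or rows < 1:
        raise ValueError("start is 1-indexed and rows must be positive")
    params: Dict[str, object] = {"searchWindow": search_window,
                                 "start": start, "rows": rows}
    if ip_address:
        params["ipAddress"] = ip_address
    if host_name_exact:
        params["hostNameExact"] = host_name_exact
    if owner_name:
        params["ownerName"] = owner_name
    return f"https://{host}/integrationServices/v3/process?{urlencode(params)}"


def iter_processes(fetch: Callable[[str], dict], rows: int = 100,
                   **filters) -> Iterator[dict]:
    """Walk every page. `fetch` performs the GET (sending auth_header) and
    returns the parsed JSON. Since totalResults == rows on this endpoint, the
    loop ends on a short page instead of comparing against totalResults."""
    start = 1
    while True:
        page = fetch(build_process_query(start=start, rows=rows, **filters))
        if not page.get("success"):
            raise RuntimeError(page.get("message", "process query failed"))
        results: List[dict] = page.get("results") or []
        yield from results
        if len(results) < rows:                      # last (possibly empty) page
            return
        start += rows


def make_fake_fetch(dataset: List[dict], calls: List[str]) -> Callable[[str], dict]:
    """Offline stand-in for the HTTP call: serves `dataset` in start/rows slices
    and mimics the totalResults == rows quirk; every URL requested goes in `calls`."""
    def fetch(url: str) -> dict:
        calls.append(url)
        q = parse_qs(urlparse(url).query)
        start, rows = int(q["start"][0]), int(q["rows"][0])
        page = dataset[start - 1:start - 1 + rows]
        return {"success": True, "message": "Success", "elapsed": 1,
                "latestTime": 0, "results": page, "totalResults": rows}
    return fetch


# Constructed sample processes modelled on the response above (fake hashes).
SAMPLE_PROCESSES = [
    {"applicationName": f"proc{i}.exe", "processId": 1000 + i, "numEvents": 10 * i,
     "applicationPath": None, "privatePid": f"{1000 + i}-1489181082476-{i}",
     "sha256Hash": f"{i:064x}"}
    for i in range(5)
]


def collect_all(rows: int = 2) -> Dict[str, list]:
    """Page through SAMPLE_PROCESSES with the fake fetcher; returns the processes
    found and the URLs that were requested."""
    calls: List[str] = []
    found = list(iter_processes(make_fake_fetch(SAMPLE_PROCESSES, calls), rows=rows,
                                ip_address="1.2.3.4", search_window="4d"))
    return {"found": found, "calls": calls}


if __name__ == "__main__":
    out = collect_all(rows=2)
    print(f"{len(out['found'])} processes over {len(out['calls'])} requests")
```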
    

Alerts

Only API keys of type “API” can call the alerts API.

Get Details on Alert

GET /integrationServices/v3/alert/{id}

Get details on the events that led to an alert. This includes retrieving metadata
around the alert as well as a list of all the events associated with the alert.
Introduced in 0.21.

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/alert/JSPJCU9K
    
  • Response 200 (application/json)

    {
      "success": true,
      "deviceInfo": {
        "assignedToName": null,
        "deviceName": "ProjectManagementMac",
        "avEngine": "",
        "linuxKernelVersion": null,
        "message": "success",
        "registeredTime": 1488234251183,
        "group": "default",
        "deregisteredTime": 0,
        "deviceType": "MAC",
        "scanLastActionTime": 0,
        "sensorVersion": "1.0.2.15",
        "assignedToId": 0,
        "scanStatus": null,
        "importance": "MEDIUM",
        "deviceId": 218609,
        "osVersion": "MAC OS X 10.9.0",
        "groupId": 2141,
        "userName": "Brad.Follmer@strugholdmining.com",
        "avStatus": null,
        "success": true,
        "status": "REGISTERED",
        "avLastScanTime": 0,
        "scanLastCompleteTime": 0
      },
      "orgId": 423,
      "message": "Success",
      "events": [
        {
          "eventId": "ac2b8641fd3b11e6808d7d14b0f2459a",
          "userName": null,
          "eventTime": 1488229840388,
          "parentPid": 146,
          "processId": 233,
          "applicationPath": "/Applications/Safari.app/Contents/MacOS/Safari",
          "eventType": "CREATE_PROCESS",
          "commandLine": null,
          "parentName": "/sbin/launchd",
          "longDescription": "The application \"<share><link hash=\"47b209606559bd304606b7197bea675175d9d339f9582fd44147fce5a78c6265\">/Applications/Safari.app/Contents/MacOS/Safari</link></share>\" invoked the application \"<share><link hash=\"41b6c19f1e6b30fd1bb0f89684ba1f8aaf2b7abf751a8fdd4def069ef21e699e\">/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/jspawnhelper</link></share>\". ",
          "parentCommandLine": null,
          "processHash": "47b209606559bd304606b7197bea675175d9d339f9582fd44147fce5a78c6265",
          "threatIndicators": [
            "RUN_ANOTHER_APP"
          ],
          "parentPPid": "146",
          "killChainStatus": "INSTALL_RUN",
          "processMd5Hash": "c10a1acb932aa8a78a510c9e78bc2b37",
          "processPPid": "233",
          "parentHash": "6a18c33dbcd8e681878f19990276d1554d2d2a6c1fdb074627abaa79d32885d3",
          "policyState": "NOT_APPLIED"
        },
        ...
      ],
      "threatInfo": {
        "threatId": "ed0d0913598ed1798acf7848b6428070",
        "threatScore": 5,
        "summary": "The application Payload.class invoked another application (uname).",
        "time": 1488230650998,
        "indicators": [
          {
            "applicationName": "Payload.class",
            "indicatorName": "RUN_SYSTEM_APP",
            "sha256Hash": "6750c319c5d1ba2d2937ef602c2e5c03df6fb60449566e5efb0331310a655c4e"
          },
          ...
        ],
        "incidentId": "JSPJCU9K"
      }
    }
    

Notifications

The Notifications API allows consumers to get the alert and policy action notifications that a connector is subscribed to. Only API keys of type “SIEM” can call the Notifications API.

Get Notifications

GET /integrationServices/v3/notification

Get new notifications since last checkin. The connector must be subscribed to at least one notification rule to get notifications.

Note that, once delivered, notifications will not be delivered again. Also, the API key associated with a request to the Notifications API must be of the “SIEM” type; “API” key types will receive an HTTP 401 Unauthorized when attempting to access the Notifications API.

Every SIEM key type can be subscribed to a different set of notifications in the product. Therefore, each SIEM key type will have a different “view” of the notifications available. Each SIEM key is considered separate from the others, and even if both are subscribed to the same set of notifications, the notifications will be delivered to both – retrieving a notification from one SIEM key will not automatically “remove” it from the view of the other SIEM key.

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/notification
    
  • Response 200 (application/json)

    {
        "notifications": [
            {
                "policyAction": {
                    "sha256Hash": "2552332222112552332222112552332222112552332222112552332222112552",
                    "action": "TERMINATE",
                    "reputation": "KNOWN_MALWARE",
                    "applicationName": "firefox.exe"
                },
                "type": "POLICY_ACTION",
                "eventTime": 1423163263482,
                "eventId": "EV1",
                "url": "http://carbonblack.com/ui#device/100/hash/2552332222112552332222112552332222112552332222112552332222112552/app/firefox.exe/keyword/terminate policy action",
                "deviceInfo": {
                    "deviceType": "WINDOWS",
                    "email": "tester@carbonblack.com",
                    "deviceId": 100,
                    "deviceName": "testers-pc",
                    "deviceHostName": null,
                    "deviceVersion": "7 SP1",
                    "targetPriorityType": "HIGH",
                    "targetPriorityCode": 0,
                    "internalIpAddress": "55.33.22.11",
                    "groupName": "Executives",
                    "externalIpAddress": "255.233.222.211"
                },
                "eventDescription": "Policy action 1",
                "ruleName": "Alert Rule 1"
            },
            {
                "threatInfo": {
                    "time": 1423163263501,
                    "indicators": [
                        {
                            "sha256Hash": "aafafafafafafafafafafafafafafafafafafa7347878",
                            "indicatorName": "BUFFER_OVERFLOW",
                            "applicationName": "chrome.exe"
                        },
                        {
                            "sha256Hash": "ddfdhjhjdfjdfjdhjfdjfhjdfhjdhfjdhfjdhfjdh7347878",
                            "indicatorName": "INJECT_CODE",
                            "applicationName": "firefox.exe"
                        }
                    ],
                    "summary": "Threat Summary 23",
                    "score": 8,
                    "incidentId": "ABCDEF"
                },
                "type": "THREAT",
                "eventTime": 1423163263501,
                "eventId": "EV2",
                "url": "http://carbonblack.com/ui#device/100/incident/ABCDEF",
                "deviceInfo": {
                    "deviceType": "WINDOWS",
                    "email": "tester@carbonblack.com",
                    "deviceId": 100,
                    "deviceName": "testers-pc",
                    "deviceHostName": null,
                    "deviceVersion": "7 SP1",
                    "targetPriorityType": "HIGH",
                    "targetPriorityCode": 0,
                    "internalIpAddress": "55.33.22.11",
                    "groupName": "Executives",
                    "externalIpAddress": "255.233.222.211"
                },
                "eventDescription": "time|Threat summary 23|score",
                "ruleName": "Alert Rule 2"
            }
        ],
        "message": "Success",
        "success": true
    }
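
Because a notification is delivered exactly once, a SIEM connector has to store it before doing anything else with it. The following added example (not code from the Cb Defense reference or its SDK) flattens both documented notification types into records, persists them as JSON lines, and dedupes on eventId for the case where two SIEM keys subscribed to the same rules feed one consumer; it assumes eventId identifies a notification and uses the page's placeholder hostname. The sample payload is a constructed, trimmed copy of the response shown above.

```python
import json
from typing import Dict, List, Set

API_HOST = "api.confer.net"     # placeholder hostname from the page's curl examples


def _device(n: dict) -> Dict[str, object]:
    d = n.get("deviceInfo") or {}
    return {"device_id": d.get("deviceId"), "device_name": d.get("deviceName"),
            "internal_ip": d.get("internalIpAddress"),
            "external_ip": d.get("externalIpAddress"),
            "priority": d.get("targetPriorityType")}


def normalize(n: dict) -> Dict[str, object]:
    """Flatten one notification of either documented type into a flat record."""
    rec: Dict[str, object] = {"event_id": n["eventId"], "type": n["type"],
                              "event_time": n["eventTime"], "rule_name": n.get("ruleName"),
                              "url": n.get("url"), **_device(n)}
    if n["type"] == "POLICY_ACTION":
        pa = n["policyAction"]
        rec.update(action=pa.get("action"), reputation=pa.get("reputation"),
                   application=pa.get("applicationName"), sha256=pa.get("sha256Hash"))
    elif n["type"] == "THREAT":
        ti = n["threatInfo"]
        rec.update(score=ti.get("score"), summary=ti.get("summary"),
                   incident_id=ti.get("incidentId"),
                   indicators=[(i["indicatorName"], i["applicationName"])
                               for i in ti.get("indicators", [])],
                   # the incident id is the {id} the alert endpoint takes
                   alert_url=f"https://{API_HOST}/integrationServices/v3/alert/{ti['incidentId']}")
    else:
        raise ValueError(f"unknown notification type {n['type']!r}")
    return rec


class NotificationSink:
    """Stand-in for durable storage (a file or queue): JSON lines plus the set of
    eventIds already stored. A notification is written the moment it is parsed,
    because the API never redelivers it; eventId dedupes copies that arrive through
    a second SIEM key subscribed to the same rules."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self.seen: Set[str] = set()

    def ingest(self, payload: dict) -> int:
        """Store every new notification in `payload`; returns how many were new."""
        if not payload.get("success"):
            raise RuntimeError(payload.get("message", "notification poll failed"))
        new = 0
        for n in payload.get("notifications", []):
            if n["eventId"] in self.seen:
                continue
            self.lines.append(json.dumps(normalize(n), sort_keys=True))
            self.seen.add(n["eventId"])
            new += 1
        return new

    def records(self) -> List[dict]:
        return [json.loads(line) for line in self.lines]


# Constructed poll result, trimmed from the response shown above (fake hashes).
_DEV = {"deviceId": 100, "deviceName": "testers-pc", "internalIpAddress": "55.33.22.11",
        "externalIpAddress": "255.233.222.211", "targetPriorityType": "HIGH"}
SAMPLE_PAYLOAD = {
    "success": True, "message": "Success",
    "notifications": [
        {"type": "POLICY_ACTION", "eventId": "EV1", "eventTime": 1423163263482,
         "ruleName": "Alert Rule 1", "url": "http://carbonblack.com/ui#device/100",
         "policyAction": {"sha256Hash": "25" * 32, "action": "TERMINATE",
                          "reputation": "KNOWN_MALWARE", "applicationName": "firefox.exe"},
         "deviceInfo": _DEV},
        {"type": "THREAT", "eventId": "EV2", "eventTime": 1423163263501,
         "ruleName": "Alert Rule 2", "url": "http://carbonblack.com/ui#device/100/incident/ABCDEF",
         "threatInfo": {"time": 1423163263501, "score": 8, "incidentId": "ABCDEF",
                        "summary": "Threat Summary 23",
                        "indicators": [{"sha256Hash": "aa" * 32, "indicatorName": "BUFFER_OVERFLOW",
                                        "applicationName": "chrome.exe"},
                                       {"sha256Hash": "dd" * 32, "indicatorName": "INJECT_CODE",
                                        "applicationName": "firefox.exe"}]},
         "deviceInfo": _DEV},
    ],
}


def demo() -> NotificationSink:
    """Poll twice with the same payload: the second poll must store nothing new."""
    sink = NotificationSink()
    sink.ingest(SAMPLE_PAYLOAD)
    sink.ingest(SAMPLE_PAYLOAD)
    return sink
```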
    

Policy

The Policy API allows users to manage security policies on the Cb Defense backend. The API allows you to create, replace, and delete security policies. You can apply these policies to devices using the Device API above. Only API keys of type “API” can call the Policy API.

Policies in Cb Defense are comprised of three components:

  • Policy metadata: Metadata about a policy, including:
    • Policy name (name)
    • Policy description (description)
    • Schema version number (version)
    • Priority Level assigned to endpoints in this policy (priorityLevel)
  • Policy contents: The actual policy, which is included as its own object in the policy key of a policy object
  • Policy rules: A set of rules for the policy, included as the rules subkey in the policy contents above. Rules can be defined to restrict activity by application type (suspected malware, files by pathname, etc.) and the operation that the application attempts to perform (executing itself, scraping memory, injecting code into another process, etc.)

The Policy API allows you to create or modify policies, and to add, replace, or remove rules on existing policies.

Get List of Policies

GET /integrationServices/v3/policy

Get the list of policies available in your organization. This list includes system policies (which cannot be deleted or modified) as well as user-created policies (which can). Each policy is a JSON document containing metadata about the policy and a list of rules. A separate rule API can create, modify, and delete rules inside a policy, in addition to replacing the entire policy through the Policy API.

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/policy
    
  • Response 200 (application/json)

    {
      "message": "Success",
      "results": [
        {
          "latestRevision": 1501850861950,
          "name": "default",
          "priorityLevel": "LOW",
          "version": 2,
          "systemPolicy": true,
          "policy": {
            "rules": [
              {
                "action": "DENY",
                "application": {
                  "type": "REPUTATION",
                  "value": "KNOWN_MALWARE"
                },
                "operation": "RUN",
                "required": true,
                "id": 1
              },
              {
                "action": "DENY",
                "application": {
                  "type": "NAME_PATH",
                  "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe"
                },
                "operation": "RUN",
                "required": false,
                "id": 10
              }
            ],
            "avSettings": {
              "features": [
                {
                  "enabled": false,
                  "name": "SIGNATURE_UPDATE"
                },
                {
                  "enabled": true,
                  "name": "ONACCESS_SCAN"
                },
                {
                  "enabled": true,
                  "name": "ONDEMOND_SCAN"
                }
              ],
              "updateServers": {
                "serversForOffSiteDevices": [
                  "http://updates.cdc.carbonblack.io/update"
                ],
                "servers": [
                  {
                    "regId": null,
                    "flags": 0,
                    "server": [
                      "http://updates.cdc.carbonblack.io/update"
                    ]
                  }
                ]
              },
              "onDemandScan": {
                "profile": "NORMAL",
                "scanUsb": "AUTOSCAN",
                "scanCdDvd": "AUTOSCAN",
                "schedule": {
                  "recoveryScanIfMissed": true,
                  "days": null,
                  "rangeHours": 0,
                  "startHour": 0
                }
              },
              "onAccessScan": {
                "profile": "NORMAL"
              },
              "apc": {
                "maxFileSize": 4,
                "riskLevel": 4,
                "maxExeDelay": 45,
                "enabled": false
              },
              "signatureUpdate": {
                "schedule": {
                  "fullIntervalHours": 0,
                  "initialRandomDelayHours": 4,
                  "intervalHours": 2
                }
              }
            },
            "id": -1,
            "sensorSettings": [
              {
                "name": "SHOW_UI",
                "value": "true"
              },
              {
                "name": "BACKGROUND_SCAN",
                "value": "true"
              },
              {
                "name": "POLICY_ACTION_OVERRIDE",
                "value": "true"
              },
              {
                "name": "QUARANTINE_DEVICE_MESSAGE",
                "value": "Your device has been quarantined by your computer administrator."
              },
              {
                "name": "LOGGING_LEVEL",
                "value": "false"
              },
              {
                "name": "ALLOW_UNINSTALL",
                "value": "true"
              },
              {
                "name": "QUARANTINE_DEVICE",
                "value": "false"
              },
              {
                "name": "RATE_LIMIT",
                "value": "0"
              },
              {
                "name": "CONNECTION_LIMIT",
                "value": "0"
              },
              {
                "name": "QUEUE_SIZE",
                "value": "100"
              },
              {
                "name": "LEARNING_MODE",
                "value": "0"
              },
              {
                "name": "SCAN_NETWORK_DRIVE",
                "value": "true"
              },
              {
                "name": "BYPASS_AFTER_LOGIN_MINS",
                "value": "0"
              },
              {
                "name": "BYPASS_AFTER_RESTART_MINS",
                "value": "0"
              },
              {
                "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE",
                "value": "true"
              },
              {
                "name": "DELAY_EXECUTE",
                "value": "true"
              },
              {
                "name": "PRESERVE_SYSTEM_MEMORY_SCAN",
                "value": "false"
              },
              {
                "name": "HASH_MD5",
                "value": "false"
              },
              {
                "name": "SCAN_LARGE_FILE_READ",
                "value": "false"
              },
              {
                "name": "SHOW_FULL_UI",
                "value": "true"
              },
              {
                "name": "HELP_MESSAGE",
                "value": "CarbonBlack"
              },
              {
                "name": "SECURITY_CENTER_OPT",
                "value": "true"
              },
              {
                "name": "CB_LIVE_RESPONSE",
                "value": "true"
              },
              {
                "name": "UNINSTALL_CODE",
                "value": "false"
              }
            ]
          },
          "id": 1,
          "description": ""
        },
        {
          "latestRevision": 1496342016813,
          "name": "quarantine",
          "priorityLevel": "LOW",
          "version": 2,
          "systemPolicy": true,
          "policy": {
            "directoryActionRules": [],
            "rules": [
              {
                "action": "DENY",
                "application": {
                  "type": "REPUTATION",
                  "value": "KNOWN_MALWARE"
                },
                "operation": "RUN",
                "required": true,
                "id": 1
              },
              {
                "action": "DENY",
                "application": {
                  "type": "REPUTATION",
                  "value": "COMPANY_BLACK_LIST"
                },
                "operation": "RUN",
                "required": true,
                "id": 2
              },
              {
                "action": "DENY",
                "application": {
                  "type": "REPUTATION",
                  "value": "SUSPECT_MALWARE"
                },
                "operation": "NETWORK",
                "required": false,
                "id": 3
              },
              {
                "action": "DENY",
                "application": {
                  "type": "REPUTATION",
                  "value": "PUP"
                },
                "operation": "NETWORK",
                "required": false,
                "id": 4
              },
              {
                "action": "ALLOW",
                "application": {
                  "type": "REPUTATION",
                  "value": "RESOLVING"
                },
                "operation": "RUN",
                "required": false,
                "id": 5
              }
            ],
            "avSettings": {
              "features": [
                {
                  "enabled": true,
                  "name": "SIGNATURE_UPDATE"
                },
                {
                  "enabled": true,
                  "name": "ONACCESS_SCAN"
                },
                {
                  "enabled": true,
                  "name": "ONDEMOND_SCAN"
                }
              ],
              "updateServers": {
                "serversForOffSiteDevices": [
                  "http://updates.cdc.carbonblack.io/update"
                ],
                "servers": [
                  {
                    "regId": null,
                    "flags": 0,
                    "server": [
                      "http://updates.cdc.carbonblack.io/update"
                    ]
                  }
                ]
              },
              "onDemandScan": {
                "profile": "NORMAL",
                "scanUsb": "AUTOSCAN",
                "scanCdDvd": "AUTOSCAN",
                "schedule": {
                  "recoveryScanIfMissed": true,
                  "days": null,
                  "rangeHours": 8,
                  "startHour": 20
                }
              },
              "onAccessScan": {
                "profile": "NORMAL"
              },
              "apc": {
                "maxFileSize": 4,
                "riskLevel": 4,
                "maxExeDelay": 45,
                "enabled": false
              },
              "signatureUpdate": {
                "schedule": {
                  "fullIntervalHours": 0,
                  "initialRandomDelayHours": 4,
                  "intervalHours": 4
                }
              }
            },
            "id": -1,
            "sensorSettings": [
              {
                "name": "SHOW_UI",
                "value": "true"
              },
              {
                "name": "BACKGROUND_SCAN",
                "value": "false"
              },
              {
                "name": "POLICY_ACTION_OVERRIDE",
                "value": "true"
              },
              {
                "name": "QUARANTINE_DEVICE_MESSAGE",
                "value": "Your device has been quarantined by your computer administrator."
              },
              {
                "name": "QUARANTINE_DEVICE",
                "value": "true"
              },
              {
                "name": "LOGGING_LEVEL",
                "value": "false"
              },
              {
                "name": "ALLOW_UNINSTALL",
                "value": "true"
              },
              {
                "name": "SCAN_NETWORK_DRIVE",
                "value": "false"
              },
              {
                "name": "BYPASS_AFTER_LOGIN_MINS",
                "value": "0"
              },
              {
                "name": "BYPASS_AFTER_RESTART_MINS",
                "value": "0"
              },
              {
                "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE",
                "value": "true"
              },
              {
                "name": "DELAY_EXECUTE",
                "value": "false"
              },
              {
                "name": "PRESERVE_SYSTEM_MEMORY_SCAN",
                "value": "false"
              },
              {
                "name": "HASH_MD5",
                "value": "true"
              },
              {
                "name": "SCAN_LARGE_FILE_READ",
                "value": "false"
              },
              {
                "name": "SECURITY_CENTER_OPT",
                "value": "false"
              },
              {
                "name": "CB_LIVE_RESPONSE",
                "value": "false"
              },
              {
                "name": "UNINSTALL_CODE",
                "value": "false"
              }
            ]
          },
          "id": 501,
          "description": ""
        }
      ],
      "success": true
    }
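
The three policy components described above (metadata, policy contents, rules) lend themselves to a structural check before a policy is pushed or replaced. The following added example (not code from the Cb Defense reference or its SDK) validates a policy object against that structure, reports baseline rules marked required that a candidate policy lacks, and lists sensor settings that differ between two policies. The accepted action and application type values are only those seen in the responses on this page, and the two embedded policies are constructed, trimmed copies of the default and quarantine policies listed above.

```python
from typing import Dict, List, Tuple

RuleKey = Tuple[str, str, str]      # (operation, application type, application value)
METADATA_FIELDS = ("name", "description", "version", "priorityLevel")
RULE_FIELDS = ("action", "operation", "application", "required")
KNOWN_ACTIONS = {"DENY", "ALLOW", "TERMINATE", "IGNORE"}       # values seen on this page
KNOWN_APP_TYPES = {"REPUTATION", "NAME_PATH"}


def validate_policy(doc: dict) -> List[str]:
    """Check a policy object for the three documented components; returns problems."""
    problems = [f"missing metadata field {f!r}" for f in METADATA_FIELDS if f not in doc]
    body = doc.get("policy")
    if not isinstance(body, dict):
        return problems + ["missing 'policy' object"]
    rules = body.get("rules")
    if not isinstance(rules, list):
        return problems + ["policy.rules must be a list"]
    seen_ids = set()
    for i, r in enumerate(rules):
        problems += [f"rule[{i}] missing {f!r}" for f in RULE_FIELDS if f not in r]
        if r.get("action") not in KNOWN_ACTIONS:
            problems.append(f"rule[{i}] has unknown action {r.get('action')!r}")
        app = r.get("application") or {}
        if app.get("type") not in KNOWN_APP_TYPES or not app.get("value"):
            problems.append(f"rule[{i}] application needs a known type and a value")
        if "id" in r:
            if r["id"] in seen_ids:
                problems.append(f"rule[{i}] duplicates id {r['id']}")
            seen_ids.add(r["id"])
    return problems


def rule_index(doc: dict) -> Dict[RuleKey, dict]:
    return {(r["operation"], r["application"]["type"], r["application"]["value"]): r
            for r in doc["policy"]["rules"]}


def missing_required_rules(candidate: dict, baseline: dict) -> List[RuleKey]:
    """Rules the baseline marks required that the candidate lacks or answers with a
    different action; a non-empty list means the candidate is weaker than the baseline."""
    cand = rule_index(candidate)
    return [k for k, r in rule_index(baseline).items()
            if r.get("required") and (k not in cand or cand[k]["action"] != r["action"])]


def sensor_setting_diff(a: dict, b: dict) -> Dict[str, Tuple[object, object]]:
    """Sensor settings whose values differ between two policies (None = absent)."""
    sa = {s["name"]: s["value"] for s in a["policy"].get("sensorSettings", [])}
    sb = {s["name"]: s["value"] for s in b["policy"].get("sensorSettings", [])}
    return {n: (sa.get(n), sb.get(n)) for n in sorted(set(sa) | set(sb))
            if sa.get(n) != sb.get(n)}


def _rule(rid, action, operation, app_type, value, required):
    return {"id": rid, "action": action, "operation": operation, "required": required,
            "application": {"type": app_type, "value": value}}


def _settings(**kw):
    return [{"name": k, "value": v} for k, v in kw.items()]


# Constructed, trimmed copies of the default and quarantine policies listed above.
DEFAULT_POLICY = {
    "name": "default", "description": "", "version": 2, "priorityLevel": "LOW",
    "policy": {
        "rules": [_rule(1, "DENY", "RUN", "REPUTATION", "KNOWN_MALWARE", True),
                  _rule(10, "DENY", "RUN", "NAME_PATH",
                        "%SystemDrive%\\Windows\\System32\\notepad2.exe", False)],
        "sensorSettings": _settings(BACKGROUND_SCAN="true", QUARANTINE_DEVICE="false",
                                    SCAN_NETWORK_DRIVE="true", CB_LIVE_RESPONSE="true")}}

QUARANTINE_POLICY = {
    "name": "quarantine", "description": "", "version": 2, "priorityLevel": "LOW",
    "policy": {
        "rules": [_rule(1, "DENY", "RUN", "REPUTATION", "KNOWN_MALWARE", True),
                  _rule(2, "DENY", "RUN", "REPUTATION", "COMPANY_BLACK_LIST", True),
                  _rule(3, "DENY", "NETWORK", "REPUTATION", "SUSPECT_MALWARE", False),
                  _rule(5, "ALLOW", "RUN", "REPUTATION", "RESOLVING", False)],
        "sensorSettings": _settings(BACKGROUND_SCAN="false", QUARANTINE_DEVICE="true",
                                    SCAN_NETWORK_DRIVE="false", CB_LIVE_RESPONSE="false")}}


def audit_default_against_quarantine() -> Dict[str, object]:
    """Validate the default policy and compare it with the quarantine policy."""
    return {"problems": validate_policy(DEFAULT_POLICY),
            "missing_required": missing_required_rules(DEFAULT_POLICY, QUARANTINE_POLICY),
            "setting_diff": sensor_setting_diff(DEFAULT_POLICY, QUARANTINE_POLICY)}
```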
    

Retrieve Policy by ID

GET /integrationServices/v3/policy/{id}

Retrieve a policy object by ID. The policy object includes the policy metadata, policy details, and associated rules for the policy.

  • Request (application/json)

    $ curl -H X-Auth-Token:ABCD/1234 \
    https://api.confer.net/integrationServices/v3/policy/32
    
  • Response 200 (application/json)

    {
      "policyInfo" : {
        "id" : 7049,
        "priorityLevel" : "LOW",
        "systemPolicy" : false,
        "latestRevision" : 1505155560455,
        "policy" : {
          "sensorSettings" : [ {
            "name" : "SHOW_UI",
            "value" : "true"
          }, {
            "name" : "BACKGROUND_SCAN",
            "value" : "true"
          }, {
            "name" : "POLICY_ACTION_OVERRIDE",
            "value" : "true"
          }, {
            "name" : "QUARANTINE_DEVICE_MESSAGE",
            "value" : "Your device has been quarantined by your computer administrator."
          }, {
            "name" : "LOGGING_LEVEL",
            "value" : "false"
          }, {
            "name" : "ALLOW_UNINSTALL",
            "value" : "true"
          }, {
            "name" : "QUARANTINE_DEVICE",
            "value" : "false"
          }, {
            "name" : "RATE_LIMIT",
            "value" : "0"
          }, {
            "name" : "CONNECTION_LIMIT",
            "value" : "0"
          }, {
            "name" : "QUEUE_SIZE",
            "value" : "100"
          }, {
            "name" : "LEARNING_MODE",
            "value" : "0"
          }, {
            "name" : "SCAN_NETWORK_DRIVE",
            "value" : "true"
          }, {
            "name" : "BYPASS_AFTER_LOGIN_MINS",
            "value" : "0"
          }, {
            "name" : "BYPASS_AFTER_RESTART_MINS",
            "value" : "0"
          }, {
            "name" : "SCAN_EXECUTE_ON_NETWORK_DRIVE",
            "value" : "true"
          }, {
            "name" : "DELAY_EXECUTE",
            "value" : "true"
          }, {
            "name" : "PRESERVE_SYSTEM_MEMORY_SCAN",
            "value" : "false"
          }, {
            "name" : "HASH_MD5",
            "value" : "false"
          }, {
            "name" : "SCAN_LARGE_FILE_READ",
            "value" : "false"
          }, {
            "name" : "SHOW_FULL_UI",
            "value" : "true"
          }, {
            "name" : "HELP_MESSAGE",
            "value" : "CarbonBlack"
          }, {
            "name" : "SECURITY_CENTER_OPT",
            "value" : "true"
          }, {
            "name" : "CB_LIVE_RESPONSE",
            "value" : "true"
          }, {
            "name" : "UNINSTALL_CODE",
            "value" : "false"
          } ],
          "avSettings" : {
            "updateServers" : {
              "servers" : [ {
                "flags" : 0,
                "regId" : null,
                "server" : [ "http://updates.cdc.carbonblack.io/update" ]
              } ],
              "serversForOffSiteDevices" : [ "http://updates.cdc.carbonblack.io/update" ]
            },
            "apc" : {
              "maxFileSize" : 4,
              "maxExeDelay" : 45,
              "riskLevel" : 4,
              "enabled" : false
            },
            "onAccessScan" : {
              "profile" : "NORMAL"
            },
            "features" : [ {
              "enabled" : false,
              "name" : "SIGNATURE_UPDATE"
            }, {
              "enabled" : true,
              "name" : "ONACCESS_SCAN"
            }, {
              "enabled" : true,
              "name" : "ONDEMAND_SCAN"
            } ],
            "onDemandScan" : {
              "profile" : "NORMAL",
              "scanCdDvd" : "AUTOSCAN",
              "scanUsb" : "AUTOSCAN",
              "schedule" : {
                "days" : null,
                "rangeHours" : 0,
                "startHour" : 0,
                "recoveryScanIfMissed" : true
              }
            },
            "signatureUpdate" : {
              "schedule" : {
                "intervalHours" : 2,
                "fullIntervalHours" : 0,
                "initialRandomDelayHours" : 4
              }
            }
          },
          "directoryActionRules" : [ {
            "actions" : {
              "FILE_UPLOAD" : false,
              "PROTECTION" : false
            },
            "path" : "C:\\FXCM\\**"
          }, {
            "actions" : {
              "FILE_UPLOAD" : true,
              "PROTECTION" : false
            },
            "path" : "sadf"
          }, {
            "actions" : {
              "FILE_UPLOAD" : true,
              "PROTECTION" : false
            },
            "path" : "/Users/**"
          } ],
          "rules" : [ {
            "id" : 1,
            "required" : true,
            "operation" : "RUN",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 2,
            "required" : true,
            "operation" : "RUN",
            "application" : {
              "value" : "COMPANY_BLACK_LIST",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 3,
            "required" : false,
            "operation" : "NETWORK",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 5,
            "required" : false,
            "operation" : "RANSOM",
            "application" : {
              "value" : "ADAPTIVE_WHITE_LIST",
              "type" : "REPUTATION"
            },
            "action" : "TERMINATE"
          }, {
            "id" : 4,
            "required" : false,
            "operation" : "RANSOM",
            "application" : {
              "value" : "**\\devenv.exe",
              "type" : "NAME_PATH"
            },
            "action" : "IGNORE"
          }, {
            "id" : 10,
            "required" : false,
            "operation" : "RUN",
            "application" : {
              "value" : "%SystemDrive%\\Windows\\System32\\notepad2.exe",
              "type" : "NAME_PATH"
            },
            "action" : "DENY"
          }, {
            "id" : 11,
            "required" : true,
            "operation" : "RANSOM",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 13,
            "required" : false,
            "operation" : "MEMORY_SCRAPE",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 14,
            "required" : false,
            "operation" : "CODE_INJECTION",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 15,
            "required" : false,
            "operation" : "RUN_INMEMORY_CODE",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 17,
            "required" : false,
            "operation" : "POL_INVOKE_NOT_TRUSTED",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 18,
            "required" : false,
            "operation" : "INVOKE_CMD_INTERPRETER",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 20,
            "required" : false,
            "operation" : "INVOKE_SCRIPT",
            "application" : {
              "value" : "KNOWN_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 22,
            "required" : false,
            "operation" : "RUN",
            "application" : {
              "value" : "RESOLVING",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 23,
            "required" : false,
            "operation" : "RUN",
            "application" : {
              "value" : "PUP",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 24,
            "required" : false,
            "operation" : "RUN",
            "application" : {
              "value" : "SUSPECT_MALWARE",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 25,
            "required" : false,
            "operation" : "NETWORK",
            "application" : {
              "value" : "ADAPTIVE_WHITE_LIST",
              "type" : "REPUTATION"
            },
            "action" : "DENY"
          }, {
            "id" : 26,
            "required" : false,
            "operation" : "INVOKE_SCRIPT",
            "application" : {
              "value" : "c:\\test\\**",
              "type" : "NAME_PATH"
            },
            "action" : "ALLOW"
          } ],
          "id" : -1
        },
        "version" : 2,
        "name" : "documentation test 2",
        "description" : "test policy for documentation"
      },
      "success" : true,
      "message" : "Success"
    }
    

Create New Policy

POST /integrationServices/v3/policy

Create a new Policy on the Cb Defense backend from a policy JSON string. At this time, there is no comprehensive reference to the options available in the Policy schema, so the best way to use this API is to extract the “policy” key from a policy object (retrieved via the “GET” method above) and use it as a template for the new policy.

The new policy must be wrapped in a JSON object named policyInfo. The policyInfo object must include the following keys:

  • description: A description of the policy (can be multiple lines)
  • name: A one-line name for the policy (shown in the UI)
  • version: Must be set to “2” for the current policy API
  • priorityLevel: HIGH, MEDIUM or LOW - the priority score associated with sensors assigned to this policy.
  • policy: the JSON object containing the policy details. See examples in the policy key from the policies in the GET request above.

  • Request (application/json)

    $ curl -X POST -H X-Auth-Token:ABCD/1234 -H Content-Type:application/json \
    https://api.confer.net/integrationServices/v3/policy -d @policy.txt
    

where the policy.txt file contains the following. Not every option shown here is necessarily available on your instance; retrieve an existing policy from your instance to see which keys and values it accepts.

  
{
    "policyInfo": {
        "description": "test policy for documentation",
        "name": "documentation test",
        "policy": {
            "avSettings": {
                "apc": {
                    "enabled": false,
                    "maxExeDelay": 45,
                    "maxFileSize": 4,
                    "riskLevel": 4
                },
                "features": [
                    {
                        "enabled": false,
                        "name": "SIGNATURE_UPDATE"
                    },
                    {
                        "enabled": true,
                        "name": "ONACCESS_SCAN"
                    },
                    {
                        "enabled": true,
                        "name": "ONDEMAND_SCAN"
                    }
                ],
                "onAccessScan": {
                    "profile": "NORMAL"
                },
                "onDemandScan": {
                    "profile": "NORMAL",
                    "scanCdDvd": "AUTOSCAN",
                    "scanUsb": "AUTOSCAN",
                    "schedule": {
                        "days": null,
                        "rangeHours": 0,
                        "recoveryScanIfMissed": true,
                        "startHour": 0
                    }
                },
                "signatureUpdate": {
                    "schedule": {
                        "fullIntervalHours": 0,
                        "initialRandomDelayHours": 4,
                        "intervalHours": 2
                    }
                },
                "updateServers": {
                    "servers": [
                        {
                            "flags": 0,
                            "regId": null,
                            "server": [
                                "http://updates.cdc.carbonblack.io/update"
                            ]
                        }
                    ],
                    "serversForOffSiteDevices": [
                        "http://updates.cdc.carbonblack.io/update"
                    ]
                }
            },
            "directoryActionRules": [
                {
                    "actions": {
                        "FILE_UPLOAD": false,
                        "PROTECTION": false
                    },
                    "path": "C:\\FXCM\\**"
                },
                {
                    "actions": {
                        "FILE_UPLOAD": true,
                        "PROTECTION": false
                    },
                    "path": "sadf"
                },
                {
                    "actions": {
                        "FILE_UPLOAD": true,
                        "PROTECTION": false
                    },
                    "path": "/Users/**"
                }
            ],
            "id": -1,
            "rules": [
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 1,
                    "operation": "RUN",
                    "required": true
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "COMPANY_BLACK_LIST"
                    },
                    "id": 2,
                    "operation": "RUN",
                    "required": true
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 3,
                    "operation": "NETWORK",
                    "required": false
                },
                {
                    "action": "TERMINATE",
                    "application": {
                        "type": "REPUTATION",
                        "value": "ADAPTIVE_WHITE_LIST"
                    },
                    "id": 5,
                    "operation": "RANSOM",
                    "required": false
                },
                {
                    "action": "IGNORE",
                    "application": {
                        "type": "NAME_PATH",
                        "value": "**\\devenv.exe"
                    },
                    "id": 4,
                    "operation": "RANSOM",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "NAME_PATH",
                        "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe"
                    },
                    "id": 10,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 11,
                    "operation": "RANSOM",
                    "required": true
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 13,
                    "operation": "MEMORY_SCRAPE",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 14,
                    "operation": "CODE_INJECTION",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 15,
                    "operation": "RUN_INMEMORY_CODE",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 17,
                    "operation": "POL_INVOKE_NOT_TRUSTED",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 18,
                    "operation": "INVOKE_CMD_INTERPRETER",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 20,
                    "operation": "INVOKE_SCRIPT",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "RESOLVING"
                    },
                    "id": 22,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "PUP"
                    },
                    "id": 23,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "SUSPECT_MALWARE"
                    },
                    "id": 24,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "ADAPTIVE_WHITE_LIST"
                    },
                    "id": 25,
                    "operation": "NETWORK",
                    "required": false
                },
                {
                    "action": "ALLOW",
                    "application": {
                        "type": "NAME_PATH",
                        "value": "c:\\test\\**"
                    },
                    "id": 26,
                    "operation": "INVOKE_SCRIPT",
                    "required": false
                }
            ],
            "sensorSettings": [
                {
                    "name": "SHOW_UI",
                    "value": "true"
                },
                {
                    "name": "BACKGROUND_SCAN",
                    "value": "true"
                },
                {
                    "name": "POLICY_ACTION_OVERRIDE",
                    "value": "true"
                },
                {
                    "name": "QUARANTINE_DEVICE_MESSAGE",
                    "value": "Your device has been quarantined by your computer administrator."
                },
                {
                    "name": "LOGGING_LEVEL",
                    "value": "false"
                },
                {
                    "name": "ALLOW_UNINSTALL",
                    "value": "true"
                },
                {
                    "name": "QUARANTINE_DEVICE",
                    "value": "false"
                },
                {
                    "name": "RATE_LIMIT",
                    "value": "0"
                },
                {
                    "name": "CONNECTION_LIMIT",
                    "value": "0"
                },
                {
                    "name": "QUEUE_SIZE",
                    "value": "100"
                },
                {
                    "name": "LEARNING_MODE",
                    "value": "0"
                },
                {
                    "name": "SCAN_NETWORK_DRIVE",
                    "value": "true"
                },
                {
                    "name": "BYPASS_AFTER_LOGIN_MINS",
                    "value": "0"
                },
                {
                    "name": "BYPASS_AFTER_RESTART_MINS",
                    "value": "0"
                },
                {
                    "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE",
                    "value": "true"
                },
                {
                    "name": "DELAY_EXECUTE",
                    "value": "true"
                },
                {
                    "name": "PRESERVE_SYSTEM_MEMORY_SCAN",
                    "value": "false"
                },
                {
                    "name": "HASH_MD5",
                    "value": "false"
                },
                {
                    "name": "SCAN_LARGE_FILE_READ",
                    "value": "false"
                },
                {
                    "name": "SHOW_FULL_UI",
                    "value": "true"
                },
                {
                    "name": "HELP_MESSAGE",
                    "value": "CarbonBlack"
                },
                {
                    "name": "SECURITY_CENTER_OPT",
                    "value": "true"
                },
                {
                    "name": "CB_LIVE_RESPONSE",
                    "value": "true"
                },
                {
                    "name": "UNINSTALL_CODE",
                    "value": "false"
                }
            ]
        },
        "priorityLevel": "LOW",
        "version": 2
    }
}

  • Response 200 (application/json)
    {
      "policyId" : 7047,
      "success" : true,
      "message" : "Success"
    }
    

Update Existing Policy

PUT /integrationServices/v3/policy/{id}

Replace an existing policy with the policy supplied in the request body. Because the request body carries the complete policy, the usual workflow is to retrieve the current policy with the GET method above, edit it, and send the edited object back.

The new policy must be wrapped in a JSON object named policyInfo. The policyInfo object must include the following keys:

  • description: A description of the policy (can be multiple lines)
  • name: A one-line name for the policy (shown in the UI)
  • version: Must be set to “2” for the current policy API
  • priorityLevel: HIGH, MEDIUM or LOW - the priority score associated with sensors assigned to this policy.
  • policy: the JSON object containing the policy details. See examples in the policy key from the policies in the GET request above.
  • id: The ID of the policy to replace. This ID must match the ID in the request URL.

  • Request (application/json)

    $ curl -X PUT -H X-Auth-Token:ABCD/1234 -H Content-Type:application/json \
    https://api.confer.net/integrationServices/v3/policy/7049 -d @policy.txt
    

where the policy.txt file contains the following. Not every option shown here is necessarily available on your instance; retrieve an existing policy from your instance to see which keys and values it accepts.

  
{
    "policyInfo": {
        "description": "test policy for documentation",
        "name": "documentation test",
        "id": 7049,
        "policy": {
            "avSettings": {
                "apc": {
                    "enabled": false,
                    "maxExeDelay": 45,
                    "maxFileSize": 4,
                    "riskLevel": 4
                },
                "features": [
                    {
                        "enabled": false,
                        "name": "SIGNATURE_UPDATE"
                    },
                    {
                        "enabled": true,
                        "name": "ONACCESS_SCAN"
                    },
                    {
                        "enabled": true,
                        "name": "ONDEMAND_SCAN"
                    }
                ],
                "onAccessScan": {
                    "profile": "NORMAL"
                },
                "onDemandScan": {
                    "profile": "NORMAL",
                    "scanCdDvd": "AUTOSCAN",
                    "scanUsb": "AUTOSCAN",
                    "schedule": {
                        "days": null,
                        "rangeHours": 0,
                        "recoveryScanIfMissed": true,
                        "startHour": 0
                    }
                },
                "signatureUpdate": {
                    "schedule": {
                        "fullIntervalHours": 0,
                        "initialRandomDelayHours": 4,
                        "intervalHours": 2
                    }
                },
                "updateServers": {
                    "servers": [
                        {
                            "flags": 0,
                            "regId": null,
                            "server": [
                                "http://updates.cdc.carbonblack.io/update"
                            ]
                        }
                    ],
                    "serversForOffSiteDevices": [
                        "http://updates.cdc.carbonblack.io/update"
                    ]
                }
            },
            "directoryActionRules": [
                {
                    "actions": {
                        "FILE_UPLOAD": false,
                        "PROTECTION": false
                    },
                    "path": "C:\\FXCM\\**"
                },
                {
                    "actions": {
                        "FILE_UPLOAD": true,
                        "PROTECTION": false
                    },
                    "path": "sadf"
                },
                {
                    "actions": {
                        "FILE_UPLOAD": true,
                        "PROTECTION": false
                    },
                    "path": "/Users/**"
                }
            ],
            "id": -1,
            "rules": [
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 1,
                    "operation": "RUN",
                    "required": true
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "COMPANY_BLACK_LIST"
                    },
                    "id": 2,
                    "operation": "RUN",
                    "required": true
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 3,
                    "operation": "NETWORK",
                    "required": false
                },
                {
                    "action": "TERMINATE",
                    "application": {
                        "type": "REPUTATION",
                        "value": "ADAPTIVE_WHITE_LIST"
                    },
                    "id": 5,
                    "operation": "RANSOM",
                    "required": false
                },
                {
                    "action": "IGNORE",
                    "application": {
                        "type": "NAME_PATH",
                        "value": "**\\devenv.exe"
                    },
                    "id": 4,
                    "operation": "RANSOM",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "NAME_PATH",
                        "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe"
                    },
                    "id": 10,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 11,
                    "operation": "RANSOM",
                    "required": true
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 13,
                    "operation": "MEMORY_SCRAPE",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 14,
                    "operation": "CODE_INJECTION",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 15,
                    "operation": "RUN_INMEMORY_CODE",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 17,
                    "operation": "POL_INVOKE_NOT_TRUSTED",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 18,
                    "operation": "INVOKE_CMD_INTERPRETER",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "KNOWN_MALWARE"
                    },
                    "id": 20,
                    "operation": "INVOKE_SCRIPT",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "RESOLVING"
                    },
                    "id": 22,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "PUP"
                    },
                    "id": 23,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "SUSPECT_MALWARE"
                    },
                    "id": 24,
                    "operation": "RUN",
                    "required": false
                },
                {
                    "action": "DENY",
                    "application": {
                        "type": "REPUTATION",
                        "value": "ADAPTIVE_WHITE_LIST"
                    },
                    "id": 25,
                    "operation": "NETWORK",
                    "required": false
                },
                {
                    "action": "ALLOW",
                    "application": {
                        "type": "NAME_PATH",
                        "value": "c:\\test\\**"
                    },
                    "id": 26,
                    "operation": "INVOKE_SCRIPT",
                    "required": false
                }
            ],
            "sensorSettings": [
                {
                    "name": "SHOW_UI",
                    "value": "true"
                },
                {
                    "name": "BACKGROUND_SCAN",
                    "value": "true"
                },
                {
                    "name": "POLICY_ACTION_OVERRIDE",
                    "value": "true"
                },
                {
                    "name": "QUARANTINE_DEVICE_MESSAGE",
                    "value": "Your device has been quarantined by your computer administrator."
                },
                {
                    "name": "LOGGING_LEVEL",
                    "value": "false"
                },
                {
                    "name": "ALLOW_UNINSTALL",
                    "value": "true"
                },
                {
                    "name": "QUARANTINE_DEVICE",
                    "value": "false"
                },
                {
                    "name": "RATE_LIMIT",
                    "value": "0"
                },
                {
                    "name": "CONNECTION_LIMIT",
                    "value": "0"
                },
                {
                    "name": "QUEUE_SIZE",
                    "value": "100"
                },
                {
                    "name": "LEARNING_MODE",
                    "value": "0"
                },
                {
                    "name": "SCAN_NETWORK_DRIVE",
                    "value": "true"
                },
                {
                    "name": "BYPASS_AFTER_LOGIN_MINS",
                    "value": "0"
                },
                {
                    "name": "BYPASS_AFTER_RESTART_MINS",
                    "value": "0"
                },
                {
                    "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE",
                    "value": "true"
                },
                {
                    "name": "DELAY_EXECUTE",
                    "value": "true"
                },
                {
                    "name": "PRESERVE_SYSTEM_MEMORY_SCAN",
                    "value": "false"
                },
                {
                    "name": "HASH_MD5",
                    "value": "false"
                },
                {
                    "name": "SCAN_LARGE_FILE_READ",
                    "value": "false"
                },
                {
                    "name": "SHOW_FULL_UI",
                    "value": "true"
                },
                {
                    "name": "HELP_MESSAGE",
                    "value": "CarbonBlack"
                },
                {
                    "name": "SECURITY_CENTER_OPT",
                    "value": "true"
                },
                {
                    "name": "CB_LIVE_RESPONSE",
                    "value": "true"
                },
                {
                    "name": "UNINSTALL_CODE",
                    "value": "false"
                }
            ]
        },
        "priorityLevel": "LOW",
        "version": 2
    }
}
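
The Python script below is added here as an illustration; it is not part of the Cb Defense reference and not Carbon Black code. It shows the workflow the Create New Policy and Update Existing Policy sections describe: take the policy key from a GET response as the template, wrap it in a policyInfo object, check the documented required keys (name, description, version 2, priorityLevel, policy) before anything is sent, and, for the PUT, confirm that the id in the body is the id in the URL. The embedded GET response is a constructed, trimmed sample (a real policy carries the full avSettings, directoryActionRules and sensorSettings shown above); api.confer.net and ABCD/1234 are the placeholder host and token used throughout this reference; validate_policy_info, clone_for_create, prepare_update, policy_request and send are names chosen for this example. Only the standard library is used, and no request leaves the machine unless send() is called.

```python
import json
import urllib.request

# Constructed sample of a GET /integrationServices/v3/policy/{id} response, trimmed to the keys
# this example touches; a real policy carries the full avSettings/sensorSettings shown above.
SAMPLE_GET_RESPONSE = {
    "policyInfo": {
        "id": 7049, "name": "documentation test 2", "version": 2, "priorityLevel": "LOW",
        "description": "test policy for documentation",
        "policy": {
            "id": -1,
            "avSettings": {"apc": {"enabled": False}},
            "directoryActionRules": [],
            "rules": [{"id": 1, "required": True, "operation": "RUN", "action": "DENY",
                       "application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"}}],
            "sensorSettings": [{"name": "ALLOW_UNINSTALL", "value": "true"}],
        },
    },
    "success": True, "message": "Success",
}

REQUIRED_KEYS = ("description", "name", "version", "priorityLevel", "policy")
PRIORITY_LEVELS = ("HIGH", "MEDIUM", "LOW")


def validate_policy_info(info, expected_id=None):
    """Check a policyInfo object against the documented requirements; for a PUT, expected_id
    is the {id} from the URL and must equal info["id"]. Raises ValueError on the first problem."""
    missing = [k for k in REQUIRED_KEYS if k not in info]
    if missing:
        raise ValueError("policyInfo is missing keys: " + ", ".join(missing))
    if info["version"] != 2:
        raise ValueError("version must be 2 for the current policy API")
    if info["priorityLevel"] not in PRIORITY_LEVELS:
        raise ValueError("priorityLevel must be one of " + ", ".join(PRIORITY_LEVELS))
    if not isinstance(info["policy"], dict) or not isinstance(info["policy"].get("rules"), list):
        raise ValueError("policy must be an object containing a rules array")
    if expected_id is not None and info.get("id") != expected_id:
        raise ValueError("policyInfo.id %r does not match the URL id %r" % (info.get("id"), expected_id))
    return info


def clone_for_create(get_response, name, description, priority_level):
    """Build the POST body for Create New Policy from a GET response used as a template.
    Only the "policy" key is reused; the template's id is not copied (the backend assigns one)."""
    template = get_response["policyInfo"]["policy"]
    info = {"name": name, "description": description, "priorityLevel": priority_level,
            "version": 2, "policy": json.loads(json.dumps(template))}  # deep copy
    return {"policyInfo": validate_policy_info(info)}


def prepare_update(get_response, policy_id, mutate):
    """Build the PUT body for Update Existing Policy as a read-modify-write. The PUT body
    carries the complete policy, so everything that should survive must be present;
    mutate(policy) edits a deep copy of the "policy" object in place."""
    src = get_response["policyInfo"]
    if src.get("id") != policy_id:
        raise ValueError("fetched policy %r is not the one being updated (%r)" % (src.get("id"), policy_id))
    info = json.loads(json.dumps(src))
    info["version"] = 2
    mutate(info["policy"])
    return {"policyInfo": validate_policy_info(info, expected_id=policy_id)}


def policy_request(api_host, token, body, policy_id=None):
    """Build, without sending, the POST (create) or, when policy_id is given, PUT (update) request."""
    url = "https://%s/integrationServices/v3/policy" % api_host
    method = "POST"
    if policy_id is not None:
        url += "/%d" % policy_id
        method = "PUT"
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method=method)


def send(request):
    """Send a prepared request and decode the JSON reply (needs network access and a real token)."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


if __name__ == "__main__":
    create_body = clone_for_create(SAMPLE_GET_RESPONSE, "cloned policy", "built from a template", "MEDIUM")
    deny_pup_network = lambda policy: policy["rules"].append(
        {"required": False, "operation": "NETWORK", "action": "DENY",
         "application": {"type": "REPUTATION", "value": "PUP"}})
    update_body = prepare_update(SAMPLE_GET_RESPONSE, 7049, deny_pup_network)
    for req in (policy_request("api.confer.net", "ABCD/1234", create_body),
                policy_request("api.confer.net", "ABCD/1234", update_body, policy_id=7049)):
        print(req.get_method(), req.full_url, len(req.data), "bytes")
```

The deep copy in clone_for_create and prepare_update matters when the same GET response is used as a template more than once: without it, a rule appended for one update would silently appear in the next body built from the same object. To actually create or update, replace the print loop with send(req) and read policyId (for POST) or success (for PUT) from the reply, as shown in the Response 200 examples above.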

Delete Policy

DELETE /integrationServices/v3/policy/{id}

Delete a policy from the Cb Defense backend. This API may return an error if devices are still assigned to the policy ID requested for deletion; move those devices to another policy before deleting it.

  • Request (application/json)

    $ curl -X DELETE -H X-Auth-Token:ABCD/1234  \
    https://api.confer.net/integrationServices/v3/policy/7047
    
  • Response 200 (application/json)

    {
      "success" : true,
      "message" : "Success"
    }
    

Add Rule to Existing Policy

POST /integrationServices/v3/policy/{id}/rule

Add a new rule to an existing policy. Wrap the new rule definition in a JSON object under the key ruleInfo. The response returns the ruleId the backend assigned to the rule; use that value as the rule_id path parameter when updating or removing the rule later.

  • Request (application/json)

    $ curl -X POST -H X-Auth-Token:ABCD/1234 -H Content-Type:application/json \
    https://api.confer.net/integrationServices/v3/policy/7049/rule \
    -d '{"ruleInfo": {"action": "DENY", "application": {"type": "REPUTATION", "value": "COMPANY_BLACK_LIST"}, "operation": "RANSOM", "required": true, "id": 1}}'
    
  • Response 200 (application/json)

    {
      "ruleId" : 29,
      "success" : true,
      "message" : "Success"
    }
    

Remove Rule from Existing Policy

DELETE /integrationServices/v3/policy/{id}/rule/{rule_id}

Remove a rule from an existing policy. The rule_id is the ruleId returned when the rule was added, or the id shown for the rule in the policy's rules array.

  • Request (application/json)

    $ curl -X DELETE -H X-Auth-Token:ABCD/1234 -H Content-Type:application/json \
    https://api.confer.net/integrationServices/v3/policy/7049/rule/29
    
  • Response 200 (application/json)

    {
      "success" : true,
      "message" : "Success"
    }
    

Update Existing Rule

PUT /integrationServices/v3/policy/{id}/rule/{rule_id}

Replace an existing rule with the rule supplied in the request body. The rule_id in the URL must match the id included in the ruleInfo payload passed to this API.

  • Request (application/json)

    $ curl -X PUT -H X-Auth-Token:ABCD/1234 -H Content-Type:application/json \
    https://api.confer.net/integrationServices/v3/policy/7049/rule/32 \
    -d '{"ruleInfo": {"action": "DENY", "application": {"type": "REPUTATION", "value": "COMPANY_BLACK_LIST"}, "operation": "RANSOM", "required": false, "id": 32}}'
    
  • Response 200 (application/json)

    {
      "success" : true,
      "message" : "Success"
    }
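
The three rule endpoints above (add, remove, update) share one URL shape and one ruleInfo payload, and the update call requires the rule_id in the URL to agree with the id inside ruleInfo. The script below is added here as an illustration; it is not part of the Cb Defense reference and not Carbon Black code. It builds all three requests from one helper and checks a ruleInfo object before it is sent. The lists of actions (DENY, TERMINATE, IGNORE, ALLOW) and application types (REPUTATION, NAME_PATH) are only the values that appear in the rule examples of this reference and may be incomplete for your instance; validate_rule_info, rule_request and send are names chosen for this example, and api.confer.net and ABCD/1234 are the placeholder host and token used throughout. Nothing is sent unless send() is called.

```python
import json
import urllib.request

# Values seen in the rule examples of this reference; an instance may accept more
# (retrieve a policy from your instance to see what it uses).
RULE_ACTIONS = ("DENY", "TERMINATE", "IGNORE", "ALLOW")
APPLICATION_TYPES = ("REPUTATION", "NAME_PATH")


def validate_rule_info(rule, rule_id=None):
    """Check a ruleInfo object; for a PUT, rule_id is the {rule_id} from the URL and must equal rule["id"]."""
    for key in ("action", "operation", "application", "required"):
        if key not in rule:
            raise ValueError("ruleInfo is missing key: " + key)
    if rule["action"] not in RULE_ACTIONS:
        raise ValueError("unknown action %r" % (rule["action"],))
    app = rule["application"]
    if not isinstance(app, dict) or app.get("type") not in APPLICATION_TYPES or not app.get("value"):
        raise ValueError("application needs a type in %s and a non-empty value" % (APPLICATION_TYPES,))
    if not isinstance(rule["required"], bool):
        raise ValueError("required must be a JSON boolean")
    if rule_id is not None and rule.get("id") != rule_id:
        raise ValueError("ruleInfo.id %r does not match the URL rule_id %r" % (rule.get("id"), rule_id))
    return rule


def rule_request(api_host, token, policy_id, method, rule=None, rule_id=None):
    """Build, without sending, one of the three rule requests for policy {policy_id}:
    POST adds `rule`, PUT replaces rule {rule_id} with `rule`, DELETE removes rule {rule_id}."""
    if method not in ("POST", "PUT", "DELETE"):
        raise ValueError("unsupported method %r" % (method,))
    url = "https://%s/integrationServices/v3/policy/%d/rule" % (api_host, policy_id)
    headers = {"X-Auth-Token": token}
    data = None
    if method != "POST":
        if rule_id is None:
            raise ValueError(method + " needs a rule_id")
        url += "/%d" % rule_id
    if method != "DELETE":
        if rule is None:
            raise ValueError(method + " needs a rule")
        validate_rule_info(rule, rule_id if method == "PUT" else None)
        headers["Content-Type"] = "application/json"
        data = json.dumps({"ruleInfo": rule}).encode("utf-8")
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def send(request):
    """Send a prepared request and decode the JSON reply (needs network access and a real token)."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


if __name__ == "__main__":
    deny_blacklist_ransom = {"action": "DENY", "required": True, "operation": "RANSOM",
                             "application": {"type": "REPUTATION", "value": "COMPANY_BLACK_LIST"}}
    add = rule_request("api.confer.net", "ABCD/1234", 7049, "POST", rule=deny_blacklist_ransom)
    # rule_id = send(add)["ruleId"]   # the backend assigns the id; 32 below stands in for it
    relaxed = dict(deny_blacklist_ransom, required=False, id=32)
    upd = rule_request("api.confer.net", "ABCD/1234", 7049, "PUT", rule=relaxed, rule_id=32)
    rm = rule_request("api.confer.net", "ABCD/1234", 7049, "DELETE", rule_id=32)
    for req in (add, upd, rm):
        print(req.get_method(), req.full_url)
```

For a PUT, the id to place in ruleInfo is the ruleId returned when the rule was added; building the body from that value and passing the same value as rule_id keeps the two from drifting apart, which validate_rule_info would otherwise reject before the request is sent.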
    

Last modified on June 26, 2018