EDR APIs & Integrations
Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
The core strength of Carbon Black EDR is its always-on recording of activity from all monitored endpoints. This of course generates a vast amount of data – which the EDR server does an admirable job visualizing in its user interface. However, there are cases where a point-and-click user interface just doesn’t cut it. Perhaps you’d like to perform an analysis to see how many endpoints launched Office products in the past week. Or maybe you’d like to find those three machines still running a vulnerable version of the Java runtime. For others, you’d like to automatically collect the contents of any batch script that’s written to disk.
These use cases can be accomplished simply and easily by using the Application Programming Interfaces (APIs) built into EDR. Everything you can do in the user interface, and more, can be accomplished programmatically through web-based APIs.
Integrations and Connectors
We have a variety of integrations for connecting your EDR instance to other applications.
Release Notes - EDR 7.7
There are new features and API routes in EDR 7.7.
- Live Query API
- API Payload Validation - all create (POST) and update (PUT) API request payloads are validated against the expected model schemas.
- New APIs for Approving IP routes
- Bulk add new IP addresses
- The Apply Settings feature is no longer needed
- Process Events have a new field, `block_type`, that identifies network connections attempted by an endpoint while it was isolated from the EDR console.
- Objectionable terminology has been removed from API URLs; neutral terms such as `bannedlist` are used throughout the product.
There are four major classes of APIs provided by Carbon Black EDR:
The REST API lets you query information about every process, binary, sensor, and threat intelligence hit stored in EDR. Begin with the Quick Start Guide.
The REST API is available in the EDR Server versions 3.0 and above. The reference documentation describes the APIs available in the EDR Server version 7.7. Information on earlier versions is below.
EDR Live Query exposes an operating system as a high-performance relational database, which enables you to write SQL-based queries that explore operating system data. These queries allow you to gain a better understanding of your environment, analyze security vulnerabilities, and identify anomalies like unencrypted disks or processes running without a binary on disk.
Live Query is based on osquery, which is an open-source project that uses a SQLite interface.
The Live Query API is available in EDR Server versions 7.7 and above.
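The anomalies mentioned above, written as osquery SQL of the kind a Live Query run would execute. This is an added example, not from the page or the product documentation; it assumes the standard osquery schema tables `processes`, `disk_encryption` (macOS/Linux) and `bitlocker_info` (Windows).

```sql
-- Running processes whose executable no longer exists on disk.
-- on_disk: 1 = path exists, 0 = path missing, -1 = unknown.
-- A deleted-after-launch binary is a common memory-resident evasion pattern,
-- so these rows are worth triage (and hashing is impossible, since the file is gone).
SELECT pid, parent, uid, name, path, cmdline, start_time
FROM processes
WHERE on_disk = 0;

-- macOS / Linux volumes that are not encrypted (FileVault / LUKS status).
SELECT name, uuid, type, encrypted, encryption_status
FROM disk_encryption
WHERE encrypted = 0;

-- Windows volumes with BitLocker protection off.
-- protection_status: 0 = protection off, 1 = on, 2 = unknown.
SELECT drive_letter, conversion_status, protection_status,
       encryption_method, percentage_encrypted
FROM bitlocker_info
WHERE protection_status = 0;
```

Run each statement against the matching platform only; osquery returns an error for a table that does not exist on the endpoint's operating system.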
The EDR Live Response feature allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files; retrieve and remove registry entries; dump the contents of physical memory; and execute and terminate processes.
The Live Response API is available in the EDR Server versions 5.0 and above.
The EDR Message Bus API provides a “push” interface for all events collected or generated by the product. These events can be exported over the message bus and delivered to your application. Uses of the message bus range from pushing data into a SIEM and custom analytics all the way to building entire managed security service offerings on the EDR dataset.
The Message Bus API is available in the EDR Server versions 4.2 and above.
Using the APIs
You will find detailed reference documentation for each of the APIs in this section. We also provide example client bindings and scripts for reference purposes. Both the bindings and example scripts are implemented in Python.
Python CbAPI is a Python library that makes the APIs easier to use.
In addition, customers have created alternative bindings for other languages as well:
- Elixir language bindings - REST API, Streaming API (Author: Redvers Davies)
| Document | First EDR Version |
| --- | --- |
| Event Forwarder Configuration API | EDR 7.1x |
| Ingress Filter | EDR 7.7+ |
| Live Query API | EDR 7.7x |
| Live Response API | EDR 6.3x |
| REST API | EDR 7.5x |
| REST API | EDR 6.3x |
| REST API | EDR 6.0 - 6.2x |
| Live Response API | EDR 6.0 - 6.2x |
| Process API Changes | EDR 6.0 - 6.2x |
| Command Line Query Changes | EDR 6.0 - 6.2x |
| Ingress Filter | EDR 6.0 - 7.6 |
| REST API | EDR 5.x |
| Live Response API | EDR 5.x |
| Threat Intelligence Feeds | EDR 5.x |
| Message Bus API | EDR 5.x |