Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
The core strength of Carbon Black EDR is its always-on recording of activity from all monitored endpoints. This of course generates a vast amount of data – which the EDR server does an admirable job visualizing in its user interface. However, there are cases where a point-and-click user interface just doesn’t cut it. Perhaps you’d like to perform an analysis to see how many endpoints launched Office products in the past week. Or maybe you’d like to find those three machines still running a vulnerable version of the Java runtime. For others, you’d like to automatically collect the contents of any batch script that’s written to disk.
These use cases can be accomplished simply & easily by using the Application Programming Interfaces (APIs) built into EDR. Everything you can do in the user interface and more can be accomplished programmatically through web-based APIs.
The following connectors are supported for EDR:
View all connectors and integrations here.
There are four major classes of APIs provided by Carbon Black:
Query the information about every process, binary, sensor and threat intelligence hit stored in EDR.
The REST API is available in the EDR Server versions 3.0 and above. The reference documentation describes the APIs available in the EDR Server version 6.1.
Several new features were added or changed in 6.1. For more information on these changes, see the following pages:
Feeds allow Carbon Black servers to use freely available threat intelligence, proprietary customer threat data, and provides a mechanism to feed threat indicators from on-premise analytic sources to Carbon Black for verification, detection, visibility and analysis.
The Feed API is available in the EDR Server versions 4.0 and above.
The EDR Live Response feature allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.
The Live Response API is available in the EDR Server versions 5.0 and above.
The EDR Message Bus API provides a “push” interface for all events collected or generated by the product. These events can be exported over the message bus and delivered to your application. Example uses of the message bus include pushing data into a SIEM, custom analytics, all the way to building entire Managed Security providers from the EDR dataset.
The Message Bus API is available in the EDR Server versions 4.2 and above.
You will find detailed reference documentation for each of the APIs in this section. We also provide example client bindings and scripts for reference purposes. Both the bindings and example scripts are implemented in Python and C#.
In addition, customers have created alternative bindings for other languages as well:
Here is a list of all documents available, broken down by EDR versions.