Getting Started with CB Response

The core strength of CB Response is its always-on recording of activity from all monitored endpoints. This of course generates a vast amount of data – which the CB Enterprise Response server does an admirable job visualizing in its user interface. However, there are cases where a point-and-click user interface just doesn’t cut it. Perhaps you’d like to perform an analysis to see how many endpoints launched Office products in the past week. Or maybe you’d like to find those three machines still running a vulnerable version of the Java runtime. For others, you’d like to automatically collect the contents of any batch script that’s written to disk.

These use cases can be accomplished simply & easily by using the Application Programming Interfaces (APIs) built into CB Response. Everything you can do in the user interface–and much more–can be accomplished programmatically through Carbon Black’s web-based APIs. Carbon Black is committed to open standards and open source; to demonstrate that commitment, we publish full documentation here on the Developer Network website and sample code for all our product APIs to our GitHub repository.

The APIs

There are four major classes of APIs provided by Carbon Black:


    Query the information about every process, binary, sensor and threat intelligence hit stored in CB Response.

    The REST API is available in CB Response Server versions 3.0 and above. The reference documentation describes the APIs available in CB Response Server version 6.1.

    Several new features were added or changed in 6.1. For more information on these changes, see the following pages:

  • Threat Intelligence Feed API

    Feeds allow Carbon Black servers to use freely available threat intelligence, proprietary customer threat data, and provides a mechanism to feed threat indicators from on-premise analytic sources to Carbon Black for verification, detection, visibility and analysis.

    The Feed API is available in CB Response Server versions 4.0 and above.

  • Live Response API

    The CB Response Live Response feature allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.

    The Live Response API is available in CB Response Server versions 5.0 and above.

  • Streaming Message Bus API**

    The CB Response Message Bus API provides a “push” interface for all events collected or generated by the product. These events can be exported over the message bus and delivered to your application. Example uses of the message bus include pushing data into a SIEM, custom analytics, all the way to building entire Managed Security providers from the CB Response dataset.

    The Message Bus API is available in CB Response Server versions 4.2 and above.

Using the APIs

You will find detailed reference documentation for each of the APIs in this section. We also provide example client bindings and scripts for reference purposes. Both the bindings and example scripts are implemented in Python and C#.

In addition, customers have created alternative bindings for other languages as well:

All Documents

Here is a list of all documents available, broken down by CB Response versions.

Version Agnostic

CB Response 6.3x

CB Response 6.0 - 6.2x

CB Response 5.x

Last modified on June 22, 2017