EDR APIs & Integrations

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

The core strength of Carbon Black EDR is its always-on recording of activity from all monitored endpoints. This of course generates a vast amount of data – which the EDR server does an admirable job visualizing in its user interface. However, there are cases where a point-and-click user interface just doesn’t cut it. Perhaps you’d like to perform an analysis to see how many endpoints launched Office products in the past week. Or maybe you’d like to find those three machines still running a vulnerable version of the Java runtime. For others, you’d like to automatically collect the contents of any batch script that’s written to disk.

These use cases can be accomplished simply & easily by using the Application Programming Interfaces (APIs) built into EDR. Everything you can do in the user interface and more can be accomplished programmatically through web-based APIs.

Integrations and Connectors

We have a variety of integrations for connecting your EDR instance to other applications.

Release Notes - EDR 7.8

  • Enhancement to allow PUT calls for watchlist to update the search_query as well as description, name, enable fields update. See more detail in the Update a Watchlist API Reference.

Release Notes - EDR 7.7

There are new features and api routes in EDR 7.7.

  • Live Query API
  • API Payload Validation - validation of all payload tagged create (POST) and update (PUT) API requests against expected model schemas.
  • New APIs for Approving IP routes
    • Bulk add new IP addresses
    • Apply settings feature is no longer needed
  • Process Events have a new field of block_type to identify when Netconns that were attempted by an endpoint that has been isolated from the EDR console.
  • Objectionable terminology has been removed from API URLs. approvedlist and bannedlist are used throughout the product.


There are four major classes of APIs provided by Carbon Black EDR:


    Query the information about every process, binary, sensor and threat intelligence hit stored in EDR. Begin with the Quick Start Guide

    The REST API is available in the EDR Server versions 3.0 and above. The reference documentation describes the APIs available in the EDR Server version 7.7. Information on earlier versions is below.

  • Live Query API

    EDR Live Query exposes an operating system as a high-performance relational database, which enables you to write SQL-based queries that explore operating system data. These queries allow you to gain a better understanding of your environment, analyze security vulnerabilities, and identify anomalies like unencrypted disks or processes running without a binary on disk.

    Live Query is based on osquery, which is an open-source project that uses a SQLite interface.

    The Live Query API is available in EDR Server versions 7.7 and above.

  • Live Response API

    The EDR Live Response feature allows security operators to collect information and take action on remote endpoints in real time. These actions include the ability to upload, download, and remove files, retrieve and remove registry entries, dump contents of physical memory, execute and terminate processes.

    The Live Response API is available in the EDR Server versions 5.0 and above.

  • Streaming Message Bus API

    The EDR Message Bus API provides a “push” interface for all events collected or generated by the product. These events can be exported over the message bus and delivered to your application. Example uses of the message bus include pushing data into a SIEM, custom analytics, all the way to building entire Managed Security providers from the EDR dataset.

    The Message Bus API is available in the EDR Server versions 4.2 and above.

Using the APIs

You will find detailed reference documentation for each of the APIs in this section. We also provide example client bindings and scripts for reference purposes. Both the bindings and example scripts are implemented in Python.

Python CbAPI

Python CbAPI is a python library which makes the APIs easier to use.

In addition, customers have created alternative bindings for other languages as well:

All Documents


Document First EDR Version
Event Forwarder Configuration API EDR 7.1x
Ingress Filter EDR 7.7+
Live Query API EDR 7.7x
Live Response API EDR 6.3x

Version Agnostic


Document EDR Version
REST API EDR 6.0 - 6.2x
Live Response API EDR 6.0 - 6.2x
Process API Changes EDR 6.0 - 6.2x
Command Line Query Changes EDR 6.0 - 6.2x
Ingress Filter EDR 6.0 - 7.6
Live Response API EDR 5.x
Threat Intelligence Feeds EDR 5.x
Message Bus API EDR 5.x

Last modified on August 15, 2023