REST API Authentication

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

Each EDR user has a personal API key. That API key confers all rights and capabilities assigned to that user to anyone possessing the API key. Therefore, treat your API key as you would your password. If the API Token is missing or compromised, you can reset the API key to generate a new token and revoke any previous API keys issued to a user.

To find a API key corresponding with a particular Carbon Black user account, log into the console as that user, then click the username in the upper right -> Profile info.

Then, click the “API Token” button on the left hand side to reveal the API token for the logged-in user. If there is no API token displayed, click the “Reset” button to create a new one.

API Request

For an API request to the CB EDR server, add this key to a custom HTTP Request Header X-Auth-Token.

For example, to get the summary information for a binary with MD5 6D778E0F95447E6546553EEEA709D03C:

$ curl -H 'X-Auth-Token:15dd7c486d81899f64643d6618c47a4e5ccc5c01' -k
  "digsig_result": "Signed",
  "observed_filename": [
  "product_version": "5.1.2600.5512",
  "signed": "Signed",
  "digsig_sign_time": "2008-04-14T09:07:00Z",
  "orig_mod_len": 389120,
  "is_executable_image": true,
  "is_64bit": false,
  "digsig_publisher": "Microsoft Corporation",
  "file_version": "5.1.2600.5512 (xpsp.080413-2111)",
  "company_name": "Microsoft Corporation",
  "internal_name": "cmd",
  "_version_": 1457126999526998016,
  "product_name": "Microsoft\u00c2\u00ae Windows\u00c2\u00ae Operating System",
  "digsig_result_code": "0",
  "timestamp": "2014-01-13T14:49:55.189Z",
  "copied_mod_len": 389120,
  "server_added_timestamp": "2014-01-13T14:49:55.189Z",
  "md5": "6D778E0F95447E6546553EEEA709D03C",
  "legal_copyright": "\u00c2\u00a9 Microsoft Corporation. All rights reserved.",
  "original_filename": "Cmd.Exe",
  "file_desc": "Windows Command Processor"

Last modified on May 5, 2020