Guides
Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
Just Starting Out
Our API Bindings are written in Python 2. We recommend learning the basics of python before continuing. Python is very easy to learn. Here are some resources to help get you started.
I know basic Python, now what? Learn by example
- Our Quickstart guide is a great place to start for anyone. If you want to get your feet wet with our REST API, definitely check this out first. It will walk through the basics of what you need to work with our REST API.
- We recommend taking a look at our EDR Python API (CbAPI) and the list of example scripts. Likely, there will be an existing script that already matches your use case.
- Development Environment Setup: set up your Python development environment.
- Need to generate reports? Our incident reporting script is a good example of how to accomplish this use case, while also being a good example of using the EDR REST APIs.
Learn from our Integrations
At Carbon Black we firmly believe in open APIs and code sharing. We try to open source all of our integrations so others can learn from and modify our code to fit their specific use case. Here is a list of our open source integrations:

Integration | Description |
---|---|
CbAPI - Python | Python API |
EDR App for Splunk | Splunk App |
Event Forwarder Connector/API | Forward Events |

Advanced Use Cases
Need something more advanced, or something that requires talking to the EDR Messaging Bus? The Event Forwarder forwards events into a SIEM or custom framework using the EDR Messaging Bus; its source code is valuable for learning how to interface with the Messaging Bus elegantly and efficiently. If you are doing something that can't easily be mapped onto one of our integrations or example scripts, we'd love to hear about it. Feel free to contact us.
Error Management
EDR has a number of processes, or tasks, that execute in the background, including a periodic cron job that ensures all threat intelligence feeds are in sync with their source. Errors can occur in these tasks, for example, if a custom feed cannot be parsed. EDR version 7.5.0 stores these errors in the database and retains them for 30 days. You can view and manage these errors from a widget in the HUD page of the EDR console.
To retrieve the error information programmatically, use the cbtaskerr command-line utility: log in to your EDR server (the master if you have a cluster) and execute `/usr/share/cb/cbtaskerr`. Each error is printed to the terminal as a separate JSON object.
Example:

```json
{
  "error_text": "Error during synchronization of feed somename(23): bad query field: '#47'",
  "task_name": "FeedSynchronizer",
  "task_type": "Task",
  "timestamp": "2020-12-08 15:28:15.999581-05:00"
}
```
Note: This example is pretty-printed for readability, but errors appear on one line in the terminal.
The cbtaskerr tool includes optional parameters that allow you to control how much information is shown. To display the options, execute `/usr/share/cb/cbtaskerr --help`.
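Because cbtaskerr prints one JSON object per line, its output is easy to consume from a script, for example to flag feeds that repeatedly fail to sync. The following is an added example, not part of the Carbon Black docs or CbAPI; the sample output is constructed from the record above (the second task name is hypothetical), and the regex assumes feed errors keep the "synchronization of feed name(id)" wording shown there.

```python
import json
import re
import subprocess
from collections import Counter

CBTASKERR = "/usr/share/cb/cbtaskerr"  # path given in the EDR docs
FEED_RE = re.compile(r"synchronization of feed (?P<name>[^(]+)\((?P<id>\d+)\)")

# Constructed sample of cbtaskerr output: one JSON object per line as the tool
# prints it, plus a stray non-JSON line to show the parser skipping it.
SAMPLE_OUTPUT = """\
{"error_text": "Error during synchronization of feed somename(23): bad query field: '#47'", "task_name": "FeedSynchronizer", "task_type": "Task", "timestamp": "2020-12-08 15:28:15.999581-05:00"}
{"error_text": "Error during synchronization of feed somename(23): bad query field: '#47'", "task_name": "FeedSynchronizer", "task_type": "Task", "timestamp": "2020-12-09 15:28:16.000120-05:00"}
{"error_text": "hypothetical failure in another task", "task_name": "SomeOtherTask", "task_type": "Task", "timestamp": "2020-12-09 16:00:00.000000-05:00"}
not json at all
"""

def parse_task_errors(text):
    """Parse cbtaskerr output: one JSON object per line; skip blank/unparseable lines."""
    errors = []
    for line in text.splitlines():
        try:
            errors.append(json.loads(line.strip()))
        except ValueError:
            continue  # blank line or non-JSON text (e.g. a warning from the tool)
    return errors

def errors_by_task(errors):
    """Count errors per task_name, e.g. to alert when a task starts failing."""
    return dict(Counter(e.get("task_name", "?") for e in errors))

def failing_feeds(errors):
    """Map feed name -> number of FeedSynchronizer errors mentioning that feed."""
    counts = Counter()
    for err in errors:
        if err.get("task_name") != "FeedSynchronizer":
            continue
        m = FEED_RE.search(err.get("error_text", ""))
        if m:
            counts[m.group("name")] += 1
    return dict(counts)

def run_cbtaskerr():
    """On an EDR server: run the real tool and parse its output."""
    out = subprocess.check_output([CBTASKERR], universal_newlines=True)
    return parse_task_errors(out)
```

On the sample, `failing_feeds(parse_task_errors(SAMPLE_OUTPUT))` returns `{'somename': 2}`; on a server, replace the sample with `run_cbtaskerr()`.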
Carbon Black Integration Network
Carbon Black Integration Network Partners support vendor interoperability to help customers build next-generation security infrastructures. Leveraging our Open APIs, Carbon Black has partnered with industry leaders to create integrated solutions that provide end-to-end protection against advanced threats.
As a member of the Carbon Black Connect program, partners can submit their products to Carbon Black for certification and promote interoperability across security solutions.
Last modified on February 15, 2023