Carbon Black EDR Message Bus Quickstart

Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.

The Carbon Black Server API consists of three parts: the Message Bus API documentation, the Python language API bindings in the cbapi repository, and the example scripts and libraries in the server_apis subdirectory.

There is no requirement to use the Python language bindings or API; while the helper library and example scripts are written in Python, any AMQP-compatible library can consume the Carbon Black Message Bus. See the Message Bus API documentation for more information on consuming the Message Bus from an alternative AMQP implementation.

Using the Carbon Black Server API

You can get started using the Server API in three steps:

  1. Configuring the Carbon Black server to publish endpoint messages on the Message Bus
  2. Installing the Python language Carbon Black API bindings
  3. Running and modifying the example Message Bus consumer scripts

Configuring the Carbon Black Server

There are two types of messages published on the Carbon Black Message Bus: messages generated by events occurring on endpoints (for example, modloads, regmods, and netconns), and messages generated by the Carbon Black server itself (for example, watchlist and feed hits). By default, Carbon Black publishes only server-generated messages on the Message Bus. If you want to also subscribe to messages generated by endpoint events, the Carbon Black configuration file must be modified to enable publishing the raw endpoint events.

The Carbon Black server can be configured to export some or all raw endpoint events by modifying cb.conf, found at /etc/cb/cb.conf.

In particular, the following configuration option selects which event types are published:

DatastoreBroadcastEventTypes=<TYPE[S]>

The supported types are:

  Type         Description
  *            All endpoint events
  moduleload   Binary module loads (for example, DLLs on Windows)
  netconn      Network connections
  filemod      File modifications
  regmod       Registry modifications
  process      Process creation and termination
  moduleinfo   Binary module information

Multiple types can be specified using a comma delimiter, without spaces.

In addition, to enable binaryinfo events, you must enable EnableSolrBinaryInfoNotifications in the cb.conf file:

EnableSolrBinaryInfoNotifications=True

Once DatastoreBroadcastEventTypes and/or EnableSolrBinaryInfoNotifications has been modified, the Carbon Black service must be restarted:

service cb-enterprise restart

Now the Carbon Black server will publish the endpoint events defined in DatastoreBroadcastEventTypes to the Message Bus.

For more information, see /etc/cb/cb.conf. The appropriate configuration settings are included below:

# If this property is not empty, it will enable publishing of incoming events from
# sensors onto Redis PUBSUB (use RedisHost/RedisPort and DB value of 1 to establish
# connection). The value of this property consists of one or more of the following
# comma-separated event types that should be published:
#   * procstart (or process)
#   * procend
#   * childproc
#   * moduleload
#   * module
#   * filemod
#   * regmod
#   * netconn
# If you wish to subscribe for ALL of the above events, "*" value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
DatastoreBroadcastEventTypes=*

# These parameters enable/disable event notifications on feed hit commit and binary
# info observed events (default values below)
EnableSolrFeedNotifications=True
EnableSolrBinaryInfoNotifications=True

Install the API

If you don’t already have git installed on your workstation, do so now. The instructions below assume a Linux (or other Unix-like) workstation.

Clone the github cbapi repository:

[root@localhost carbonblack]# git clone https://github.com/carbonblack/cbapi.git
Initialized empty Git repository in /root/repos/carbonblack/cbapi/.git/
remote: Reusing existing pack: 80, done.
remote: Counting objects: 25, done.
remote: Compressing objects: 100% (25/25), done.
Receiving objects: 100% (105/105), 38.03 KiB | 17 KiB/s, done.
Resolving deltas: 100% (50/50), done.
remote: Total 105 (delta 10), reused 0 (delta 0)

Install the API

If you are using virtualenv to manage your Python packages, create or activate a virtualenv now.

[root@localhost carbonblack]# cd cbapi/client_apis/python
[root@localhost python]# python setup.py develop

The setup script should install the prerequisite packages; the most important package is pika.

Use the example “subscribe_all.py” script to see all event notifications on the Carbon Black server.

The ‘subscribe_all.py’ example script is found at:

`server_apis/python/example`
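The DatastoreBroadcastEventTypes setting and the ingress.event.<event type> topics described above, together with the pika-based subscription that subscribe_all.py performs, as an added example that is not code from the cbapi repository: it validates a cb.conf value, derives the queue bindings from it, and tallies deliveries per event type. The exchange name api.events, the topic-exchange wildcard binding, the broker port and credentials, and the pika 1.x callback signature are assumptions not stated on this page; message bodies are left undecoded.

```python
from collections import Counter
# Event types named in the cb.conf comment ("process" is listed as the alias for procstart).
KNOWN_EVENT_TYPES = frozenset({"procstart", "process", "procend", "childproc",
                               "moduleload", "module", "filemod", "regmod", "netconn"})
TOPIC_PREFIX = "ingress.event."  # one topic per type, from the cb.conf comment
EXCHANGE = "api.events"          # ASSUMPTION: the page does not name the exchange
COUNTS = Counter()               # raw endpoint events seen, per type

def parse_broadcast_event_types(value):
    """Types enabled by a DatastoreBroadcastEventTypes value ('' = none, '*' = all)."""
    value = value.strip()
    if not value:
        return set()
    if value == "*":
        return set(KNOWN_EVENT_TYPES)
    types = set()
    for token in value.split(","):
        # cb.conf takes a comma-delimited list without spaces; reject anything else
        if token != token.strip() or token not in KNOWN_EVENT_TYPES:
            raise ValueError("bad DatastoreBroadcastEventTypes entry: %r" % token)
        types.add(token)
    return types

def routing_keys_for(types):
    """Binding keys for a topic exchange (assumed); all types enabled collapses to one wildcard."""
    if types >= KNOWN_EVENT_TYPES:
        return [TOPIC_PREFIX + "*"]
    return sorted(TOPIC_PREFIX + t for t in types)

def event_type_from_routing_key(key):
    """'ingress.event.netconn' -> 'netconn'; server-generated topics (feed/watchlist hits) -> None."""
    return key[len(TOPIC_PREFIX):] if key.startswith(TOPIC_PREFIX) else None

def record(routing_key, body):
    # Tally one delivery by event type; the body (sensor event payload) is left opaque here.
    event_type = event_type_from_routing_key(routing_key)
    if event_type is not None:
        COUNTS[event_type] += 1
    return event_type

def consume(host, port, user, password, cb_conf_value):
    """Bind a temporary queue to the enabled topics and consume until interrupted."""
    import pika  # installed by cbapi's setup script; pika >= 1.0 API used (assumption)
    conn = pika.BlockingConnection(pika.ConnectionParameters(
        host=host, port=port, credentials=pika.PlainCredentials(user, password)))
    ch = conn.channel()
    queue = ch.queue_declare(queue="", exclusive=True).method.queue
    for key in routing_keys_for(parse_broadcast_event_types(cb_conf_value)):
        ch.queue_bind(exchange=EXCHANGE, queue=queue, routing_key=key)
    ch.basic_consume(queue=queue, auto_ack=True,
                     on_message_callback=lambda c, m, p, b: record(m.routing_key, b))
    ch.start_consuming()
```

Pass the same string you put in cb.conf as cb_conf_value so the consumer binds exactly the topics the server will publish; a value the server would reject is reported before any connection is made.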
Last modified on January 4, 2016