Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
The Carbon Black Server API comprises three parts: the Message Bus API documentation, the Python language API bindings in the cbapi repository, and the example scripts and libraries in the
There is no requirement to use the Python language bindings or API: while the helper library and example scripts are written in Python, any AMQP-compatible library can consume the Carbon Black Message Bus. See the Message Bus API documentation for more information on consuming the Message Bus from an alternative AMQP implementation.
You can get started using the Server API in three steps:
There are two types of messages published on the Carbon Black Message Bus: messages generated by events occurring on endpoints (for example, modloads, regmods, and netconns), and messages generated by the Carbon Black server itself (for example, watchlist and feed hits). By default, Carbon Black publishes only server-generated messages on the Message Bus. If you want to also subscribe to messages generated by endpoint events, the Carbon Black configuration file must be modified to enable publishing the raw endpoint events.
The Carbon Black server can be configured to export some or all raw endpoint events by modifying cb.conf, found at
In particular, the following configuration option:
The supported types are:

| Type | Description |
|---|---|
| | all endpoint events |
| | Binary module loads (for example, DLLs on Windows) |
| | Process creation and termination |
| | Binary module information |
Multiple types can be specified using a comma delimiter, without spaces.
In addition, to enable binaryinfo events, you must enable EnableSolrBinaryInfoNotifications in the cb.conf file:
After EnableSolrBinaryInfoNotifications is modified, the Carbon Black service must be restarted:
service cb-enterprise restart
Now the Carbon Black server will publish the endpoint events defined in DatastoreBroadcastEventTypes to the
For more information, see
/etc/cb/cb.conf. The appropriate configuration settings are
# If this property is not empty, it will enable publishing of incoming events from
# sensors onto Redis PUBSUB (use RedisHost/RedisPort and DB value of 1 to establish
# connection). The value of this property consists of one or more of the following
# comma-separated event types that should be published:
# * procstart (or process)
# * procend
# * childproc
# * moduleload
# * module
# * filemod
# * regmod
# * netconn
# If you wish to subscribe for ALL of the above events, "*" value can be specified.
# Each event type will be published to its own topic: ingress.event.<event type>
DatastoreBroadcastEventTypes=*

# These parameters enable/disable event notifications on feed hit commit and binary
# info observed events (default values below)
EnableSolrFeedNotifications=True
EnableSolrBinaryInfoNotifications=True
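Because a mistyped DatastoreBroadcastEventTypes value (spaces after the commas, an unknown type, or binaryinfo without EnableSolrBinaryInfoNotifications) only shows up after `service cb-enterprise restart`, it is worth checking the settings before restarting. The following script is an added example and is not part of cbapi or the Carbon Black documentation; it uses only the Python standard library, parses the Key=Value lines of a cb.conf excerpt, expands the value according to the rules quoted above (comma delimiter without spaces, or `*` for all types) and lists the `ingress.event.<type>` topic each type is published to. The supported-type set is taken from the cb.conf comment above plus `binaryinfo` from the table section; the sample configurations at the bottom are constructed for the example.

```python
"""Validate the event-broadcast settings in cb.conf before restarting cb-enterprise.

Added example; not part of cbapi or of the Carbon Black documentation. It uses only
the standard library: it parses Key=Value lines from a cb.conf, expands the
DatastoreBroadcastEventTypes value (comma-delimited without spaces, or "*"),
derives the ingress.event.<type> topic per event type, and flags the binaryinfo /
EnableSolrBinaryInfoNotifications dependency described in the text.
"""

# Event types listed in the cb.conf comment for DatastoreBroadcastEventTypes,
# plus "binaryinfo", which the text says additionally needs
# EnableSolrBinaryInfoNotifications=True.
SUPPORTED_EVENT_TYPES = frozenset({
    "procstart", "process", "procend", "childproc", "moduleload",
    "module", "filemod", "regmod", "netconn", "binaryinfo",
})
WILDCARD = "*"
TOPIC_PREFIX = "ingress.event."   # topic naming from the cb.conf comment


def parse_cb_conf(text):
    """Return {key: value} for the Key=Value lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def broadcast_event_types(value):
    """Expand a DatastoreBroadcastEventTypes value into (types, problems).

    "" keeps raw endpoint events unpublished, "*" selects every supported type,
    otherwise the value must be comma-delimited without spaces.
    """
    problems = []
    if value == "":
        return [], problems
    if value == WILDCARD:
        return sorted(SUPPORTED_EVENT_TYPES), problems
    types = []
    for token in value.split(","):
        if token != token.strip():
            problems.append("whitespace around %r: use a comma delimiter without spaces" % token)
            token = token.strip()
        if token == WILDCARD:
            problems.append("'*' must be the only value when it is used")
        elif token not in SUPPORTED_EVENT_TYPES:
            problems.append("unsupported event type %r" % token)
        elif token in types:
            problems.append("duplicate event type %r" % token)
        else:
            types.append(token)
    return types, problems


def is_true(setting):
    """cb.conf booleans are written as True/False; accept any casing."""
    return setting.strip().lower() == "true"


def check_config(text):
    """Summarise what the server would publish and what would block it."""
    settings = parse_cb_conf(text)
    types, problems = broadcast_event_types(
        settings.get("DatastoreBroadcastEventTypes", ""))
    binaryinfo_enabled = is_true(settings.get("EnableSolrBinaryInfoNotifications", ""))
    if "binaryinfo" in types and not binaryinfo_enabled:
        problems.append("binaryinfo requested but EnableSolrBinaryInfoNotifications is not True")
    return {
        "endpoint_events_published": bool(types),
        "topics": [TOPIC_PREFIX + t for t in types],
        "feed_notifications": is_true(settings.get("EnableSolrFeedNotifications", "")),
        "binaryinfo_notifications": binaryinfo_enabled,
        "problems": problems,
    }


# Constructed sample mirroring the cb.conf excerpt above (not a real server's file).
SAMPLE_CONF = """\
# publish all raw endpoint events
DatastoreBroadcastEventTypes=*
EnableSolrFeedNotifications=True
EnableSolrBinaryInfoNotifications=True
"""

# Constructed misconfiguration: a space after a comma and binaryinfo without its prerequisite.
BROKEN_CONF = """\
DatastoreBroadcastEventTypes=procstart, netconn,binaryinfo
EnableSolrBinaryInfoNotifications=False
"""

if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        result = check_config(conf)
        print(name, "topics:", result["topics"])
        for problem in result["problems"]:
            print(name, "problem:", problem)
```

Run it against a copy of `/etc/cb/cb.conf` (read the file and pass its contents to `check_config`) before the restart; an empty `problems` list means the value will be accepted as written, and `topics` tells a consumer which `ingress.event.*` topics to subscribe to.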
If you don't already have git installed on your workstation, do so now. The instructions below assume a Linux (or other Unix-like) workstation.
[root@localhost carbonblack]# git clone https://github.com/carbonblack/cbapi.git
Initialized empty Git repository in /root/repos/carbonblack/cbapi/.git/
remote: Reusing existing pack: 80, done.
remote: Counting objects: 25, done.
remote: Compressing objects: 100% (25/25), done.
Receiving objects: 100% (105/105), 38.03 KiB | 17 KiB/s, done.
Resolving deltas: 100% (50/50), done.
remote: Total 105 (delta 10), reused 0 (delta 0)
If you are using virtualenv to manage your Python packages, create or activate a virtualenv now.
[root@localhost carbonblack]# cd cbapi/client_apis/python
[root@localhost python]# python setup.py develop
The setup script should install the prerequisite packages; the most important package is
The 'subscribe_all.py' example script is found at: