Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams. V2 version is developed for Carbon Black Response API's latest version.
Connect CB Response with Devo SOAR
Navigate to Automations > Integrations.
Search for Carbon Black Response.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Host: Hostname of the CB Response instance.
API Token: API Token for your CB Response instance.
Org Key: Org Key for your CB Response instance.
After you've entered all the details, click Connect.
Actions for CB Response
Device Background Scan
Perform Background Scan on device.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
Toggle | Select toggle for device (Default is 'ON') | Optional |
Output
A JSON object returning the status of the request.
``` {json}{ "Success": true, "Response Code": 204, "error": null, "has_error": false }
## Device Quarantine (Deprecated) Perform Quarantine action on device. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :--------- | :------------------------------------------------------------------------------- | :------- | | Device Id | [Jinja-templated](doc:jinja-template) text for Device Id. Example: {{device_id}} | Required | | Toggle | Select toggle for device (Default is 'ON') | Optional | ### Output A JSON object returning the status of the request. ``` {json}{ "Success": true, "Response Code": 204, "error": null, "has_error": false }
Device Quarantine V2
Perform Quarantine action on device.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
Toggle | Jinja-templated text for toggle value for device (Default is 'ON') | Optional |
Output
A JSON object returning the status of the request.
``` {json}{ "Success": true, "Response Code": 204, "error": null, "has_error": false }
## Reputation Add File (Deprecated) Add file to Reputation. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :--------------------- | :--------------------------------------------------------------------------------------------- | :------- | | Override List | Name of the Override List. | Required | | Reputation Description | The description of Reputation. | Required | | SHA256 Hash | A hexadecimal string of length 64 characters representing the SHA-256 hash of the application. | Required | | Filename | A filename for the hash, | Required | ### Output A JSON object returning the status of the request. ``` {json}{ "created_by": "abc123", "source": "APP", "source_ref": null, "description": "Test", "override_list": "BLACK_LIST", "has_error": false, "id": "123456abcdef", "error": null, "filename": "test.exe", "sha256_hash": "abcdefgh12345677", "override_type": "SHA256", "create_time": "2022-01-31T06:36:05.196Z" }
Reputation Add File V2(Deprecated)
Add file to Reputation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Override List | Name of the Override List. | Required |
Reputation Description | The description of Reputation. | Optional |
Override Type | Select Override Type for the Reputation. Default is SHA256 | Optional |
Override Type Required Field | Required field relative to override type. In case the override type is SHA256 then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT then enter the name of the signer for the application. In case the override type is IT_TOOL then enter the path to the file or directory where the IT tool(s) exist on disk (Path may include wildcards). | Required |
Filename | A filename for the hash. (Additional fields when override_type is SHA256) | Optional |
Certificate Authority | Certificate authority that authorizes the validity of the certificate. (Additional fields when override_type is CERT) | Optional |
Include Child Processes | Boolean value to include tool's child processes on approved list. (Additional fields when override_type is IT_TOOL) | Optional |
Output
A JSON object returning the status of the request.
``` {json}{ "created_by": "abc123", "source": "APP", "source_ref": null, "description": "Test", "override_list": "BLACK_LIST", "has_error": false, "id": "123456abcdef", "error": null, "filename": "test.exe", "sha256_hash": "abcdefgh12345677", "override_type": "SHA256", "create_time": "2022-01-31T06:36:05.196Z" }
## Reputation Add File Add file to Reputation. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Override List | [Jinja-templated](doc:jinja-template) text containing the name of the Override List. Currently BLACK_LIST and WHITE_LIST are supported. | Required | | Reputation Description | [Jinja-templated](doc:jinja-template) text containing the description of Reputation. | Optional | | Override Type | [Jinja-templated](doc:jinja-template) text containing the Override Type for the Reputation.Currently SHA256, CERT and IT_TOOL are supported (Default is SHA256). | Optional | | Override Type Required Field | [Jinja-templated](doc:jinja-template) text containing the Required field relative to override type. In case the override type is SHA256 then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT then enter the name of the signer for the application. In case the override type is IT_TOOL then enter the path to the file or directory where the IT tool(s) exist on disk (Path may include wildcards). | Required | | Filename | [Jinja-templated](doc:jinja-template) text containing the filename for the hash. (Additional fields when override_type is SHA256) | Optional | | Certificate Authority | [Jinja-templated](doc:jinja-template) text containing the Certificate authority that authorizes the validity of the certificate. (Additional fields when override_type is CERT) | Optional | | Include Child Processes | [Jinja-templated](doc:jinja-template) text containing the Boolean value to include tool's child processes on approved list. (Additional fields when override_type is IT_TOOL) (Default value is True) | Optional | ### Output A JSON object returning the status of the request. ``` {json}{ "created_by": "abc123", "source": "APP", "source_ref": null, "description": "Test", "override_list": "BLACK_LIST", "has_error": false, "id": "123456abcdef", "error": null, "filename": "test.exe", "sha256_hash": "abcdefgh12345677", "override_type": "SHA256", "create_time": "2022-01-31T06:36:05.196Z" }
Reputation Delete File
Delete file of Reputation.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Reputation Id | Jinja-templated text containing the Id of the Reputation. | Required |
Output
A JSON object returning the status of the request.
``` {json}{ "Response Code": 204, "has_error": false, "Response Text": "Successfully deleted resource override", "error": null, "Success": true }
## Search Reputation Overrides Search Reputation Overrides. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :------------ | :---------------------------------------------------------------------------------------------------------------- | :------- | | Override List | [Jinja-templated](doc:jinja-template) text containing the override list. | Optional | | Override Type | [Jinja-templated](doc:jinja-template) text containing the override type. | Optional | | Query | [Jinja-templated](doc:jinja-template) text containing the query in lucene syntax and/or including value searches. | Optional | | Rows | [Jinja-templated](doc:jinja-template) text for pagination, how many results to return. | Optional | | Start | [Jinja-templated](doc:jinja-template) text for pagination, where to start retrieving results from. | Optional | | Sort Field | [Jinja-templated](doc:jinja-template) text containing the field to sort on. | Optional | | Sort Order | [Jinja-templated](doc:jinja-template) text containing the direction to sort by. | Optional | ### Output A JSON object returning the status of the request. ``` {json}{ "result": { "num_found": 2, "results": [ { "id": "0202216556bb95d0bb43b594f", "created_by": "NKVPZ3SN", "create_time": "2021-12-06T04:21:39.284Z", "override_list": "WHITE_LIST", "override_type": "SHA256", "description": "Block this hash", "source": "APP", "source_ref": null, "sha256_hash": "5434a2f58ecc07d2f75ea314fc7b8b58d76e39d8d98d1e05a3", "filename": null }, { "id": "b67ccb1f5220154243e58c2", "created_by": "NKVCHPZ3SN", "create_time": "2021-12-01T10:30:32.701Z", "override_list": "WHITE_LIST", "override_type": "SHA256", "description": "", "source": "APP", "source_ref": null, "sha256_hash": "e2daf2e1dfd4b78280511f4745dc4e4852ee1a44d280b98b5", "filename": null } ], "error": null, "has_error": false }, "stdout": "", "stderr": "", "start_node": "" }
Search Devices
Search Devices on Carbon Black instance.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Criteria | Jinja-templated text containing the Criteria. A Criteria is an object that represents values that must be in the results in JSON format. Example {"os": ["WINDOWS"]} | Optional |
Exclusions | Jinja-templated text containing the Exclusions. The Exclusions is a map that represents values that must not be in the results in JSON format. Example {"sensorVersion": ["windows:1.0.0"]} | Optional |
Query | Jinja-templated text containing query in lucene syntax and/or including value searches. | Optional |
Rows | Jinja-templated value for number of rows to return. (Default is 20) | Optional |
Start | Jinja-templated value what row to begin returning results from. (Default is 0) | Optional |
Sort Field | Jinja-templated text containing the field to sort on. Example 'policyName'. (Default is null) | Optional |
Sort Order | Jinja-templated text containing the direction to sort by. Supports 'asc' or 'desc'. (Default is 'asc') | Optional |
Output
A JSON object returning the status of the request.
{json}{
"num_found": 977,
"results": [{
"activation_code": "CIG28U",
"activation_code_expiry_time": "2019-05-10T21:12:52.697Z",
"ad_group_id": 0,
"appliance_name": null,
"appliance_uuid": null,
"auto_scaling_group_name": null,
"av_ave_version": null,
"av_engine": null,
"av_last_scan_time": null,
"av_master": false,
"av_pack_version": null,
"av_product_version": null,
"av_status": null,
"av_update_servers": null,
"av_vdf_version": null,
"base_device": null,
"cloud_provider_account_id": null,
"cloud_provider_resource_id": null,
"cloud_provider_tags": null,
"cluster_name": null,
"current_sensor_policy_name": null,
"datacenter_name": null,
"deployment_type": "ENDPOINT",
"deregistered_time": null,
"device_meta_data_item_list": [],
"device_owner_id": 361641,
"email": "andreano+cb2@gmail.com",
"encoded_activation_code": "ENUYH5W3019",
"esx_host_name": null,
"esx_host_uuid": null,
"first_name": null,
"golden_device": null,
"golden_device_id": null,
"host_based_firewall_failure_reason": null,
"host_based_firewall_status": null,
"id": 167070478,
"last_contact_time": null,
"last_device_policy_changed_time": "2021-01-29T18:50:03.041Z",
"last_device_policy_requested_time": null,
"last_external_ip_address": null,
"last_internal_ip_address": null,
"last_location": null,
"last_name": null,
"last_policy_updated_time": "2022-05-18T09:33:54.526Z",
"last_reported_time": null,
"last_reset_time": null,
"last_shutdown_time": null,
"linux_kernel_version": null,
"login_user_name": null,
"mac_address": null,
"middle_name": null,
"name": null,
"nsx_distributed_firewall_policy": null,
"nsx_enabled": null,
"organization_id": 1105,
"organization_name": "cb-internal-alliances.com",
"os": "OTHER",
"os_version": null,
"passive_mode": false,
"policy_id": 6525,
"policy_name": "default",
"policy_override": true,
"quarantined": false,
"registered_time": null,
"scan_last_action_time": null,
"scan_last_complete_time": null,
"scan_status": null,
"sensor_kit_type": "OTHER",
"sensor_out_of_date": false,
"sensor_pending_update": false,
"sensor_states": null,
"sensor_version": null,
"status": "PENDING",
"target_priority": "MEDIUM",
"uninstall_code": null,
"vcenter_host_url": null,
"vcenter_name": null,
"vcenter_uuid": null,
"vdi_base_device": null,
"virtual_machine": false,
"virtual_private_cloud_id": null,
"virtualization_provider": null,
"vm_ip": null,
"vm_name": null,
"vm_uuid": null,
"vulnerability_score": 0,
"vulnerability_severity": null,
"windows_platform": null
}],
"error": null,
"has_error": false
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystemv1.5.1
- Added new actionSearch Devices
.v1.4.0
- Added new actionDevice Quarantine V2
and deprecated theDevice Quarantine
.v1.3.0
- Added new actionSearch Reputation Overrides
.v1.2.6
- Deprecated theReputation Add File V2
action and addedReputation Add File
action as the inputs are changed to jinja template.v1.2.2
- Updated connection procedure.v1.2.0
- Added Reputation delete file action.v1.1.1
- Added Reputation add file v2 action and deprecated old version.v1.0.3
- Added three actions to Carbon Black v6 api.