Carbon Black Response
Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams.
Connect CB Response with Devo SOAR
Navigate to Automations > Integrations.
Search for Carbon Black Response.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Host: Hostname of the CB Response instance.
API Token: API Token for your CB Response instance.
After you've entered all the details, click Connect.
Actions for CB Response
Retrieve Binary
Returns the binary for the provided MD5 hash.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Hash | MD5 hash of the binary. | Required |
Output
A JSON object containing the file-id of the binary downloaded to the Devo SOAR instance.
Get Watchlists
Returns all watchlists with details.
Input Field
No specific input.
Output
A JSON object with uncorrelated rows, one per watchlist, each containing that watchlist's details.
Create Watchlist
Create a new watchlist in CB Response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Name of the newly created watchlist. | Required |
Search Query | Raw query that this watchlist should match. | Required |
Watchlist Index Type | 'modules' and 'events' for binary and process watchlists, respectively. | Required |
Output
A JSON object containing multiple results of the action.
Update/Set Watchlist
Updates a watchlist in CB Response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Watchlist ID | Watchlist ID that needs to be updated. | Required |
Name | New name to update watchlist. | Required |
Search Query | An updated raw query that this watchlist should match. | Required |
Watchlist Index Type | 'modules' and 'events' for binary and process watchlists, respectively. | Required |
Output
A JSON object containing multiple results of the action.
Delete Watchlist
Deletes a watchlist from CB Response.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Watchlist ID | Watchlist ID that needs to be deleted. | Required |
Output
A JSON object containing multiple results of the action.
Get Sensors
Returns all registered sensors with details.
Input Field
No specific input.
Output
A JSON object with uncorrelated rows, one per sensor, each containing that sensor's details.
Search Sensors
Returns all sensors matching the search-filter criteria with details.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Search Filter | JSON search query to filter sensors. | Required |
Output
A JSON object with one row per sensor that satisfies the filtering criteria, each containing that sensor's details.
Release Notes
v3.0.0
- Updated architecture to support IO via filesystem