
Carbon Black Response v2

Carbon Black Response is a highly scalable, real-time EDR with unparalleled visibility for top security operations centers and incident response teams. The V2 version is developed against the latest version of the Carbon Black Response API.

Connect CB Response with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Carbon Black Response.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Host: Hostname of the CB Response instance.

  9. API Token: API Token for your CB Response instance.

  10. Org Key: Org Key for your CB Response instance.

  11. After you've entered all the details, click Connect.

Actions for CB Response

Device Background Scan

Perform Background Scan on device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
| Toggle | Select toggle for device (Default is 'ON') | Optional |

Output

A JSON object returning the status of the request.

```json
{
  "Success": true,
  "Response Code": 204,
  "error": null,
  "has_error": false
}
```

Device Quarantine (Deprecated)

Perform Quarantine action on device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Device Id | [Jinja-templated](doc:jinja-template) text for Device Id. Example: {{device_id}} | Required |
| Toggle | Select toggle for device (Default is 'ON') | Optional |

Output

A JSON object returning the status of the request.

```json
{
  "Success": true,
  "Response Code": 204,
  "error": null,
  "has_error": false
}
```

Device Quarantine V2

Perform Quarantine action on device.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Device Id | Jinja-templated text for Device Id. Example: {{device_id}} | Required |
| Toggle | Jinja-templated text for toggle value for device (Default is 'ON') | Optional |

Output

A JSON object returning the status of the request.

```json
{
  "Success": true,
  "Response Code": 204,
  "error": null,
  "has_error": false
}
```

Reputation Add File (Deprecated)

Add file to Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Override List | Name of the Override List. | Required |
| Reputation Description | The description of Reputation. | Required |
| SHA256 Hash | A hexadecimal string of length 64 characters representing the SHA-256 hash of the application. | Required |
| Filename | A filename for the hash. | Required |

Output

A JSON object returning the status of the request.

```json
{
  "created_by": "abc123",
  "source": "APP",
  "source_ref": null,
  "description": "Test",
  "override_list": "BLACK_LIST",
  "has_error": false,
  "id": "123456abcdef",
  "error": null,
  "filename": "test.exe",
  "sha256_hash": "abcdefgh12345677",
  "override_type": "SHA256",
  "create_time": "2022-01-31T06:36:05.196Z"
}
```

Reputation Add File V2 (Deprecated)

Add file to Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Override List | Name of the Override List. | Required |
| Reputation Description | The description of Reputation. | Optional |
| Override Type | Select Override Type for the Reputation (Default is SHA256). | Optional |
| Override Type Required Field | Required field relative to override type. In case the override type is SHA256 then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT then enter the name of the signer for the application. In case the override type is IT_TOOL then enter the path to the file or directory where the IT tool(s) exist on disk (Path may include wildcards). | Required |
| Filename | A filename for the hash. (Additional field when override_type is SHA256) | Optional |
| Certificate Authority | Certificate authority that authorizes the validity of the certificate. (Additional field when override_type is CERT) | Optional |
| Include Child Processes | Boolean value to include tool's child processes on approved list. (Additional field when override_type is IT_TOOL) | Optional |

Output

A JSON object returning the status of the request.

```json
{
  "created_by": "abc123",
  "source": "APP",
  "source_ref": null,
  "description": "Test",
  "override_list": "BLACK_LIST",
  "has_error": false,
  "id": "123456abcdef",
  "error": null,
  "filename": "test.exe",
  "sha256_hash": "abcdefgh12345677",
  "override_type": "SHA256",
  "create_time": "2022-01-31T06:36:05.196Z"
}
```

Reputation Add File

Add file to Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Override List | [Jinja-templated](doc:jinja-template) text containing the name of the Override List. Currently BLACK_LIST and WHITE_LIST are supported. | Required |
| Reputation Description | [Jinja-templated](doc:jinja-template) text containing the description of Reputation. | Optional |
| Override Type | [Jinja-templated](doc:jinja-template) text containing the Override Type for the Reputation. Currently SHA256, CERT and IT_TOOL are supported (Default is SHA256). | Optional |
| Override Type Required Field | [Jinja-templated](doc:jinja-template) text containing the Required field relative to override type. In case the override type is SHA256 then enter a hexadecimal string of length 64 characters representing the SHA-256 hash of the application. In case the override type is CERT then enter the name of the signer for the application. In case the override type is IT_TOOL then enter the path to the file or directory where the IT tool(s) exist on disk (Path may include wildcards). | Required |
| Filename | [Jinja-templated](doc:jinja-template) text containing the filename for the hash. (Additional field when override_type is SHA256) | Optional |
| Certificate Authority | [Jinja-templated](doc:jinja-template) text containing the Certificate authority that authorizes the validity of the certificate. (Additional field when override_type is CERT) | Optional |
| Include Child Processes | [Jinja-templated](doc:jinja-template) text containing the Boolean value to include tool's child processes on approved list. (Additional field when override_type is IT_TOOL) (Default value is True) | Optional |

Output

A JSON object returning the status of the request.

```json
{
  "created_by": "abc123",
  "source": "APP",
  "source_ref": null,
  "description": "Test",
  "override_list": "BLACK_LIST",
  "has_error": false,
  "id": "123456abcdef",
  "error": null,
  "filename": "test.exe",
  "sha256_hash": "abcdefgh12345677",
  "override_type": "SHA256",
  "create_time": "2022-01-31T06:36:05.196Z"
}
```
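As an added example (not Devo's or Carbon Black's own code), this Python helper enforces the override-type rule described above before the action runs: it validates the inputs, builds the request body and checks the action output. The SHA256 field names come from the output shown on this page; the CERT and IT_TOOL key names are assumptions.

```python
import re
from typing import Optional

# Values the action's inputs document as supported.
OVERRIDE_LISTS = {"BLACK_LIST", "WHITE_LIST"}
OVERRIDE_TYPES = {"SHA256", "CERT", "IT_TOOL"}
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def build_reputation_override(override_list: str, required_field: str, override_type: str = "SHA256",
                              description: Optional[str] = None, filename: Optional[str] = None,
                              certificate_authority: Optional[str] = None,
                              include_child_processes: bool = True) -> dict:
    """Check the Reputation Add File inputs and return the request body they map to.

    A malformed hash, an unknown list or an unknown type raises ValueError before anything
    is sent, so a typo cannot silently create a useless (or wrong) override on the EDR.
    """
    if override_list not in OVERRIDE_LISTS:
        raise ValueError(f"unsupported override list: {override_list!r}")
    if override_type not in OVERRIDE_TYPES:
        raise ValueError(f"unsupported override type: {override_type!r}")
    body = {"override_list": override_list, "override_type": override_type}
    if description:
        body["description"] = description
    if override_type == "SHA256":
        if not SHA256_RE.fullmatch(required_field):
            raise ValueError("SHA256 override needs a 64-character hexadecimal hash")
        body["sha256_hash"] = required_field.lower()
        if filename:
            body["filename"] = filename
    elif override_type == "CERT":
        # "signed_by", "certificate_authority", "path" and "include_child_processes" are
        # assumed key names; the page only shows the SHA256 response fields.
        body["signed_by"] = required_field
        if certificate_authority:
            body["certificate_authority"] = certificate_authority
    else:  # IT_TOOL
        body["path"] = required_field
        body["include_child_processes"] = include_child_processes
    return body


def override_succeeded(response: dict) -> bool:
    """True when the action output reports no error and carries the new override's id."""
    return not response.get("has_error") and response.get("error") is None and bool(response.get("id"))
```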

Reputation Delete File

Delete file of Reputation.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Reputation Id | Jinja-templated text containing the Id of the Reputation. | Required |

Output

A JSON object returning the status of the request.

```json
{
  "Response Code": 204,
  "has_error": false,
  "Response Text": "Successfully deleted resource override",
  "error": null,
  "Success": true
}
```

Search Devices

Search Devices on Carbon Black instance.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Criteria | Jinja-templated text containing the Criteria. A Criteria is an object that represents values that must be in the results, in JSON format. Example: {"os": ["WINDOWS"]} | Optional |
| Exclusions | Jinja-templated text containing the Exclusions. The Exclusions is a map that represents values that must not be in the results, in JSON format. Example: {"sensorVersion": ["windows:1.0.0"]} | Optional |
| Query | Jinja-templated text containing the query in Lucene syntax and/or including value searches. | Optional |
| Rows | Jinja-templated value for the number of rows to return. (Default is 20) | Optional |
| Start | Jinja-templated value for the row to begin returning results from. (Default is 0) | Optional |
| Sort Field | Jinja-templated text containing the field to sort on. Example: 'policyName'. (Default is null) | Optional |
| Sort Order | Jinja-templated text containing the direction to sort by. Supports 'asc' or 'desc'. (Default is 'asc') | Optional |

Output

A JSON object returning the status of the request.

```json
{
  "num_found": 977,
  "results": [
    {
      "activation_code": "CIG28U",
      "activation_code_expiry_time": "2019-05-10T21:12:52.697Z",
      "ad_group_id": 0,
      "appliance_name": null,
      "appliance_uuid": null,
      "auto_scaling_group_name": null,
      "av_ave_version": null,
      "av_engine": null,
      "av_last_scan_time": null,
      "av_master": false,
      "av_pack_version": null,
      "av_product_version": null,
      "av_status": null,
      "av_update_servers": null,
      "av_vdf_version": null,
      "base_device": null,
      "cloud_provider_account_id": null,
      "cloud_provider_resource_id": null,
      "cloud_provider_tags": null,
      "cluster_name": null,
      "current_sensor_policy_name": null,
      "datacenter_name": null,
      "deployment_type": "ENDPOINT",
      "deregistered_time": null,
      "device_meta_data_item_list": [],
      "device_owner_id": 361641,
      "email": "andreano+cb2@gmail.com",
      "encoded_activation_code": "ENUYH5W3019",
      "esx_host_name": null,
      "esx_host_uuid": null,
      "first_name": null,
      "golden_device": null,
      "golden_device_id": null,
      "host_based_firewall_failure_reason": null,
      "host_based_firewall_status": null,
      "id": 167070478,
      "last_contact_time": null,
      "last_device_policy_changed_time": "2021-01-29T18:50:03.041Z",
      "last_device_policy_requested_time": null,
      "last_external_ip_address": null,
      "last_internal_ip_address": null,
      "last_location": null,
      "last_name": null,
      "last_policy_updated_time": "2022-05-18T09:33:54.526Z",
      "last_reported_time": null,
      "last_reset_time": null,
      "last_shutdown_time": null,
      "linux_kernel_version": null,
      "login_user_name": null,
      "mac_address": null,
      "middle_name": null,
      "name": null,
      "nsx_distributed_firewall_policy": null,
      "nsx_enabled": null,
      "organization_id": 1105,
      "organization_name": "cb-internal-alliances.com",
      "os": "OTHER",
      "os_version": null,
      "passive_mode": false,
      "policy_id": 6525,
      "policy_name": "default",
      "policy_override": true,
      "quarantined": false,
      "registered_time": null,
      "scan_last_action_time": null,
      "scan_last_complete_time": null,
      "scan_status": null,
      "sensor_kit_type": "OTHER",
      "sensor_out_of_date": false,
      "sensor_pending_update": false,
      "sensor_states": null,
      "sensor_version": null,
      "status": "PENDING",
      "target_priority": "MEDIUM",
      "uninstall_code": null,
      "vcenter_host_url": null,
      "vcenter_name": null,
      "vcenter_uuid": null,
      "vdi_base_device": null,
      "virtual_machine": false,
      "virtual_private_cloud_id": null,
      "virtualization_provider": null,
      "vm_ip": null,
      "vm_name": null,
      "vm_uuid": null,
      "vulnerability_score": 0,
      "vulnerability_severity": null,
      "windows_platform": null
    }
  ],
  "error": null,
  "has_error": false
}
```
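As an added example, not code from this page or from Devo, the Python helper below turns the Search Devices inputs listed above into one request (parsing the JSON Criteria and Exclusions text and checking the sort order), works out the next Start value from num_found, and picks out the devices in the output a responder would look at first. The request body layout, in particular the sort entry, is assumed from the input names; the sample output is constructed in the shape of the one shown above.

```python
import json
from typing import Optional

SORT_ORDERS = {"asc", "desc"}

# Constructed sample in the shape of the Search Devices output above (two devices, fields trimmed).
SAMPLE_OUTPUT = {"num_found": 977, "error": None, "has_error": False, "results": [
    {"id": 167070478, "policy_name": "default", "quarantined": False, "sensor_out_of_date": False},
    {"id": 167070479, "policy_name": "default", "quarantined": True, "sensor_out_of_date": True}]}


def build_device_search(criteria: Optional[str] = None, exclusions: Optional[str] = None,
                        query: Optional[str] = None, rows: int = 20, start: int = 0,
                        sort_field: Optional[str] = None, sort_order: str = "asc") -> dict:
    """Turn the action's text inputs into one request body, rejecting bad values up front."""
    body = {"rows": int(rows), "start": int(start)}
    if body["rows"] <= 0 or body["start"] < 0:
        raise ValueError("rows must be positive and start non-negative")
    # Criteria and Exclusions arrive as JSON text and must be an object of field -> list of values.
    for key, text in (("criteria", criteria), ("exclusions", exclusions)):
        if text:
            parsed = json.loads(text)
            if not isinstance(parsed, dict) or not all(isinstance(v, list) for v in parsed.values()):
                raise ValueError(f"{key} must be a JSON object of field -> list of values")
            body[key] = parsed
    if query:
        body["query"] = query
    if sort_field:
        if sort_order not in SORT_ORDERS:
            raise ValueError("sort order must be 'asc' or 'desc'")
        body["sort"] = [{"field": sort_field, "order": sort_order}]  # sort entry shape is assumed
    return body


def next_start(output: dict, start: int) -> Optional[int]:
    """Start row for the next page, or None once all num_found rows have been returned."""
    results = output.get("results", [])
    nxt = start + len(results)
    return nxt if results and nxt < output.get("num_found", 0) else None


def flag_devices(output: dict) -> list:
    """Devices a responder looks at first: quarantined, or running an out-of-date sensor."""
    flagged = []
    for d in output.get("results", []):
        reasons = [name for name in ("quarantined", "sensor_out_of_date") if d.get(name)]
        if reasons:
            flagged.append({"id": d["id"], "policy_name": d.get("policy_name"), "reasons": reasons})
    return flagged
```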

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.5.1 - Added new action Search Devices.

  • v1.4.0 - Added new action Device Quarantine V2 and deprecated the Device Quarantine.

  • v1.3.0 - Added new action Search Reputation Overrides.

  • v1.2.6 - Deprecated the Reputation Add File V2 action and added Reputation Add File action as the inputs are changed to jinja template.

  • v1.2.2 - Updated connection procedure.

  • v1.2.0 - Added Reputation delete file action.

  • v1.1.1 - Added Reputation add file v2 action and deprecated old version.

  • v1.0.3 - Added three actions to Carbon Black v6 API.