InsightConnect Marketplace

VMware Carbon Black EDR

Back to Marketplace

VMware Carbon Black EDR

v3.1.10

Automate information collection, endpoint isolation and hash blacklisting

Tags: carbon black, vmware, response, endpoint, cb, detection

Triggers
  • New Alert

Actions
  • Add Feed
  • Add Watchlist
  • Blacklist Hash
  • Delete Feed
  • Delete Watchlist
  • Get Binary
  • Isolate Sensor
  • List Alerts
  • List Binaries
  • List Feeds
  • List Processes
  • List Sensors
  • List Watchlists
  • Unisolate Sensor
  • Update Alert

Description

VMware Carbon Black EDR is the most complete endpoint detection and response solution available to security teams. The InsightConnect plugin allows you to automate information collection, endpoint isolation and hash blacklisting.

This plugin utilizes the VMware Carbon Black EDR REST API.

Key Features

  • Investigate endpoints
  • Blacklist hashes
  • Isolate endpoints

Requirements

  • Requires an API Key from VMware Carbon Black EDR

Documentation

Setup

The connection configuration accepts the following parameters:

Name Type Default Required Description Enum
url string https://127.0.0.1/api/bit9platform/v1 True Carbon Black Server API URL None
ssl_verify boolean True True SSL certificate verification None
api_key credential_secret_key None True API token found in your Carbon Black profile None

Technical Details

Actions

List Alerts

This action is used to list alerts with given parameters.

Input
Name Type Default Required Description Enum
query string None False Accepts the same data as the search box on the Process Search page None
rows integer 10 False How many rows of data to return. Default is 10 None
start integer 0 False What row of data to start at. Default is 0 None
Output
Name Type Required Description
alerts []alert False The lists of alerts

Example output:


[{
  "username": "SYSTEM",
  "alert_type": "watchlist.hit.query.process",
  "sensor_criticality": 3,
  "modload_count": 0,
  "report_score": 75,
  "watchlist_id": "11",
  "sensor_id": 1,
  "feed_name": "My Watchlists",
  "created_time": "2017-09-11T17:50:03.377Z",
  "ioc_type": "query",
  "watchlist_name": "Watchlist",
  "ioc_confidence": 0.5,
  "ioc_attr": "{\"highlights\": [\"c:\\\\windows\\\\carbonblack\\\\PREPREPREcb.exePOSTPOSTPOST\", \"PREPREPREcb.exePOSTPOSTPOST\"]}",
  "alert_severity": 50.625,
  "crossproc_count": 0,
  "group": "default group",
  "hostname": "win-6epacunb1i1",
  "filemod_count": 0,
  "resolved_time": "2017-09-11T18:11:32.09Z",
  "comms_ip": "52.122.36.18",
  "netconn_count": 1,
  "interface_ip": "172.19.33.201",
  "status": "Resolved",
  "observed_hosts": {
      "numFound": 3,
      "hostCount": 1,
      "globalCount": 3,
      "hostnames": [{
          "name": "win-6epacunb1i1",
          "value": 27893
      }],
      "accurateHostCount": true,
      "processCount": 1,
      "numDocs": "84136",
      "processTotal": 1
  },
  "process_path": "c:\\windows\\carbonblack\\cb.exe",
  "process_name": "cb.exe",
  "process_unique_id": "00000001-0000-0414-01d3-20c7b4fdd3cf-015e2e1f45f7",
  "process_id": "00000001-0000-0414-01d3-20c7b4fdd3cf",
  "_version_": 1578267828122812416,
  "regmod_count": 0,
  "md5": "e472001ffe350a80f4c1f3322180ca53",
  "segment_id": 773801463,
  "total_hosts": 1,
  "feed_id": -1,
  "assigned_to": "irteam",
  "os_type": "windows",
  "childproc_count": 0,
  "unique_id": "a743ee18-ce1d-4fb3-adc5-f05a77c8996c",
  "feed_rating": 3
}]

Delete Feed

This action is used to delete a feed.

Input
Name Type Default Required Description Enum
force boolean None True Force deletion of all matches if multiple matches found None
id string None True The ID of the feed None
Output
Name Type Required Description
success boolean False Whether or not the deletion was successful

Example output:


{
  "success": true
}

List Binaries

This action is used to list binaries with given parameters.

Input
Name Type Default Required Description Enum
query string None False Accepts the same data as the search box on the Process Search page None
rows integer 10 False How many rows of data to return. Default is 10 None
start integer 0 False What row of data to start at. Default is 0 None
Output
Name Type Required Description
binaries []binary False The list of binaries

Example output:


[{
  "host_count": 1,
  "original_filename": "bcryptprimitives.dll",
  "legal_copyright": "Microsoft Corporation. All rights reserved.",
  "digsig_result": "Signed",
  "observed_filename": [
      "C:\\Windows\\SysWOW64\\bcryptprimitives.dll"
  ],
  "product_version": "6.3.9600.18344",
  "facet_id": 737484,
  "digsig_issuer": "Microsoft Windows Production PCA 2011",
  "digsig_result_code": "0",
  "server_added_timestamp": "2017-08-30T02:37:08.977Z",
  "digsig_sign_time": "2017-08-03T10:45:00Z",
  "digsig_prog_name": "Microsoft Windows",
  "orig_mod_len": 340880,
  "is_executable_image": false,
  "is_64bit": false,
  "md5": "026B0CB0683E48164F43AADBE50E5506",
  "digsig_subject": "Microsoft Windows",
  "digsig_publisher": "Microsoft Corporation",
  "endpoint": [
      "WIN-6EPACUNB1I1|1"
  ],
  "group": [
      "Default Group"
  ],
  "event_partition_id": [
      98566909329408
  ],
  "watchlists": [{
      "wid": "7",
      "value": "2017-08-30T02:40:02.488Z"
  }],
  "file_version": "6.3.9600.18344 (winblue_ltsb.160518-1031)",
  "signed": "Signed",
  "copied_mod_len": 0,
  "company_name": "Microsoft Corporation",
  "internal_name": "bcryptprimitives.dll",
  "timestamp": "2017-08-30T02:37:08.977Z",
  "cb_version": 612,
  "os_type": "Windows",
  "file_desc": "Windows Cryptographic Primitives Library",
  "product_name": "Microsoft Windows Operating System",
  "last_seen": "2017-08-30T02:40:02.727Z"
}]

Add Feed

This action is used to add a feed.

Input
Name Type Default Required Description Enum
username string None False Username None
force boolean False False Add feed even if the feed URL is already in use None
use_proxy boolean None False Whether or not to use proxy None
feed_url string None False The URL of the feed to add None
enabled boolean None False Enable feed None
cert file None False Certificate file None
key file None False Key None
password password None False Password None
validate_server_cert boolean None False Whether or not to validate server certificate None
Output
Name Type Required Description
id integer False The ID of the added feed

Example output:


{
  "id": 5
}

Blacklist Hash

This action is used to ban a hash given its MD5.

Input
Name Type Default Required Description Enum
md5_hash string None True An MD5 hash None
Output
Name Type Required Description
success boolean False Status of request - true if successful, false otherwise

Example output:


{
  "success": true
}

List Watchlists

This action is used to list all watchlists.

Output
Name Type Required Description
watchlists []watchlist False The list of watchlists

Example output:


[{
  "last_hit_count": 8,
  "description": "",
  "search_query": "q=process_name%3Aconhost.exe",
  "from_alliance": false,
  "enabled": true,
  "search_timestamp": "2017-09-24 17:00:03.143824",
  "index_type": "events",
  "readonly": false,
  "alliance_id": null,
  "total_hits": "30368",
  "date_added": "2017-09-21 19:26:10.844270+00:00",
  "group_id": -1,
  "total_tags": "3461",
  "id": "12",
  "last_hit": "2017-09-24 17:00:03.329069+00:00",
  "name": "Conhost"
}]

Delete Watchlist

This action is used to delete a watchlist.

Input
Name Type Default Required Description Enum
force boolean None True Force deletion of all matches if multiple matches found None
id string None True The ID of the watchlist None
Output
Name Type Required Description
success boolean False Whether or not the deletion was successful

Example output:


{
  "success": true
}

List Processes

This action is used to list processes with given parameters.

Input
Name Type Default Required Description Enum
query string None False Accepts the same data as the search box on the Process Search page None
rows integer 10 False How many rows of data to return. Default is 10 None
start integer 0 False What row of data to start at. Default is 0 None
Output
Name Type Required Description
processes []process False The list of processes

Example output:


[{
  "process_md5": "e0c7813a97ca7947ff5c18a8f3b61a45",
  "sensor_id": 1,
  "filtering_known_dlls": false,
  "modload_count": 0,
  "parent_unique_id": "00000001-0000-0250-01d3-202c7755d833-000000000001",
  "emet_count": 0,
  "cmdline": "C:\\Windows\\system32\\services.exe",
  "filemod_count": 0,
  "id": "00000001-0000-02a8-01d3-202c7d4bb023",
  "parent_name": "wininit.exe",
  "parent_md5": "000000000000000000000000000000",
  "group": "default group",
  "parent_id": "00000001-0000-0250-01d3-202c7755d833",
  "hostname": "win-6epacunb1i1",
  "last_update": "2017-08-29T13:07:37.238Z",
  "start": "2017-08-28T18:35:57.663Z",
  "comms_ip": 885592626,
  "regmod_count": 0,
  "interface_ip": -1407252262,
  "process_pid": 680,
  "username": "SYSTEM",
  "terminated": false,
  "process_name": "services.exe",
  "emet_config": "",
  "last_server_update": "2017-08-29T13:12:35.593Z",
  "path": "c:\\windows\\system32\\services.exe",
  "netconn_count": 0,
  "parent_pid": 592,
  "crossproc_count": 0,
  "segment_id": 1504012355063,
  "host_type": "server",
  "processblock_count": 0,
  "os_type": "windows",
  "childproc_count": 19,
  "unique_id": "00000001-0000-02a8-01d3-202c7d4bb023-015e2e1f45f7"
}]

List Sensors

This action is used to list all sensors.

Input
Name Type Default Required Description Enum
ip string None False The sensor IP address None
hostname string None False The sensor hostname None
id string None False The sensor ID None
groupid string None False The sensor group ID None
Output
Name Type Required Description
sensors []sensor False The list of sensors

Example output:

[
    {
      "systemvolume_total_size": "107267223552",
      "os_environment_display_string": "Windows 7 Enterprise Service Pack 1, 64-bit",
      "clock_delta": "0",
      "supports_cblr": true,
      "sensor_uptime": "7655",
      "last_update": "2018-09-19 09:06:09.970817-07:00",
      "physical_memory_size": "1073274880",
      "build_id": 2,
      "uptime": "8757",
      "is_isolating": false,
      "computer_dns_name": "cb-sensor-win7",
      "emet_report_setting": " (GPO configured)",
      "id": 1,
      "emet_process_count": 0,
      "emet_is_gpo": false,
      "power_state": 0,
      "network_isolation_enabled": false,
      "systemvolume_free_size": "78565584896",
      "status": "Online",
      "num_eventlog_bytes": "11800",
      "sensor_health_message": "Elevated memory usage",
      "build_version_string": "006.001.002.71109",
      "computer_sid": "S-1-5-21-2519757177-4078746215-1447329238",
      "next_checkin_time": "2018-09-19 09:06:32.092306-07:00",
      "node_id": 0,
      "cookie": 1389712705,
      "emet_exploit_action": " (Locally configured)",
      "computer_name": "CB-SENSOR-WIN7",
      "license_expiration": "1990-01-01 00:00:00-08:00",
      "supports_isolation": true,
      "parity_host_id": "0",
      "supports_2nd_gen_modloads": false,
      "network_adapters": "10.4.26.148,00505694808c|",
      "sensor_health_status": 90,
      "registration_time": "2018-09-19 06:58:31.543400-07:00",
      "restart_queued": false,
      "num_storefiles_bytes": "0",
      "os_environment_id": 1,
      "shard_id": 0,
      "boot_id": "0",
      "last_checkin_time": "2018-09-19 09:06:03.096077-07:00",
      "os_type": 1,
      "group_id": 1,
      "display": true,
      "uninstall": false
    }
]

Get Binary

This action is used to retrieve a binary by its MD5 hash.

Input
Name Type Default Required Description Enum
hash string None True An MD5 hash None
Output
Name Type Required Description
binary bytes False A resulting binary, Base64-encoded

Example output:


{
  "binary": "b'MZ\\x00\\x00'"
}

Update Alert

This action is used to update or resolve an alert.

Input
Name Type Default Required Description Enum
status string Resolved True The status to update ['Resolved', 'Unresolved', 'In Progress', 'False Positive']
id string None True Unique ID of the alert. Example: 1cb11d0d-f86b-415d-aeb3-05f085973fbb None
Output
Name Type Required Description
success boolean False Whether or not the update was successful

Example output:


{
  "success": true
}

Add Watchlist

This action is used to add a watchlist.

Input
Name Type Default Required Description Enum
index_type string modules True Either modules or events for binary and process watchlists, respectively ['modules', 'events']
name string None True Watchlist name None
query string None True Raw Carbon Black query that this watchlist matches None
Output
Name Type Required Description
id string False The ID of the created watchlist

Example output:


{
  "id": 3
}

Isolate Sensor

This action is used to isolate a sensor from the network.

Input
Name Type Default Required Description Enum
hostname string None False Hostname of the sensor to isolate None
Output
Name Type Required Description
success boolean False Whether or not the isolation was successful

Example output:


{
  "success": true
}

List Feeds

This action is used to list all feeds.

Input

This action does not contain any inputs.

Output
Name Type Required Description
feeds []feed False The list of feeds

Example output:


[{
  "provider_url": "https://www.bit9.com/solutions/cloud-services/",
  "ssl_client_crt": null,
  "local_rating": null,
  "requires_who": null,
  "icon_small": "",
  "id": 13,
  "category": "Bit9 + Carbon Black First Party",
  "display_name": "Bit9 Software Reputation Service Trust",
  "use_proxy": null,
  "feed_url": "https://api.alliance.carbonblack.com/feed/SRSTrust",
  "username": null,
  "validate_server_cert": null,
  "ssl_client_key": null,
  "manually_added": false,
  "password": null,
  "icon": "",
  "provider_rating": 3,
  "name": "SRSTrust",
  "tech_data": "It is necessary to share MD5s of observed binaries with the Carbon Black Alliance to use this feed",
  "requires": null,
  "enabled": false,
  "summary": "The Bit9 Software Reputation Service (SRS) feed provides a level of software trustworthness",
  "requires_what": null,
  "order": 2
}]

Unisolate Sensor

This action is used to bring a sensor back into the network.

Input
Name Type Default Required Description Enum
hostname string None False Hostname of the sensor to unisolate None
Output
Name Type Required Description
success boolean False Whether or not the unisolation was successful

Example output:


{
  "success": true
}

Triggers

New Alert

This trigger is used to fire when a new alert is found.

Input

This action does not contain any inputs.

Output
Name Type Required Description
alert alert False Carbon Black alert

Example output:


{
  "username": "SYSTEM",
  "alert_type": "watchlist.hit.query.process",
  "sensor_criticality": 3,
  "modload_count": 0,
  "report_score": 75,
  "watchlist_id": "11",
  "sensor_id": 1,
  "feed_name": "My Watchlists",
  "created_time": "2017-09-11T17:50:03.377Z",
  "ioc_type": "query",
  "watchlist_name": "Watchlist",
  "ioc_confidence": 0.5,
  "ioc_attr": "{\"highlights\": [\"c:\\\\windows\\\\carbonblack\\\\PREPREPREcb.exePOSTPOSTPOST\", \"PREPREPREcb.exePOSTPOSTPOST\"]}",
  "alert_severity": 50.625,
  "crossproc_count": 0,
  "group": "default group",
  "hostname": "win-6epacunb1i1",
  "filemod_count": 0,
  "resolved_time": "2017-09-11T18:11:32.09Z",
  "comms_ip": "52.122.36.18",
  "netconn_count": 1,
  "interface_ip": "172.19.33.201",
  "status": "Resolved",
  "observed_hosts": {
      "numFound": 3,
      "hostCount": 1,
      "globalCount": 3,
      "hostnames": [{
          "name": "win-6epacunb1i1",
          "value": 27893
      }],
      "accurateHostCount": true,
      "processCount": 1,
      "numDocs": "84136",
      "processTotal": 1
  },
  "process_path": "c:\\windows\\carbonblack\\cb.exe",
  "process_name": "cb.exe",
  "process_unique_id": "00000001-0000-0414-01d3-20c7b4fdd3cf-015e2e1f45f7",
  "process_id": "00000001-0000-0414-01d3-20c7b4fdd3cf",
  "_version_": 1578267828122812416,
  "regmod_count": 0,
  "md5": "e472001ffe350a80f4c1f3322180ca53",
  "segment_id": 773801463,
  "total_hosts": 1,
  "feed_id": -1,
  "assigned_to": "irteam",
  "os_type": "windows",
  "childproc_count": 0,
  "unique_id": "a743ee18-ce1d-4fb3-adc5-f05a77c8996c",
  "feed_rating": 3
}

Custom Output Types

This plugin does not contain any custom output types.

Troubleshooting

This plugin does not contain any troubleshooting information.

Version History

  • 3.1.10 - Rebrand plugin
  • 3.1.9 - Pin to latest version of cbapi (1.6.2) to fix broken isolate() function
  • 3.1.8 - New spec and help.md format for the Extension Library
  • 3.1.7 - Fix issue where Delete Watchlist action would not run successfully
  • 3.1.6 - Fix issue where output from the New Alert trigger did not match the output schema
  • 3.1.5 - Update connection tests
  • 3.1.4 - Update descriptions
  • 3.1.3 - Pull the ConnectionCacheKey update from SDK
  • 3.1.2 - Fixed List Sensors action from failing when sensor dosen't exist
  • 3.1.1 - New input parameters for List Sensors action
  • 3.1.0 - Added action List Sensors
  • 3.0.0 - Plugin audited and various minor bugs corrected
  • 2.0.0 - Update to v2 Python plugin architecture | Support web server mode
  • 1.0.1 - SSL bug fix in SDK
  • 0.1.0 - Initial plugin

Links

References

plugin_spec_version: v2
extension: plugin
products: [insightconnect]
name: carbon_black_response
title: VMware Carbon Black EDR
vendor: rapid7
support: rapid7
status: []
description: Automate information collection, endpoint isolation and hash blacklisting
version: 3.1.10
resources:
  source_url: https://github.com/rapid7/insightconnect-plugins/tree/master/carbon_black_response
  license_url: https://github.com/rapid7/insightconnect-plugins/blob/master/LICENSE
  vendor_url: https://www.carbonblack.com/
tags:
- carbon black
- vmware
- response
- endpoint
- cb
- detection
hub_tags:
  use_cases: [alerting_and_notifications, threat_detection_and_response]
  keywords: [carbon black, vmware, response, endpoint, cb, detection]
  features: []
enable_cache: true
types:
  alert:
    alert_severity:
      type: number
      required: false
      title: Severity
    sensor_criticality:
      type: number
      required: false
      title: Sensor Criticality
    hostname:
      type: string
      required: false
      title: Hostname
    report_score:
      type: integer
      required: false
      title: Report Score
    feed_name:
      type: string
      required: false
      title: Feed Name
    created_time:
      type: date
      required: false
      title: Created Time
    os_type:
      type: string
      required: false
      title: OS Type
    feed_rating:
      type: number
      format: double
      required: false
      title: Feed Rating
    ioc_confidence:
      type: number
      required: false
      title: IOC Confidence
    unique_id:
      type: string
      required: false
      title: Unique ID
    md5:
      type: string
      required: false
      title: MD5
    sensor_id:
      type: integer
      required: false
      title: Sensor ID
    feed_id:
      type: integer
      required: false
      title: Feed ID
    ioc_attr:
      type: string
      required: false
      title: IOC Attributes
    status:
      type: string
      required: false
      title: Status
    alert_type:
      type: string
      required: false
      title: Type
  process:
    mod_load:
      type: integer
      required: false
      title: Mod Load
    sensor_id:
      type: integer
      required: false
      title: Sensor ID
    uid:
      type: string
      required: false
      title: UID
    filtering_known_dls:
      type: boolean
      required: false
      title: Filtering Known Downloads
    process_md5:
      type: string
      required: false
      title: MD5
    parent_unique_id:
      type: string
      required: false
      title: Parent Unique ID
    cmdline:
      type: string
      required: false
      title: CMD Line
    path:
      type: string
      required: false
      title: Path
    filemod_count:
      type: integer
      required: false
      title: Filemod Count
    id:
      type: string
      required: false
      title: ID
    parent_name:
      type: string
      required: false
      title: Parent Name
    crossproc_count:
      type: integer
      required: false
      title: Crossproc Count
    parent_pid:
      type: integer
      required: false
      title: Parent PID
    hostname:
      type: string
      required: false
      title: Hostname
    last_update:
      type: string
      required: false
      title: Last Update
    start:
      type: string
      required: false
      title: Start
    comms_ip:
      type: integer
      required: false
      title: Comms IP
    regmod_count:
      type: integer
      required: false
      title: Regmod Count
    interface_ip:
      type: integer
      required: false
      title: Interface IP
    process_pid:
      type: integer
      required: false
      title: PID
    username:
      type: string
      required: false
      title: Username
    terminated:
      type: boolean
      required: false
      title: Terminated
    process_name:
      type: string
      required: false
      title: Name
    emet_count:
      type: integer
      required: false
      title: EMET Count
    group:
      type: string
      required: false
      title: Group
    netconn_count:
      type: integer
      required: false
      title: Netconn Count
    segment_id:
      type: integer
      required: false
      title: Segment ID
    host_type:
      type: string
      required: false
      title: Host Type
    processblock_count:
      type: integer
      required: false
      title: Process Block Count
    filemod_complete:
      type: '[]string'
      required: false
      title: Filemod Complete
    os_type:
      type: string
      required: false
      title: OS Type
    binaries:
      type: object
      required: false
      title: Binaries
    childproc_count:
      type: integer
      required: false
      title: Childproc Count
    unique_id:
      type: string
      required: false
      title: Unique ID
  binary:
    digsig_prog_name:
      type: string
      description: If signed and present, the program name
      required: false
      title: Digital Signature Program Name
    digsig_issuer:
      type: string
      description: If signed and present, the issuer name
      required: false
      title: Digital Signature Issuer
    product_name:
      type: string
      description: If present, product name from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Product Name
    is_executable_image:
      type: boolean
      description: True if an EXE
      required: false
      title: Is Executable Image
    digsig_result:
      type: string
      description: Digital signature status; One of Signed, Unsigned, Expired, Bad
        Signature, Invalid Signature, Invalid Chain, Untrusted Root, Explicit Distrust
      required: false
      title: Digital Signature Result
    digsig_subject:
      type: string
      description: If signed and present, the subject
      required: false
      title: Digital Signature Subject
    observed_filename:
      type: '[]string'
      description: The set of unique filenames this binary has been seen as
      required: false
      title: Observed Filename
    os_type:
      type: string
      enum:
      - Windows
      - OSX
      - Linux
      description: Operating system type of this binary; one of windows, linux, osx
      required: false
      title: OS Types
    orig_mod_len:
      type: integer
      description: Filesize in bytes
      required: false
      title: Original Mod Length
    special_build:
      type: string
      description: If present, special build from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Special Build
    company_name:
      type: string
      description: If present, company name from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Company Name
    alliance_score_virustotal:
      type: string
      description: If enabled and the hit count is greater than one, the number of
        [VirusTotal](http://virustotal.com) hits for this MD5
      required: false
      title: Alliance Score Virustotal
    server_added_timestamp:
      type: string
      format: date
      description: The first time this binary was received on the server in the server
        GMT time
      required: false
      title: Server Added Timestamp
    private_build:
      type: string
      description: If present, private build from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Private Build
    internal_name:
      type: string
      description: If present, internal name from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Internal Name
    copied_mod_len:
      type: integer
      description: Bytes copied from remote host. If file is greater than 25MB this
        will be less than orig_mod_len
      required: false
      title: Copied Mod Length
    file_version:
      type: string
      description: If present, file version from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: File Version
    product_version:
      type: string
      description: If present, product version from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Product Version
    signed:
      type: string
      description: Digital signature status. One of Signed, Unsigned, Expired, Bad
        Signature, Invalid Signature, Invalid Chain, Untrusted Root, Explicit Distrust
      required: false
      title: Signed
    digsig_sign_time:
      type: string
      description: If signed, the timestamp of the signature in GMT
      required: false
      title: Digital Signature Times
    file_desc:
      type: string
      description: If present, file description from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: File Description
    legal_trademark:
      type: string
      description: If present, legal trademark from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Legal Trademark
    digsig_result_code:
      type: string
      description: HRESULT_FROM_WIN32 for the result of the digital signature operation
        via [WinVerifyTrust](http://msdn.microsoft.com/en-us/library/windows/desktop/aa388208)
      required: false
      title: Digital Signature Result Code
    original_filename:
      type: string
      description: If present, original filename from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Original Filename
    legal_copyright:
      type: string
      description: If present, legal copyright from [FileVersionInformation](http://msdn.microsoft.com/en-us/library/system.diagnostics.fileversioninfo.aspx)
      required: false
      title: Legal Copyright
    host_count:
      type: integer
      description: Count of unique endpoints which have ever reported this binary
      required: false
      title: Host Count
    is_64bit:
      type: boolean
      description: True if x64
      required: false
      title: Is 64-bit
    md5:
      type: string
      description: The MD5 hash of this binary
      required: false
      title: MD5
    digsig_publisher:
      type: string
      description: If signed and present, the publisher name
      required: false
      title: Digital Signature Publisher
    endpoint:
      type: '[]string'
      required: false
      title: Endpoint
    group:
      type: '[]string'
      required: false
      title: Group
    timestamp:
      type: date
      required: false
      title: Timestamp
    cb_version:
      type: integer
      required: false
      title: Carbon Black Version
    last_seen:
      type: date
      required: false
      title: Last Seen
  watchlist:
    last_hit_count:
      type: integer
      required: false
      title: Last Hit Count
    name:
      type: string
      required: false
      title: Name
    list_query:
      type: string
      description: URL-encoded search query associated with this watchlist
      required: false
      title: List Query
    enabled:
      type: boolean
      required: false
      title: Enabled
    list_timestamp:
      type: date
      required: false
      title: List Timestamp
    index_type:
      type: string
      description: Index to search for this watchlist
      enum:
      - events
      - modules
      required: false
      title: Index Type
    readonly:
      type: boolean
      required: false
      title: Readonly
    alliance_id:
      type: integer
      required: false
      title: Alliance ID
    total_hits:
      type: string
      required: false
      title: Total Hits
    date_added:
      type: date
      required: false
      title: Date Added
    group_id:
      type: integer
      required: false
      title: Group ID
    total_tags:
      type: string
      required: false
      title: Total Tags
    last_hit:
      type: date
      required: false
      title: Last Hit
    from_alliance:
      type: boolean
      required: false
      title: From Alliance
  feed:
    provider_url:
      type: string
      required: false
      title: Provider URL
    ssl_client_crt:
      type: string
      required: false
      title: SSL Client Certificate
    local_rating:
      type: integer
      required: false
      title: Local Rating
    requires_who:
      type: string
      required: false
      title: Requires Who
    icon_small:
      type: bytes
      required: false
      title: Icon Small
    id:
      type: integer
      required: false
      title: ID
    category:
      type: string
      required: false
      title: Category
    display_name:
      type: string
      required: false
      title: Display Name
    use_proxy:
      type: boolean
      required: false
      title: Use Proxy
    feed_url:
      type: string
      required: false
      title: Feed URL
    username:
      type: string
      required: false
      title: Username
    validate_server_cert:
      type: boolean
      required: false
      title: Validate Server Cert
    ssl_client_key:
      type: string
      required: false
      title: SSL Client Key
    manually_added:
      type: boolean
      required: false
      title: Manually Added
    password:
      type: string
      required: false
      title: Password
    icon:
      type: bytes
      required: false
      title: Icon
    provider_rating:
      type: number
      required: false
      title: Provider Rating
    name:
      type: string
      required: false
      title: Name
    tech_data:
      type: string
      required: false
      title: Tech Data
    requires:
      type: string
      required: false
      title: Requires
    enabled:
      type: boolean
      required: false
      title: Enabled
    summary:
      type: string
      required: false
      title: Summary
    requires_what:
      type: string
      required: false
      title: Requires What
    order:
      type: integer
      required: false
      title: Order
  sensor:
    systemvolume_total_size:
      description: Total size of system volume
      title: Systemvolume Total Size
      type: string
    os_environment_display_string:
      description: OS environment display string
      title: OS Environment Display String
      type: string
    sensor_uptime:
      description: How long the sensor has been up
      title: Sensor Uptime
      type: string
    is_isolating:
      description: Is sensor isolated
      title: Is Isolating
      type: boolean
    id:
      description: Sensor ID
      title: ID
      type: integer
    build_id:
      description: Sensor build ID
      title: Build ID
      type: integer
    uptime:
      description: Uptime
      title: Uptime
      type: string
    computer_dns_name:
      description: DNS name of the computer
      title: Computer DNS Name
      type: string
    physical_memory_size:
      description: Physical memory size
      title: Physical Memory Size
      type: string
    next_checkin_time:
      description: Next check-in time
      title: Next Check-In Time
      type: string
    sensor_health_message:
      description: Sensor health message
      title: Sensor Health Message
      type: string
    boot_id:
      description: Boot ID
      title: Boot ID
      type: string
    computer_sid:
      description: Computer SID
      title: Computer SID
      type: string
    event_log_flush_time:
      description: Event log flush time
      title: Event Log Flush Time
      type: string
    computer_name:
      description: Computer name
      title: Computer Name
      type: string
    license_expiration:
      description: License expiration
      title: License Expiration
      type: string
    network_adapters:
      description: Network adapters
      title: Network Adapters
      type: string
    sensor_health_status:
      description: Sensor health status
      title: Sensor Health Status
      type: integer
    registration_time:
      description: Registration time
      title: Registration Time
      type: string
    systemvolume_free_size:
      description: Systemvolume free size
      title: Systemvolume Free Size
      type: string
    notes:
      description: Notes
      title: Notes
      type: string
    network_isolation_enabled:
      description: Network isolation enabled
      title: Network Isolation Enabled
      type: boolean
    os_environment_id:
      description: OS environment ID
      title: OS Environment ID
      type: integer
    cookie:
      description: Cookie
      title: Cookie
      type: integer
    build_version_string:
      description: Build version string
      title: Build Version String
      type: string
    last_checkin_time:
      description: Last checkin time
      title: Last Checkin Time
      type: string
    group_id:
      description: Group ID
      title: Group ID
      type: integer
    display:
      description: Display
      title: Display
      type: boolean
    uninstall:
      description: Uninstall
      title: Uninstall
      type: boolean
    found:
      description: If sensor was found
      title: Found
      type: boolean
connection:
  api_key:
    title: API Key
    type: credential_secret_key
    description: API token found in your Carbon Black profile
    required: true
  url:
    title: URL
    type: string
    description: Carbon Black Server API URL
    default: https://127.0.0.1/api/bit9platform/v1
    required: true
  ssl_verify:
    title: SSL Verify
    type: boolean
    description: SSL certificate verification
    default: true
    required: true
actions:
  list_alerts:
    title: List Alerts
    description: List Carbon Black alerts with given parameters
    input:
      query:
        type: string
        description: Accepts the same data as the search box on the Process Search
          page
        required: false
        title: Query String
      rows:
        type: integer
        description: How many rows of data to return. Default is 10
        default: 10
        required: false
        title: Rows
      start:
        type: integer
        description: What row of data to start at. Default is 0
        default: 0
        required: false
    output:
      alerts:
        description: The lists of alerts
        type: '[]alert'
        required: false
  list_processes:
    title: List Processes
    description: List Carbon Black processes with given parameters
    input:
      query:
        type: string
        description: Accepts the same data as the search box on the Process Search
          page
        required: false
        title: Query String
      rows:
        type: integer
        description: How many rows of data to return. Default is 10
        default: 10
        required: false
        title: Rows
      start:
        type: integer
        description: What row of data to start at. Default is 0
        default: 0
        required: false
    output:
      processes:
        description: The list of processes
        type: '[]process'
        required: false
  list_binaries:
    title: List Binaries
    description: List Carbon Black binaries with given parameters
    input:
      query:
        type: string
        description: Accepts the same data as the search box on the Process Search
          page
        required: false
        title: Query String
      rows:
        type: integer
        description: How many rows of data to return. Default is 10
        default: 10
        required: false
        title: Rows
      start:
        type: integer
        description: What row of data to start at. Default is 0
        default: 0
        required: false
    output:
      binaries:
        description: The list of binaries
        type: '[]binary'
        required: false
  list_watchlists:
    title: List Watchlists
    description: List all watchlists
    output:
      watchlists:
        description: The list of watchlists
        type: '[]watchlist'
        required: false
  list_feeds:
    title: List Feeds
    description: List all feeds
    output:
      feeds:
        description: The list of feeds
        type: '[]feed'
        required: false
  list_sensors:
    title: List Sensors
    description: List all sensors
    input:
      id:
        type: string
        description: The sensor ID
        required: false
        title: ID
      hostname:
        type: string
        description: The sensor hostname
        required: false
        title: Hostname
      ip:
        type: string
        description: The sensor IP address
        required: false
        title: IP Address
      groupid:
        type: string
        description: The sensor group ID
        required: false
        title: Group ID
    output:
      sensors:
        description: The list of sensors
        type: '[]sensor'
        required: false
  get_binary:
    title: Get Binary
    description: Retrieve a binary by its MD5 Hash
    input:
      hash:
        description: An MD5 hash
        type: string
        required: true
        title: Hash
    output:
      binary:
        description: A resulting binary, Base64-encoded
        type: bytes
        required: false
  blacklist_hash:
    title: Blacklist Hash
    description: Ban a hash given its MD5
    input:
      md5_hash:
        description: An MD5 hash
        type: string
        required: true
        title: MD5 Hash
    output:
      success:
        type: boolean
        description: Status of request - true if successful, false otherwise
        required: false
  add_watchlist:
    title: Add Watchlist
    description: Adds a watchlist
    input:
      name:
        type: string
        description: Watchlist name
        required: true
      index_type:
        type: string
        description: Either modules or events for binary and process watchlists, respectively
        required: true
        default: modules
        enum:
        - modules
        - events
      query:
        type: string
        description: Raw Carbon Black query that this watchlist matches
        required: true
    output:
      id:
        description: The ID of the created watchlist
        type: string
        required: false
        title: ID
  add_feed:
    title: Add Feed
    description: Adds a feed
    input:
      feed_url:
        description: The URL of the feed to add
        type: string
        required: false
      force:
        type: boolean
        default: false
        description: Add feed even if the feed URL is already in use
        required: false
      enabled:
        type: boolean
        description: Enable feed
        required: false
      username:
        description: Username
        type: string
        required: false
      password:
        description: Password
        type: password
        required: false
      cert:
        description: Certificate file
        type: file
        required: false
      key:
        description: Key
        type: file
        required: false
      use_proxy:
        description: Whether or not to use proxy
        type: boolean
        required: false
      validate_server_cert:
        description: Whether or not to validate server certificate
        type: boolean
        required: false
    output:
      id:
        description: The ID of the added feed
        type: integer
        required: false
        title: ID
  delete_feed:
    title: Delete Feed
    description: Deletes a feed
    input:
      id:
        description: The ID of the feed
        type: string
        required: true
        title: ID
      force:
        type: boolean
        description: Force deletion of all matches if multiple matches found
        required: true
        title: Force
    output:
      success:
        type: boolean
        description: Whether or not the deletion was successful
        required: false
  delete_watchlist:
    title: Delete Watchlist
    description: Deletes a watchlist
    input:
      id:
        description: The ID of the watchlist
        type: string
        required: true
        title: ID
      force:
        type: boolean
        description: Force deletion of all matches if multiple matches found
        required: true
        title: Force
    output:
      success:
        type: boolean
        description: Whether or not the deletion was successful
        required: false
  update_alert:
    title: Update Alert
    description: Updates or Resolves an Alert in Carbon Black
    input:
      id:
        description: 'Unique ID of the alert. Example: 1cb11d0d-f86b-415d-aeb3-05f085973fbb'
        type: string
        required: true
        title: Unique ID
      status:
        description: The status to update
        type: string
        enum:
        - Resolved
        - Unresolved
        - In Progress
        - False Positive
        required: true
        default: Resolved
        title: Status
    output:
      success:
        type: boolean
        description: Whether or not the update was successful
        required: false
  isolate_sensor:
    title: Isolate Sensor
    description: Isolates a sensor from the network
    input:
      hostname:
        description: Hostname of the sensor to isolate
        type: string
        required: false
        title: Hostname
    output:
      success:
        type: boolean
        description: Whether or not the isolation was successful
        required: false
  unisolate_sensor:
    title: Unisolate Sensor
    description: Brings a sensor back into the network
    input:
      hostname:
        description: Hostname of the sensor to unisolate
        type: string
        required: false
        title: Hostname
    output:
      success:
        type: boolean
        description: Whether or not the unisolation was successful
        required: false
triggers:
  new_alert:
    title: New Alert
    description: Fires when a new alert is found
    output:
      alert:
        type: alert
        description: Carbon Black alert
        required: false
        title: Alert
Other plugins
Ivanti Security Controls
Rapid7   |   v1.5.0
Plugin
Get
McAfee ePO
Rapid7   |   v5.0.0
Plugin
Get
BlackBerry CylancePROTECT
Rapid7   |   v1.1.0
Plugin
Get
Fortinet FortiGate
Rapid7   |   v4.0.4
Plugin
Get
Jira
Rapid7   |   v6.0.1
Plugin
Get