Blog Post Archive

    CBAPI 2.0.0 Released

    Posted on Jul 29, 2024

    We would like to announce that CbAPI 2.0.0 is now available for installation via Python’s PyPI. Check out what has changed below.

    What changed - 2.0.0 - Breaking Changes: Due to the deactivation of several APIs, the following functionality has been completely removed from CBAPI:
    - Carbon Black Cloud: completely removed
    - Endpoint Standard (CB Defense): completely removed
    - Enterprise EDR (CB ThreatHunter): completely removed

    Read More >>

    Version 1.5.6 of the Carbon Black Cloud Python SDK includes a minor bug fix

    Read More >>

    Version 1.5.5 of the Carbon Black Cloud Python SDK includes a minor bug fix

    Read More >>

    Version 1.5.4 of the Carbon Black Cloud Python SDK includes two minor bug fixes.

    Read More >>

    Version 1.5.3 of the Carbon Black Cloud Python SDK includes Audit Export, along with other improvements and bug fixes.

    Read More >>

    Carbon Black Cloud Alert Export enables up to 25,000 Alert records to be returned in CSV format from the in-console Alerts page and API.

    Read More >>

    We’re pleased to announce version 2.3.0 of the VMware Carbon Black Cloud App for QRadar. One of the headline features of this release is the transition from Alerts v6 to the more advanced Alerts v7. There are some breaking changes, so check out the Release Notes and the User Guide before you install the new version of the app. New Features: Transitioned exclusively to API Keys with an Access Level Type “Custom” for authentication, simplifying API Key configuration.

    Read More >>

    Carbon Black Cloud App for Splunk 2.2.0 includes an Asset Inventory Input and increases the number of Live Query results that can be retrieved.

    Read More >>

    Version 1.5.2 of the Carbon Black Cloud Python SDK includes enhanced Audit Logs and CIS Benchmarking, along with other improvements and bug fixes.

    Read More >>

    Carbon Black Cloud now has the ability for Enterprise EDR and XDR customers to control the upload of new binaries to Carbon Black Cloud on a per-policy basis. This feature will be enabled over the coming weeks on a rolling basis.

    Read More >>

    The CarbonCLI - PowerShell CLI for Carbon Black Cloud 1.0.0 has been officially released!

    Read More >>

    The Audit Log service can be used to monitor your Carbon Black Cloud organization for actions performed by Carbon Black Cloud console users and API keys. Audit logs are recorded for most CREATE, UPDATE and DELETE actions as well as a few READ actions. Each audit log entry includes a description of the action and identifies the actor who performed it along with the actor’s IP address, which helps determine whether the user or API key is acting from an expected source.

    Read More >>

    ServiceNow Apps for ITSM, SecOps and Vulnerability Response have been updated to use the Alerts v7 API and Alert Forwarder Schema v2, and to support the Vancouver version of ServiceNow.

    Read More >>

    As an Enterprise EDR customer, you now have the option to add a new type of Forwarder to send all Authentication Events to a Forwarder destination (AWS S3 or Azure Blob Storage Container) as they are reported by your Windows sensors. The Auth Events forwarder type fully supports Semantic Versioning, and initially releases with a v1.0.0 schema.

    Read More >>

    Carbon Black Cloud App v2.0.0 for Splunk SOAR supports the Alerts v7 API, two new alert types to ingest, and a few new and updated actions.

    Read More >>

    Event Reporting and Sensor Operation Exclusions increase the ability of VMware Carbon Black Endpoint Standard and VMware Carbon Black Enterprise EDR customers to tune product behavior to resolve operational issues and meet business needs. The Policy Service API has been extended with Bypass Rule Configs for this feature.

    Read More >>

    Version 1.5.1 of the Carbon Black Cloud Python SDK includes Alerts v7 enhancements and Asset Groups, along with other improvements and bug fixes.

    Read More >>

    API Access to Carbon Black Cloud should be restricted and monitored. Find out about the mechanisms available.

    Read More >>

    Carbon Black Cloud App for Splunk 2.0.0 supports Alerts v7 API and Forwarder Schema v2, API Key configuration has been simplified, and most alert types can be enriched with the associated Observations. See the Upgrade Guide for all the necessary changes.

    Read More >>

    The Containerized Sensor bundles Endpoint Detection and Response (EDR) and Container Scanning security in one easy to deploy package.

    Read More >>

    A new Azure Blob Storage option is available for customers to export key Carbon Black Cloud data to external integrations, applications and long-term storage.

    Read More >>

    Use profiles with Host-based firewalls to provide location awareness. When using profiles, Carbon Black Cloud assigns separate security policies for each location or type of network connection.

    Read More >>

    We’re pleased to announce version 2.2.1 of the VMware Carbon Black Cloud App for QRadar. This is a patch release fixing a number of issues.

    Bug Fixes:
    - Fixed an issue where alerts and audit logs were sent with a delay in setups with a low volume of security events.
    - Fixed an application crash due to an out-of-memory problem under high load, which prevented the app from forwarding alerts.
    - Fixed an application crash when the console or apphost was down for a long time in setups with high volumes of security events.

    Read More >>

    The Carbon Black Cloud Events Data Forwarder Schema v1.1.0 includes new fields for XDR. Configure an Endpoint Event forwarder to produce data using the new schema version by selecting the v1.1.0 schema on the Add Forwarders page.

    Read More >>

    Custom Access Levels for API Keys can now have Authorized IP Addresses set. There are also improvements to the visibility of API Key Session Renewal time.

    Read More >>

    What is it? Carbon Black Cloud gives visibility and control over USB mass storage devices detected in your environment with the ability to block untrusted devices and approve trusted devices. The pre-existing implementation of Device Control blocks ALL operations on any external device. This enhancement enables users to separate read vs write vs execute permissions for approved devices on Windows endpoints. Users can determine whether a policy block should allow approved USB devices to read-only, read and write, read and execute, or read, write and execute.

    Read More >>

    The new API endpoint for retrieving query results from the Live Query API supports fetching results across runs and paginating beyond the 10k limit.

    Read More >>

    The Carbon Black Cloud Asset Groups API has been officially released! Create groups of assets and apply policies to the groups so the protections of all similar assets are synchronized.

    Read More >>

    The Carbon Black Cloud Syslog Connector Version 2.0.0 has been officially released! The Syslog Connector lets administrators forward alerts and audit logs from their Carbon Black Cloud instance to local, on-premise systems.

    Read More >>

    Version 1.5.0 of the Carbon Black Cloud Python SDK includes Alerts v7 functionality along with other improvements and bug fixes.

    Read More >>

    Simplifies the management of AWS accounts with bulk account management and CI/CD agent installation packages.

    Read More >>

    The Setup API enables scripted installation of Carbon Black tools for Container Security.

    Read More >>

    VMware Carbon Black Cloud platform with Splunk SOAR version 1.1.1 is a patch release that fixes a security vulnerability in one of the app’s dependencies.

    Read More >>

    We have recently released several new APIs and Schemas for the Carbon Black Cloud, which requires deprecation and eventual deactivation of the existing APIs and Schemas. We want to ensure you are taking full advantage of the exciting new features! We have developed migration guides and other resources for each of the new APIs and Schemas to make the transition as smooth as possible and allow you to quickly get up and running with the new features.

    Read More >>

    Core Prevention Exclusions Release

    Posted on Sep 14, 2023

    Carbon Black Cloud Core Prevention Exclusions: Allow essential business processes to run, even in the event of a false positive block.

    Read More >>

    As part of the release of Cloud Native Detection and Response, container fields are now included in Process Search APIs. Customers can query for Kubernetes and container-based events to investigate Cloud-Native environments easily, create a watchlist, and trigger Kubernetes and containers threats alerts.

    Read More >>

    Version 1.1.10 of the VMware Carbon Black Cloud App for Splunk has been released. It includes the ability to ingest Auth Events, updates an action to get Observations, and fixes some issues.

    Read More >>

    Announcing the CIS Benchmark APIs

    Posted on Aug 14, 2023

    CIS benchmarks are configuration guidelines published by the Center for Internet Security. These APIs enable configuration and retrieval of Benchmark Sets and Rules in Carbon Black Cloud, and retrieval of the results from scans performed using these Rules.

    Read More >>

    Announcing the Postman Workspace

    Posted on Aug 14, 2023

    The Carbon Black Postman Workspace makes it easier to fork the collection and get started with APIs. Try it out here.

    Read More >>

    ServiceNow Apps for ITSM, SecOps and Vulnerability Response have been updated to support the Utah version of ServiceNow.

    Read More >>

    QRadar App v2.2.0 OOM issue

    Posted on Aug 1, 2023

    How to change the memory setting to address a known issue: under high load (a high amount of alerts or audit logs per minute), the Carbon Black Cloud QRadar App may stop forwarding messages to QRadar because it hits a memory limit, which leads to app restarts.

    Read More >>

    Use the Image Scanning APIs to get information about when scans were performed, their source and risk summary as well as identify vulnerabilities in your environment. Use the Management APIs to manage hardening policies that combine predefined and user-defined policy rules that describe the target configuration of Kubernetes resources.

    Read More >>

    The Enriched Events API has been replaced by the new Observations API.

    Read More >>

    Script-based attacks are commonly used to gain entry into systems and to move laterally to inflict damage. The latest Script Deobfuscation API allows users to deobfuscate obfuscated PowerShell scripts. Deobfuscation increases an analyst’s efficiency when analyzing malicious scripts.

    Read More >>

    Carbon Black Cloud’s latest-generation Alerts data is now available to ingest directly into your Data Forwarder-enabled integrations. Making the full power of Carbon Black Cloud’s updated Alert data available to system integrators, the v2.0.0 Data Forwarder for Alerts provides a continuous stream of rich Carbon Black Cloud Alerts to be integrated into your SIEM, security lake and other custom applications.

    Read More >>

    Carbon Black Cloud Data Forwarder will always strive to offer parity with the latest and greatest data from the associated Carbon Black Cloud API. Carbon Black Cloud’s data continues to evolve as we add support for new kinds of findings and periodically re-align the data models across the platform; new fields and field values are added and semantics about how those fields are generated can vary.

    Read More >>

    How to migrate to Alerts v7 APIs

    Posted on Jul 9, 2023

    Learn how to move from the Alerts v6 API to the new Alerts v7 API to have access to a lot of new information and streamlined workflow.

    Read More >>

    To use the same Custom API key as for other calls, grant the key the org.audits permission and use it to call the Audit Log endpoint.
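    The entries above on the Audit Log service and on calling the Audit Log endpoint describe what each record carries (a description of the action, the actor, and the actor’s IP) and what it is for: deciding whether a user or API key is acting from an expected source. The following is an added example of that check, not code from the page or from Carbon Black; the records are constructed, and the field names (eventTime, loginName, clientIp, description, flagged), the EXPECTED_SOURCES allowlist and the review_audit_logs helper are this example’s own assumptions.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample records. The field names (eventTime, loginName, clientIp,
# description, flagged) are an assumption about the shape the Audit Log endpoint
# returns; verify them against responses from your own organization.
SAMPLE_AUDIT_LOGS: List[Dict] = [
    {"eventTime": 1690000000000, "loginName": "alice@example.com", "clientIp": "10.20.30.40",
     "description": "Logged in successfully", "flagged": False},
    {"eventTime": 1690000060000, "loginName": "alice@example.com", "clientIp": "10.20.30.40",
     "description": "Updated policy 'Standard'", "flagged": False},
    {"eventTime": 1690000120000, "loginName": "ABCDEFG123/API", "clientIp": "198.51.100.7",
     "description": "Retrieved audit logs", "flagged": False},
    {"eventTime": 1690000180000, "loginName": "ABCDEFG123/API", "clientIp": "203.0.113.9",
     "description": "Deleted policy 'Legacy'", "flagged": False},
    {"eventTime": 1690000240000, "loginName": "mallory@example.net", "clientIp": "10.20.30.41",
     "description": "Created API key", "flagged": True},
]

# Expected source networks per actor. Assumption for this example: the SOC keeps this
# allowlist in sync with corporate egress ranges and with the CIDRs configured as
# Authorized IP Addresses on each API key's custom access level.
EXPECTED_SOURCES: Dict[str, List[str]] = {
    "alice@example.com": ["10.20.0.0/16"],
    "ABCDEFG123/API": ["198.51.100.0/24"],
}


def _in_networks(ip: str, cidrs: Iterable[str]) -> bool:
    """True if ip parses and falls inside any of the given CIDR ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing clientIp never counts as expected
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def review_audit_logs(records: Iterable[Dict], expected_sources: Dict[str, List[str]]) -> List[Dict]:
    """Return one finding per record whose actor is unknown, whose source IP is
    outside the actor's expected networks, or that Carbon Black Cloud flagged.
    Every applicable reason is listed so a triager sees the full picture."""
    findings: List[Dict] = []
    for rec in records:
        actor = rec.get("loginName", "")
        ip = rec.get("clientIp", "")
        reasons: List[str] = []
        allowed = expected_sources.get(actor)
        if allowed is None:
            reasons.append("unknown actor")
        elif not _in_networks(ip, allowed):
            reasons.append("unexpected source IP")
        if rec.get("flagged"):
            reasons.append("flagged by Carbon Black Cloud")
        if reasons:
            findings.append({"eventTime": rec.get("eventTime"), "actor": actor, "clientIp": ip,
                             "description": rec.get("description", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_audit_logs(SAMPLE_AUDIT_LOGS, EXPECTED_SOURCES):
        print(f"{f['eventTime']} {f['actor']:<22} {f['clientIp']:<15} {f['description']:<28} {', '.join(f['reasons'])}")
```

    On the constructed data this reports two entries: the API key deleting a policy from 203.0.113.9, outside its authorized range, and an unknown actor creating an API key. If the endpoint you call hands back only entries since that key last fetched them, run this review from a key dedicated to the purpose so another integration does not drain the entries first.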

    Read More >>

    Version 1.4.3 of the Carbon Black Cloud Python SDK includes Host-Based Firewall and Data Collection Rule Configurations along with other improvements and bug fixes.

    Read More >>

    The new Alerts v7 API improves alert management and allows easier consumption and triage of alerts in the Carbon Black Cloud. It extends the existing capabilities with improved methods of retrieving alerts and adds functionality to manage the alert workflow.

    Read More >>

    Audit Log Retention Changes

    Posted on May 31, 2023

    The VMware Cloud Services Guide that governs the terms of VMware Carbon Black Cloud states that customer audit log data will be retained for 12 months, after which the logs will be removed. Historically, we have not enforced this policy, and customers have been able to access audit logs beyond the specified 12-month window. Moving forward, we will begin to enforce this policy and remove older audit logs. Customers will be able to access audit logs from the previous 12 months; however, beyond that, access is not guaranteed.

    Read More >>

    We are proud to announce VMware Carbon Black Cloud platform with Splunk SOAR version 1.1.0. This release adds new contextual actions that can be used in custom user-defined playbooks and a new CBC Assets playbook, which helps users automate the orchestration and remediation of alerts in Carbon Black Cloud based on endpoint device details.

    New features - 7 new actions:
    - dismiss future alerts
    - get asset info
    - get cleared eventlogs
    - get rdp info
    - get scheduled tasks
    - list logged users
    - list persistence locations

    A new CBC Assets playbook to help users automate the orchestration and remediation of alerts in Carbon Black Cloud from within Splunk SOAR, based on endpoint device details.

    Read More >>

    We’re pleased to announce version 2.2.0 of the VMware Carbon Black Cloud App for QRadar. This release includes new features, a redesign of the configuration experience with improved feedback, bug fixes and compatibility with QRadar 7.5.

    New Features:
    - Refresh of the user interface for configuration of the app
    - New design and validations. When selecting Settings > Configuration, requests are triggered to check validity. If there is currently something wrong with the credentials, the Device API or the Alerts API, validation errors will be shown.

    Read More >>

    A POST Process Search Validation endpoint has been released to address limitations in the length of the previous GET URL.

    Read More >>

    Version 1.1.9 of the VMware Carbon Black Cloud App for Splunk has been released and addresses some issues.

    Read More >>

    What’s New? We’re excited to announce the release of v1.0.0 of the Carbon Policy Replicator Tool. This Python-based GUI tool allows you to replicate policies and their rules to an unlimited number of other organizations across different Environments. Under the hood, this tool uses the Carbon Black Cloud Python SDK for things like Authentication and Credentials Handling, Retrieving Data from Carbon Black Cloud and Handling Errors and Exceptions. This is one example of how the SDK can be used to build powerful tools and integrations to streamline your workflows.

    Read More >>

    The Jobs Service API has been extended with the Event Export endpoint. Use this API to start an asynchronous search for:
    - Processes and Process Events
    - Observations
    - Auth Events
    - Enriched Events

    The Job Service API supports long-running searches, with the results available for download as a zipped CSV file. Please reach out to us with feedback.

    Read More >>

    The Carbon Black Postman Collection has been updated to include recently released Carbon Black Cloud features:
    - Observations
    - Auth Events
    - Network Threat Metadata Service
    - Export Events using the Job Service API

    Read More >>

    What’s New? We’re excited to announce the release of v1.4.2 of the Carbon Black Cloud Python SDK. There are several new features in this release:
    - Policy Rule Configurations
    - Core Prevention Rule Configurations
    - Observations
    - Auth Events

    The Complete Changelog. Here’s a complete changelog for this release of the SDK, which includes some less visible changes. New Features:
    - Policy Rule Configurations - allows users to make adjustments to Carbon Black-defined rules.

    Read More >>

    The new Carbon Black Cloud App for ServiceNow Vulnerability Response v1.0.0 is now available and provides integration of vulnerability data from Carbon Black Cloud to create tickets in ServiceNow. Updated versions of the ServiceNow SecOps App v2.0.0 and ITSM App v2.0.0 are available with new data ingest options and more actions available. All apps also include integration with the ServiceNow Configuration Management Database (CMDB) to support inventory use cases.

    Release Highlights:
    - New ServiceNow Vulnerability Response App
    - CMDB Integration across all three apps (ITSM, SecOps, VR) for inventory use cases
    - Additional SOAR actions in the ITSM and SecOps Apps
    - Data Forwarder Alert ingestion support
    - Support for ServiceNow versions San Diego and Tokyo

    App for Vulnerability Response (VR) v1.

    Read More >>

    VMware Carbon Black Extended Detection and Response (XDR) greatly enhances lateral security by leveraging telemetry. Security teams can leverage VMware Carbon Black XDR to quickly identify threats across their environment and make better-informed decisions in applying prevention policies. You can visualize and analyze relevant network data. For example:
    - Signatures of network connections (JA3 and JA3S thumbprints)
    - Network intrusion detection
    - Security wrapper details (TLS data)
    - Signer of certificate (encryption - TLS data)
    - HTTP details

    Requirements:
    - XDR is an add-on to Carbon Black Enterprise EDR
    - Auth Events is included with Carbon Black Enterprise EDR
    - Both require the Carbon Black Cloud Windows Sensor 3.

    Read More >>

    What was changed and why? We are releasing a minor version of the Carbon Black Cloud QRadar App due to a change in the way the API key type is validated in the app, and to upgrade a few packages whose previous versions have reported vulnerabilities. This change is necessary because a deprecation notice has been issued for the API that checks the validity of the API key type. Carbon Black Cloud QRadar App v2.

    Read More >>

    The Carbon Black Postman Collection has been updated to include recently released Carbon Black Cloud features:
    - Hide / dismiss vulnerabilities
    - Policy extensions for Core Prevention and Host-Based Firewall
    - Live Query corrections and improvements to examples
    - Align with Device Search Criteria
    - Align with Process and Enriched Event Search Recommendations

    If there are any concerns about this change, please reach out to us.

    Read More >>

    Host-Based Firewall Release

    Posted on Jan 25, 2023

    The latest policy release has added an important functional component to the Carbon Black Cloud. Host-Based Firewall increases analyst visibility over their organization’s network traffic and adds the ability to control what network traffic they want to allow.

    Read More >>

    Carbon Black Cloud Integration with Splunk SOAR We are proud to announce the first release of a unified integration connecting the VMware Carbon Black Cloud platform with Splunk SOAR. Through this application, customers can integrate Carbon Black Cloud actions and data into Splunk SOAR workflows using a single application. Additionally, customers can integrate their endpoint protection platform functionality either directly from the Carbon Black Cloud, or from Splunk SIEM (using the Splunk App for Splunk SOAR), and eliminate the need for outdated or custom-built integrations.

    Read More >>

    When checking the status of the following calls, the Job ID endpoint is no longer supported. Instead, issue the appropriate results request with the query ?start=0&rows=0; the job status is available in the response by comparing contacted to completed. The job is complete when contacted == completed in the response. However, during high usage a searcher may fail, leaving a difference of 1. To prevent an infinite loop, add a timeout of 3 minutes, as a job’s maximum active time is limited to 3 minutes.
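    The polling loop this notice describes, with the two caveats it names (a searcher failure that leaves contacted one ahead of completed, and the hard 3-minute timeout), as an added example that is not code from the page or from Carbon Black. The fetch callable, the FakeClock, the scripted fetcher and the decision to treat a shortfall of exactly 1 at timeout as a degraded-but-usable result are this example’s own assumptions; in production the fetcher would make the results request with ?start=0&rows=0 against your environment and return the parsed JSON body.

```python
import time
from typing import Callable, Dict, List, Tuple

# A fetcher takes the job/search id and returns the parsed JSON body of the
# appropriate results request issued with ?start=0&rows=0. The HTTP wiring is
# left out so the example runs offline; scripted_fetch below stands in for it.
Fetcher = Callable[[str], Dict]

MAX_ACTIVE_SECONDS = 180   # a job's maximum active time per the notice: 3 minutes
TOLERATED_SHORTFALL = 1    # one failed searcher leaves contacted - completed == 1


def poll_until_complete(job_id: str, fetch: Fetcher, timeout_s: float = MAX_ACTIVE_SECONDS,
                        interval_s: float = 5.0, sleep=time.sleep, clock=time.monotonic) -> Dict:
    """Poll a results request until contacted == completed.

    If the timeout elapses with exactly one searcher outstanding, the job is
    reported complete but 'degraded' (the failed searcher's results are absent);
    a larger shortfall raises TimeoutError. sleep/clock are injectable so the
    loop can be driven deterministically without blocking.
    """
    started = clock()
    polls = 0
    while True:
        body = fetch(job_id)
        polls += 1
        contacted = int(body.get("contacted", 0))
        completed = int(body.get("completed", 0))
        if contacted == completed:
            return {"status": "complete", "degraded": False, "contacted": contacted,
                    "completed": completed, "polls": polls}
        if clock() - started >= timeout_s:
            shortfall = contacted - completed
            if 0 < shortfall <= TOLERATED_SHORTFALL:
                return {"status": "complete", "degraded": True, "contacted": contacted,
                        "completed": completed, "polls": polls}
            raise TimeoutError(f"job {job_id}: {shortfall} searcher(s) still outstanding after {timeout_s}s")
        sleep(interval_s)


class FakeClock:
    """Deterministic clock for the offline demo: sleep() advances time instead of blocking."""

    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def monotonic(self) -> float:
        return self.now


def scripted_fetch(responses: List[Tuple[int, int]]) -> Fetcher:
    """Fake fetcher returning constructed (contacted, completed) pairs in order, repeating the last."""
    state = {"calls": 0}

    def fetch(job_id: str) -> Dict:
        contacted, completed = responses[min(state["calls"], len(responses) - 1)]
        state["calls"] += 1
        # Constructed response shape; only contacted/completed matter for the status check.
        return {"contacted": contacted, "completed": completed, "num_found": 0, "results": []}

    return fetch


def run_scenario(responses: List[Tuple[int, int]]) -> Dict:
    """Drive poll_until_complete against a scripted fetcher with a fake clock."""
    clk = FakeClock()
    return poll_until_complete("job-example", scripted_fetch(responses),
                               sleep=clk.sleep, clock=clk.monotonic)


def times_out(responses: List[Tuple[int, int]]) -> bool:
    """True if the scenario ends in TimeoutError rather than a (possibly degraded) result."""
    try:
        run_scenario(responses)
    except TimeoutError:
        return True
    return False


if __name__ == "__main__":
    print(run_scenario([(3, 1), (3, 2), (3, 3)]))   # healthy: complete on the third poll
    print(run_scenario([(3, 2)]))                   # one searcher failed: degraded after timeout
    print("stuck job times out:", times_out([(3, 0)]))
```

    Whether a degraded result should be consumed or the search re-run is a policy choice for the caller; the loop only makes the two outcomes distinguishable instead of spinning forever or discarding a nearly complete result.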

    Read More >>

    Core Prevention Release

    Posted on Jan 11, 2023

    The latest policy release has added an important functional component to the Carbon Black Cloud. Core Prevention simplifies policy management and provides increased control over your Endpoints and Workloads.

    Read More >>

    The Device API documentation has been updated with all fields in snake_case. Previously there were inconsistencies in field names where the request specified camelCase and the response used snake_case. Check the Device v6 API page for full API information on searching and sorting.

    Affected fields for search criteria:
    - ad_group_id
    - auto_scaling_group_name
    - base_device
    - cloud_provider_account_id
    - cloud_provider_resource_id
    - cloud_provider_tags
    - deployment_type
    - golden_device_id
    - golden_device_status
    - host_based_firewall_status
    - host_based_firewall_reason
    - infrastructure_provider
    - last_contact_time
    - os_version
    - policy_id
    - sensor_version
    - signature_status
    - sub_deployment_type
    - target_priority
    - vcenter_uuid
    - virtual_private_cloud_id
    - virtualization_provider
    - vm_uuid
    - vcenter_host_url

    Affected fields for sorting

    Read More >>

    What’s New? We’re excited to announce the release of v1.4.1 of the Carbon Black Cloud Python SDK. There are several new features in this release:
    - Live Query Differential Analysis support
    - Upgraded support for Workloads Search, including AWS workloads support

    The Complete Changelog. Here’s a complete changelog for this release of the SDK, which includes some less visible changes. New Features:
    - AWS workloads now supported in VM Workloads Search.

    Read More >>

    Event Forwarder 3.8.4 is now generally available for all on-prem VMware Carbon Black EDR customers as a containerized distribution and as a standard RPM distribution. Containerized Event Forwarder 3.8.4 is compatible with containerized Carbon Black EDR Server (7.7.0+). This is a maintenance release that delivers the following:

    Features:
    - The service employs a more efficient compression engine.

    Bug Fixes / Other Changes:
    - A fix for an issue that affects previous 3.

    Read More >>

    CBAPI 1.7.9 Released

    Posted on Sep 29, 2022

    We are proud to announce that CbAPI 1.7.9 is now available for installation via Python’s PyPI. Check out what has changed below. We also want to thank all the collaborators on CBAPI that made this release possible. If you have any improvements or new ideas, feel free to make an issue or create a pull request at our CBAPI GitHub repo.

    What changed - 1.7.8 and 1.7.9 - EDR (CB Response):
    - Adjust Live Response Worker creation for EDR sensors to optimize for sensor-specific jobs

    Read More >>

    New Carbon Black Cloud Rate Limits

    Posted on Sep 27, 2022

    We strive to ensure maximum uptime, availability and fidelity of our APIs within and across customer organization boundaries. However, the outsized API request volume from a small number of callers could degrade API performance for other organizations in the same Carbon Black Cloud environment. To prevent service outages from reoccurring, rate limits are being introduced. The limits may change or be rolled out to additional APIs and Carbon Black Cloud environments as needed.

    Read More >>

    Carbon Black Cloud has achieved Federal Risk and Authorization Management Program (FedRAMP) High Authorization and is available for customers in the AWS GovCloud (US) environment. These cloud services are designed to empower US government agencies and customers supporting the US government to migrate, manage, and operate sensitive workloads in the cloud. What is different in the AWS GovCloud (US)? The AWS GovCloud (US) is built on VMware’s Cloud Services Platform (CSP).

    Read More >>

    Version 1.1.6 of the VMware Carbon Black Cloud App for Splunk has been released and addresses some issues.

    Version 1.1.6. The following bugs have been fixed in 1.1.6:
    - Updated Alert Action to allow Splunk index naming conventions.

    Resources:
    - Installation, configuration and user guides
    - Guide on TechZone
    - Download from Splunkbase

    Have questions or feedback?
    - Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community
    - Report bugs and change requests to Carbon Black Support

    Read More >>

    Event Forwarder 3.8.2, the initial release of containerized Event Forwarder, is now generally available for all on-prem EDR customers! Event Forwarder 3.8.2 is available as a containerized distribution and as a standard RPM distribution. Containerized Event Forwarder 3.8.2 is compatible with containerized EDR Server, while Event Forwarder versions prior to 3.8.2 are not compatible with containerized EDR Server. This is a maintenance release that delivers the following:

    Features:
    - Compatibility with containerized EDR Server via a new Event Forwarder docker image

    Bug Fixes / Other Changes:
    - An adjustment to a change in RabbitMQ authentication released in EDR Server 7.

    Read More >>

    We are excited to announce that VMware Carbon Black Workload will extend support for native AWS EC2 instances to multi-cloud environments. By using a single unified console that integrates into existing infrastructure, security and IT teams can reduce the attack surface and strengthen security postures, while achieving consistent and unified visibility for workloads running on AWS, VMware Cloud and on-premises environments. This offering helps bring operational confidence and reduce time to resolution to future-proof AWS workloads.

    Read More >>

    EDR Live Query exposes an operating system as a high-performance relational database, which enables you to write SQL-based queries that explore operating system data. These queries allow you to gain a better understanding of your environment, analyze security vulnerabilities, and identify anomalies like unencrypted disks or processes running without a binary on disk. Live Query is based on osquery, which is an open-source project that uses a SQLite interface. The Live Query API allows you to execute queries against the operating system via API call and analyze the results outside of the EDR console.

    Read More >>

    What’s New? We’re excited to announce the release of v1.4.0 of the Carbon Black Cloud Python SDK. There are several new features in this release:
    - Support for the new Policy APIs.
    - Credentials handler now supports OAuth tokens.
    - Support for querying a single Report from a Feed.
    - Support for Alert notes.

    Breaking Changes to Be Aware Of: The Policy object has been moved from cbc_sdk.endpoint_standard to cbc_sdk.platform, as it now uses the new Policy Services API rather than the old APIs through Integration Services.

    Read More >>

    We recently announced the new Policy Service v1 API. We now have all the information you need to migrate your integrations and automation to take advantage of the new API and be ready to extend when new features are added. Read the Policy API Migration Guide for the details. Changes to the API Details of the new API are here. In addition to the structure of the API requests and responses, the type of API key for authentication has changed.

    Read More >>

    Event Forwarder 3.7.6 is now generally available for all on-prem EDR customers. Event Forwarder 3.7.6 is the only version that should be run with Server 7.7.0 at the time of this writing and replaces 3.8.0 and 3.8.1 as the latest stable release. This is a maintenance release that delivers the following bug fixes: Corrects an issue in which Event Forwarder could not authenticate with EDR Server versions 7.7.0 and greater, causing Event Forwarder to fail to start.

    Read More >>

    Customers with Carbon Black Cloud Audit & Remediation can now perform differential analysis on scheduled queries using the Differential Queries API. This feature allows users to answer the question, “What has changed since the last time this query ran?” The Differential Analysis API enables users to view only the changes to the results of scheduled queries between different runs, saving time and manual effort by making it easier to track system changes over time.

    Read More >>

    VMware Carbon Black’s latest integrations combine industry-leading endpoint telemetry and response actions with ServiceNow’s solutions for IT and Security teams to accelerate cross-functional workflows through automation. IT and Security teams can now leverage Carbon Black Cloud telemetry and endpoint response actions from within their ServiceNow console and workflows, streamlining hand-offs between analysts and standardizing common workflows. The apps are now available in the ServiceNow app store and provide joint customers with access to pre-built ticketing and incident response workflows powered by Carbon Black Cloud data and response actions.

    Read More >>

    Version 1.1.5 of the VMware Carbon Black Cloud App for Splunk has been released and addresses some issues. Earlier in 2022, in Version 1.1.4 of the app, the ability to ingest Watchlist Hits via the Data Forwarder was added.

    Version 1.1.5. The following bugs have been fixed in 1.1.5:
    - Updated client handler to process more than 2500 remediation results without a failure in code.
    - Updated client handler to capture 410 errors on live query result histories, and save the checkpoint.

    Read More >>

    We’re pleased to announce the United Kingdom Point of Presence (UK POP) for Carbon Black Cloud is available. The PoP will deliver cloud native endpoint and workload protection for customers that need to meet the UK government’s Cyber Essentials Plus requirements, while providing peace of mind for all UK customers who require their telemetry data to remain resident within the UK. Read more on the VMware Security Blog. What is different in the UK PoP?

    Read More >>

    We’re pleased to announce improvements to the two apps for IBM QRadar - VMware Carbon Black Cloud App v2.1.0 and VMware Carbon Black EDR App v2.0.1.

    Improvements in VMware Carbon Black Cloud App v2.1.0. Features:
    - Support for multi-tenancy
    - Ability to configure a custom Log Source Identifier
    - Ability to toggle Audit Logs ON/OFF

    UI Changes:
    - The help tooltips on the Settings pages are displayed only on click on the “?” icon
    - Watchlist Alerts are locked if Enterprise EDR is not available
    - Upgrades of dependencies because of vulnerabilities in older versions

    Bug Fixes:

    Read More >>

    Overview: The Carbon Black Cloud Threat Intelligence connector allows the importing of threat intelligence data by using the STIX/TAXII standards. This new version supports the major versions of STIX (1.2/2.0/2.1). In contrast to the previous version, it is a standalone connector with improved usability and more features, rather than part of the CBC SDK.

    Prerequisites: To use this connector you must have the following products:
    - Carbon Black Cloud, Enterprise EDR
    - Carbon Black Cloud Threat Intelligence Connector (GitHub)
    - Third-Party Threat Intelligence data (STIX 1.

    Read More >>

    New Policy Service API Release

    Posted on Apr 25, 2022

    Overview Policies are a group of rules and sensor settings that determine preventative behavior. Each endpoint sensor, or sensor group, is assigned to a policy. With the Policy Service API, you can now manage your Policies for endpoints and workloads with a single CUSTOM API key. This will allow more granular permission controls when creating API keys to manage Policies. This iteration of the Policies API also aligns many field names with those used elsewhere in the product.

    Read More >>

    What’s New? We’re excited to announce the release of v1.3.6 of the Carbon Black Cloud Python SDK. There are three new features in this release:
    - Container Runtime Alerts, generated by Kubernetes containers when you have VMware Carbon Black Container.
    - NSX Remediation functionality.
    - Device Facet API now supported.

    The Complete Changelog. Here’s a complete changelog for this release of the SDK, which includes some less visible changes. New Features:
    - Support for Device Facet API.

    Read More >>

    We have simplified the Data Forwarder to require fewer permissions. The following actions are no longer required in the bucket policy:
    “s3:AbortMultipartUpload”
    “s3:GetObjectAcl”
    “s3:ListMultipartUploadParts”
    Additionally, it is now possible to enable KMS encryption on any AWS S3 bucket used to store data sent from the Carbon Black Cloud Data Forwarder. The following instructions are intended for existing customers who have already enabled a CBC Data Forwarder, and who wish to enable KMS encryption on their existing S3 bucket.

    Read More >>
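    As an added example (not from the Carbon Black Cloud documentation or any of its tooling), the script below takes an existing Data Forwarder bucket policy written against the old requirements, drops the three actions the announcement says are no longer needed, and flags any wildcard S3 actions left behind. The sample policy, the role ARN and the bucket name are constructed placeholders, and the policy is loaded from a JSON string rather than fetched from AWS so the script runs offline.

```python
"""Prune now-unneeded S3 actions from a Data Forwarder bucket policy.

Added example, not from the Carbon Black Cloud docs. SAMPLE_POLICY is
constructed; the principal ARN and bucket name are placeholders.
"""
import copy
import json

# Actions the announcement says the Data Forwarder no longer needs.
UNNEEDED_ACTIONS = {
    "s3:AbortMultipartUpload",
    "s3:GetObjectAcl",
    "s3:ListMultipartUploadParts",
}

# Constructed sample: an "existing customer" policy written against the
# old requirements. Role and bucket names are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowForwarderWrites",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/cbc-forwarder-example"},
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:GetObjectAcl",
                "s3:ListMultipartUploadParts",
            ],
            "Resource": "arn:aws:s3:::example-cbc-bucket/*",
        },
        {
            "Sid": "AllowBucketList",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/cbc-forwarder-example"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-cbc-bucket",
        },
    ],
})


def _as_list(value):
    """IAM allows Action to be a string or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def prune_policy(policy_json, unneeded=UNNEEDED_ACTIONS):
    """Return (tightened policy dict, list of removed "Sid:action" entries).

    Only Allow statements with an explicit Action list are touched: a Deny
    of one of these actions is harmless and stays, and NotAction statements
    are left for a human to review. A statement whose Action list becomes
    empty is dropped, since an Allow that grants nothing is dead weight.
    """
    policy = json.loads(policy_json)
    removed, kept = [], []
    for stmt in policy.get("Statement", []):
        stmt = copy.deepcopy(stmt)
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            kept.append(stmt)
            continue
        actions = _as_list(stmt["Action"])
        removed.extend(f"{stmt.get('Sid', '?')}:{a}" for a in actions if a in unneeded)
        keep = [a for a in actions if a not in unneeded]
        if not keep:
            continue
        stmt["Action"] = keep[0] if len(keep) == 1 else keep
        kept.append(stmt)
    policy["Statement"] = kept
    return policy, removed


def wildcard_actions(policy):
    """List Allow statements granting wildcard actions such as s3:* (least privilege check)."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.endswith("*"):
                flagged.append(f"{stmt.get('Sid', '?')}:{action}")
    return flagged


if __name__ == "__main__":
    tightened, removed = prune_policy(SAMPLE_POLICY)
    print("removed:", removed)
    print("wildcards left:", wildcard_actions(tightened))
    print(json.dumps(tightened, indent=2))
```

    To use it against a real bucket, pull the live policy with aws s3api get-bucket-policy, run it through prune_policy, review the result, and put it back with aws s3api put-bucket-policy. Enabling SSE-KMS on the bucket is a separate change (bucket default encryption plus a key policy that the forwarder's writing principal is allowed to use) and is not something this script touches.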

    Announcing Container Runtime Alerts

    Posted on Mar 21, 2022

    Overview With the release of the Container Runtime Security for VMware Carbon Black Container, Container Runtime alerts are now included in the Alerts API and the Data Forwarder. With this change, you can now pull Container alerts into your SIEM, SOAR, or other analysis platform just like CB Analytics, Watchlist, and Device Control alerts. Requirements: Carbon Black Cloud Container. More information: Container Runtime, Data Forwarder, Carbon Black Cloud APIs.

    Read More >>

    Overview The integration between Carbon Black Cloud Workload and NSX-T orchestrates network remediations using NSX-T Distributed Firewall (DFW) policies and associated tags. After registering the Carbon Black Cloud Workload with the NSX Manager, you can use the newly created NSX policies to remediate VM workloads within the Carbon Black Cloud console, or remove already applied NSX policy tags from certain VM workloads. Prerequisites The VM workload must be associated with a Carbon Black Cloud Workload appliance that is registered with NSX and has active NSX connectivity.

    Read More >>

    Cb Event Forwarder 3.8.1 Released

    Posted on Mar 8, 2022

    Announcing the Release of Carbon Black EDR Event Forwarder 3.8.1 We’re excited to announce the release of Carbon Black EDR Event Forwarder 3.8.1 for on-prem EDR customers. Event Forwarder 3.8.1 is a maintenance release, which delivers the following bug fixes and improvements: Bug Fixes / Improvements Fixes a bug where timestamps were not included with certain event-types Fixes a bug where messages were silently dropped in certain error cases Improved hostname detection Better error logging for configuration errors Download On-prem EDR customers can download Event Forwarder 3.

    Read More >>

    What has changed with MITRE ATT&CK v10? In the last year, as part of their bi-annual content releases, MITRE added new techniques, converted some techniques to sub-techniques, renamed other techniques, and also deprecated several techniques. These are specified in MITRE ATT&CK v10. The latest backend release of Carbon Black Cloud introduces new MITRE TTPs, both new techniques and sub-techniques, throughout the platform. These are intended to simplify defender workflows and improve overall communication around adversary tactics and techniques.

    Read More >>

    Do I need this change? VMware Carbon Black Cloud App v2 changed the log source identifier used to send events from CBC to QRadar from cbcloud (in v1.0) to localhost (in v2.0). As a result, if you already have any log sources of type syslog that use localhost as the log source identifier, the events will be processed by the existing DSM and not by the DSM provided by the app.

    Read More >>

    Yara Manager 2.2.0 Released

    Posted on Jan 31, 2022

    The 2.2.0 release of the Yara Manager has the following changes: Updated version number to match Yara Connector. Fixed uploading and validation of rules that depend on OpenSSL (e.g., using pe.imphash in a condition). Updated several third-party packages to prevent potential security issues. Some code cleanup. Documentation: /reference/enterprise-response/connectors/cb-yara-manager-guide/

    Read More >>

    What’s New? We’re excited to announce the release of v1.3.5 of the Carbon Black Cloud Python SDK. The major new functionality of this release is improvements to Live Query, with new helper functions and exporting of results, both synchronously and asynchronously (using the Jobs API). The Live Query documentation on the Developer Network has also been updated. Also appearing in this release is a new SDK Guide for the Vulnerabilities API, and a new credential handler that uses AWS Secret Keeper to store credentials.

    Read More >>

    Cb Event Forwarder 3.8.0 Released

    Posted on Jan 7, 2022

    Download https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.8.0 New Features The new EDR event task.error.logged is now supported. This event is enabled using task_errors=ALL in the EF configuration file. It is also supported in the EDR console configuration page for EF, starting with EDR v7.5.0. compression_type=lz4: a new compression type, lz4, is now available. The gzip type is still the default. LZ4 is a lossless data compression algorithm that is focused on compression and decompression speed.

    Read More >>

    Now Available: Watchlist Hit Forwarding in the Carbon Black Cloud Data Forwarder Carbon Black Cloud Enterprise EDR customers can now forward Watchlist Hits to external tools and workflows using the Data Forwarder. The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event, alert and watchlist data in near-real time within other tools and workflows without having to perform one-off API calls.

    Read More >>

    Carbon Black Cloud Integration with IBM QRadar We are proud to announce the release of version 2.0 of the unified integration that connects the VMware Carbon Black Cloud platform with IBM QRadar. Through this application, customers can eliminate disparate log sources and outdated integrations in their QRadar SIEM and streamline their security operations and processes. The release of this application eliminates the need for disparate modules to integrate your endpoint alerts, events and response actions into the QRadar console.

    Read More >>

    Advanced Event Filtering with Custom Queries Advanced Filters are now available for the VMware Carbon Black Cloud Data Forwarder. With this update you can reduce the volume of data that’s delivered to downstream tools by providing the ability to specify precisely which events are needed for your use case. The Carbon Black Cloud Data Forwarder is a reliable, scalable mechanism for Carbon Black Cloud customers to access event and alert data in near-real time within other tools and workflows without having to perform one-off API calls.

    Read More >>

    All new Recommendations for the Carbon Black Cloud We’re excited to announce that Recommendations are available in the Carbon Black Cloud Endpoint Standard product to assist you in tuning your console and optimizing your environment. The Recommendations API provides programmatic access to the same features available through the Carbon Black Cloud console:
    Rapidly configure a Policy tailored for your environment
    View top ten Recommendations daily
    Accept and reject Recommendations
    Tune new configurations based on the system Recommendations rather than requiring manual investigation of activity in that environment
    How to get access:
    Learn how to use the Recommendations feature in the Carbon Black Cloud console
    Get started with the Recommendations API
    Access the Recommendations features in the Carbon Black Cloud Python SDK
    Have questions or feedback?

    Read More >>

    VMworld and Code Connect Sessions

    Posted on Oct 5, 2021

    On October 5th - 6th 2021, VMware will host VMworld, including Code Connect. Register here to join the sessions live, or view on demand after the event. During this event there will be several sessions to help customers leverage the full power of the Carbon Black Cloud through open APIs and technical integrations. After the live portion of the event has passed, you can still register to access the sessions on-demand.

    Read More >>

    What’s new? Version 2.0.0 of the VMware Carbon Black EDR App for IBM QRadar, which lets administrators leverage an industry-leading EDR (Endpoint Detection and Response) solution to detect risk and take action on endpoint activity from the QRadar console, has been refreshed to be compatible with QRadar 7.3.3 Patch 6+ and more recent versions. Where to find the app Details of the app are available here. Download the app from IBM App Exchange.

    Read More >>

    In order to improve the resilience and stability of the VMware Carbon Black Cloud, we are setting the default time range setting of the V6 Alerts API to one month. If no time range is specified in the search request, the API will search through the past one month of data instead of searching through all alerts. Affected routes include _search, _facet, and workflow/_criteria. This change will take effect starting Wednesday, October 20th.

    Read More >>

    Since VMware’s acquisition of Carbon Black, Carbon Black Cloud and Workspace ONE Intelligence have been working on updating the existing integration to be more seamless, building towards the vision of Intrinsic Security. Soon, customers who have enabled the Carbon Black Cloud to Workspace ONE Intelligence integration will be migrated to a new integration experience. When is this happening? Update: The date of migration is yet to be determined. We were previously targeting September 20th 2021, however this has been delayed.

    Read More >>

    Note: See the Alert Bulk Export Guide which has been updated for the Alerts v7 API, released in June 2023. Forward Alerts to an S3 Bucket The Data Forwarder is the recommended export method for reliable and guaranteed delivery. This method works at scale to support any size customer or MSSP by writing jsonl zipped content to an S3 bucket. See the Quick Setup instructions for more details. Exporting Alerts via the Alerts API If the Data Forwarder doesn’t work for you then the following algorithm will allow you to fetch alerts with no duplicates using the Alerts API.

    Read More >>
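    The two points above, always sending an explicit time range (the V6 Alerts API now defaults to the past month when none is given) and exporting alerts without duplicates when the Data Forwarder is not an option, are combined in this added example. It is not the Developer Network's algorithm or SDK code: the Alerts v6 _search route is replaced by a constructed in-memory stand-in, the request body shape (criteria.create_time with start/end, rows, start, sort) is my reading of v6 and should be checked against the API reference, and the server-side result cap is a parameter because the real limit should be taken from the docs. The alert records are constructed.

```python
"""Windowed, paged alert export with de-duplication.

Added example, not code from the Carbon Black Cloud docs or SDK. The
transport is a constructed in-memory stand-in for the Alerts v6 _search
route; the body shape and the result cap are assumptions to verify.
"""
from datetime import datetime, timedelta, timezone


def fmt(dt):
    """Millisecond-precision UTC timestamp, e.g. 2021-08-01T00:00:00.000Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed sample alert store. a3 sits exactly on a day boundary, so an
# inclusive window search returns it from two adjacent windows.
SAMPLE_ALERTS = [
    {"id": "a1", "create_time": "2021-08-01T00:00:00.000Z"},
    {"id": "a2", "create_time": "2021-08-01T12:00:00.000Z"},
    {"id": "a3", "create_time": "2021-08-02T00:00:00.000Z"},
    {"id": "a4", "create_time": "2021-08-02T06:00:00.000Z"},
    {"id": "a5", "create_time": "2021-08-03T23:59:59.000Z"},
]


class FakeAlertsV6:
    """Constructed stand-in for POST /appservices/v6/orgs/{org_key}/alerts/_search."""

    def __init__(self, alerts):
        self.alerts = alerts
        self.calls = 0  # lets the caller see how many requests an export cost

    def search(self, body):
        self.calls += 1
        window = body["criteria"]["create_time"]
        start, end = parse(window["start"]), parse(window["end"])
        # Inclusive on both ends, which is what makes boundary duplicates possible.
        hits = sorted(
            (a for a in self.alerts if start <= parse(a["create_time"]) <= end),
            key=lambda a: a["create_time"],
        )
        page = hits[body["start"]: body["start"] + body["rows"]]
        return {"num_found": len(hits), "results": page}


def export_alerts(client, start, end, window=timedelta(days=1), rows=2, max_results=10000):
    """Return every alert created in [start, end], each id exactly once.

    An explicit create_time range is always sent, so the export never relies
    on the server's default lookback. A window whose num_found exceeds
    max_results (assumed server-side paging cap) is halved and re-queued
    instead of being truncated. Results are keyed on id, so an alert on a
    window boundary, or re-emitted after an update, is kept once.
    """
    pending, cur = [], start
    while cur < end:
        nxt = min(cur + window, end)
        pending.append((cur, nxt))
        cur = nxt

    seen = {}
    while pending:
        w_start, w_end = pending.pop()
        body = {
            "criteria": {"create_time": {"start": fmt(w_start), "end": fmt(w_end)}},
            "rows": rows,
            "start": 0,
            "sort": [{"field": "create_time", "order": "ASC"}],
        }
        page = client.search(body)
        if page["num_found"] > max_results and (w_end - w_start) > timedelta(seconds=1):
            mid = w_start + (w_end - w_start) / 2
            pending.extend([(w_start, mid), (mid, w_end)])
            continue
        offset = 0
        while True:
            for alert in page["results"]:
                seen.setdefault(alert["id"], alert)
            offset += rows
            if offset >= page["num_found"]:
                break
            page = client.search(dict(body, start=offset))
    return sorted(seen.values(), key=lambda a: (a["create_time"], a["id"]))


if __name__ == "__main__":
    client = FakeAlertsV6(SAMPLE_ALERTS)
    out = export_alerts(client, parse("2021-08-01T00:00:00.000Z"), parse("2021-08-04T00:00:00.000Z"))
    print([a["id"] for a in out], "in", client.calls, "requests")
```

    Against the real service, replace FakeAlertsV6.search with an authenticated POST to the _search route and keep the rest; the window size is a trade-off between request count and how often a busy window has to be split.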

    CB Analytics Identifier Unification

    Posted on Aug 11, 2021

    The following change will take effect on August 19th; please reach out to support if you have concerns. In the V6 Alerts API response, customers viewing CB Analytics alerts may notice that legacy_alert_id now equals id. The field legacy_alert_id used to represent an 8-character ID and differed from the standard GUID format (i.e., 33bca411-77b6-4c6c-a643-ce9e7f82c742) used across all other alert types in the Carbon Black Cloud. To better unify alerts within our platform, Carbon Black Cloud has aligned on the GUID format as our standard for all types of alerts in the product.

    Read More >>

    On June 3rd, VMware hosted Security Connect, an event focused on our security community and the tools they use to deliver security to their organizations. During this event, several sessions were provided that help customers leverage the full power of the Carbon Black Cloud through open APIs and technical integrations. Even though the live portion of the event has passed, you can still register today to access the sessions on-demand until early September.

    Read More >>

    What’s New? We’re excited to announce the release of v1.3 of the Carbon Black Cloud Python SDK. This release has breaking changes compared to the previous version (1.2.x) that will require new API keys and possibly changes to your integration code, as well as new features and bug fixes. User administration features User Management - create and modify user accounts. The SDK provides functions that make using the APIs more intuitive and aligned to common use cases.

    Read More >>

    We are happy to announce the release of two new APIs for the Carbon Black Cloud. These APIs allow you to manage Users and control the level of access and permissions in your multi-tenant environment for all Carbon Black Cloud products:
    User Management - create, modify, or list users in an organization
    Access Profiles and Grants - create and manage grants for users in one or more organizations

    Read More >>

    Announcing Live Response v6

    Posted on Apr 21, 2021

    Live Response API releasing v6: now with granular RBAC! Live Response allows security operators to collect information and take action on remote endpoints in real time for all Carbon Black Cloud products. Some of these actions include the ability to upload, download, remove files, execute or terminate processes, and more. Live Response - manage files, processes and more on remote endpoints Find more details on the highlights, what has changed, how to migrate from v3 to v6, and more here.

    Read More >>

    On March 22nd, the CBC Data Forwarder is changing how it handles endpoint.event.netconn and endpoint.event.moduleload events to provide additional visibility for customers. Netconn For customers who are using an HTTP proxy, we’re making a change to endpoint.event.netconn events that will use the same approach that the Platform Search API uses to emit netconn & netconn_proxy events: For organizations whose endpoints do not have an HTTP proxy configured, there will be no change - all netconn events will continue to emit as endpoint.

    Read More >>

    What’s New? We’re excited to announce the 1.2 release of the Carbon Black Cloud Python SDK. This release brings new features to the Carbon Black Cloud SDK along with guides and tutorials. The new features in this release include:
    Search, Vulnerability Assessment and Sensor Lifecycle Management for Workload
    Reputation Overrides written tutorial for Platform
    VM Workloads Search written tutorial for Workload
    VM Workloads Search example script for Workload
    Bug Fixes:

    Read More >>

    With the latest release of our Carbon Black Cloud App for Splunk, we’ve consolidated key features from our platform into a single integrated solution that streamlines SIEM and SOAR workflows between Splunk and the Carbon Black Cloud. In this blog, we’ll provide overviews of several key use cases that simplify and accelerate modern SOC workflows using a single pane of glass:
    Hash Banning by Certificate
    Prevention based on MITRE ATT&CK Behaviors
    Identifying and Mitigating Malicious PowerShell Activity
    Automated Mitigation of Exploitable Vulnerabilities
    Using Live Query to Enrich LSASS Scraping Investigations
    These use cases can be achieved within the Splunk console using the Carbon Black Cloud App for Splunk and can also be implemented and extended through dedicated SOAR platforms, including Splunk Phantom.

    Read More >>

    We’re pleased to announce enhancements to the VMware Carbon Black Cloud App for Splunk 8. This app provides an updated solution for customers to access their Carbon Black Cloud Endpoint and Workload features and data within the Splunk console. Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk. Enhancements include: Built-in Data Inputs: Device Control Alerts Audit Logs Live Query Results Vulnerability Assessment Common Information Model for:

    Read More >>

    What’s New? We’re excited to announce the 1.1 release of the Carbon Black Cloud Python SDK. This release brings new features to the Carbon Black Cloud SDK along with various bug fixes. The new features in this release include:
    Reputation Overrides for Endpoint Standard, with Enterprise EDR support coming soon
    Device Control for Endpoint Standard
    Live Query Templates/Scheduled Runs and Template History
    Add set_time_range for Alert query
    Bug Fixes:

    Read More >>

    What is it? The Reputation Overrides API is now available for Endpoint Standard customers. The Reputation Overrides API enables customers and partners to automate the management of hashes, certificates and IT Tools to their organization’s Allow List or Banned List. The operations you perform with this API are reflected in the Reputations page in the CBC console, and in the Deny/Block, Terminate or Allow reactions performed by Endpoint Standard sensors.

    Read More >>

    February 3rd at 10am Mountain Time Who should attend This hour long event is for developers in cybersecurity, especially those that use Carbon Black Cloud and Splunk. What is it This event is a chance to meet members of the VMware Carbon Black Developer Relations team and other developers in the Developer Community. We invite you to brew a cup of your favorite coffee or tea and join us on February 3rd at 10am Mountain Time (5pm GMT) for a demo of the new unified Splunk App for the Carbon Black Cloud.

    Read More >>

    What’s New? We’re excited to announce the 1.0 release of the Carbon Black Cloud Python SDK. This release completes the alpha feedback period, further quality assurance work, and inclusion of new search APIs. The new features in this release include:
    Process and Process Event searches for Enterprise EDR and Endpoint Standard data
    Enriched Event searches for Endpoint Standard
    Addition of Python Futures to support asynchronous queries for customers who want to leverage that feature, while continuing to also provide the simplified experience which hides the multiple API calls required.

    Read More >>

    What is it? The Device Control API lets you view, manage, approve and implement blocking policies across your organization for external USB storage devices. This gives IT and Security Operations administrators direct access to the external devices in their environment to change how those devices can operate. Who is it for? Carbon Black Cloud Endpoint Standard customers with a Windows 3.6.0.1897 sensor or above. What can you do with it?
    Retrieve an inventory of external devices and their associated metadata within an organization
    Search for a specific external device and its associated metadata
    Create an approval for an external device, a set of devices, or specific vendor and product models
    Cross-reference additional external device data after an alert
    Where do I go to get started?

    Read More >>

    We’re pleased to announce the release of the VMware Carbon Black Cloud App for Splunk. This app provides an updated solution for customers to access their Carbon Black Cloud Endpoint and Workload features and data within the Splunk console. Out-of-the-box, this app provides holistic visibility into the state of your endpoints and workloads through customizable dashboards and alert feeds in Splunk. The app is available for download from Splunkbase here. Depending on your installation, the Input Add-on or Technology Add-on may also be required.

    Read More >>

    The Carbon Black Cloud Syslog Connector Version 1.3.0 has been officially released! The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:
    Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
    Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
    Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols
    This release adds the following features:

    Read More >>

    Watch the Video Demo See how to get started using the Carbon Black Cloud Python SDK, or view the full instructions on GitHub.

    Read More >>

    All new Python Bindings for the Carbon Black Cloud We’re excited to announce the Alpha release of the Carbon Black Cloud Python SDK. This release provides an updated package leveraging Python 3.6+ to access data and features of the Carbon Black Cloud platform. The CBC SDK replaces the platform functionality that was available in CBAPI. CBAPI will continue to function, but it will not be supported or updated for Carbon Black Cloud products going forward.

    Read More >>

    Join us for another virtual meetup!

    Posted on Oct 15, 2020

    October 22nd at 4pm MDT Who should attend This hour long event is for developers in cybersecurity, especially those that use Carbon Black Cloud and/or CBAPI, the Python SDK. What is it This event is a chance to meet members of the VMware Carbon Black Developer Relations team and other developers in the Developer Community. We’ll start out the hour with a demo and discussion about the alpha release of our new Carbon Black Cloud Python SDK.

    Read More >>

    We are happy to announce the release of two new search APIs for the Carbon Black Cloud: Enriched Events and Processes. These APIs help you find specific applications and their activity across all endpoint events and processes reported by Carbon Black Cloud sensors. You can:
    Search for endpoint activity at the process or the individual event level
    Retrieve summaries or details about events, including statistical selections of the most prevalent values for some of the most interesting data fields
    Formulate valid search queries — get suggestions for partial fields or values and validate queries before running them in the Search service
    Manage your submitted search queries — check the status of long-running queries and even cancel queries
    Which API is right for me?

    Read More >>

    What is the Zscaler Internet Access Sandbox Integration? This integration is between Zscaler’s Internet Access (ZIA) Sandbox and Carbon Black Cloud Endpoint Standard or Enterprise EDR. Zscaler can scan all files before they reach the endpoint if they come through the network, but cannot scan files coming in from other methods, or prior to sensor installation. This connector will scan for any Endpoint Standard events or Enterprise EDR processes. It pulls the processes, checks the unique hashes against a database of files that have been checked in the past, and if the file is not known, a request to Zscaler’s Sandbox is made to see if they have any information on it.

    Read More >>

    Carbon Black Cloud customers using the Event Forwarder now have additional capabilities to filter endpoint.event data delivered to their designated S3 bucket. Users of the Event Forwarder can now filter data by:
    Event_origin
    Type
    Alert_id
    Sensor_action
    These filters are available with the .59 release. What is the Event Forwarder? The Carbon Black Cloud Event Forwarder enables users to extract data from our console to be used in external dashboards and tools alongside other security data.

    Read More >>

    As of February 2020, we updated the Service Category portion of the path for the Enterprise EDR Process Search V1 and V2 API. The new Service Category is /api/investigate/ and should be used for all API calls. The current Service Category /threathunter/search/ will be deactivated on December 31st, 2020. After that, the path will not return complete results, and all users will be required to use the new /api/investigate/ Service Category.

    Read More >>

    We are happy to announce the release of the Carbon Black Cloud Sensor Update Services API 1.0. What is it? This API replaces the following: POST /appservices/v6/orgs/{org_key}/device_actions, specifically with the “UPDATE_SENSOR_VERSION” action. Who is it for? The Sensor Update Services API can be used by any Carbon Black Cloud user with permission in the service category “org.kits” set to EXECUTE. What does it do? The Sensor Update Service lets you batch sensor updates automatically across your organization and provides visibility into the update jobs’ progress.

    Read More >>

    We are happy to announce some additional alert fields for the Event Forwarder Configuration API. The tables below provide the new field names and descriptions of each.
    New Common Alert Fields
    device_internal_ip: IP address of the endpoint as reported by the sensor. Can be either IPv4 (dotted decimal notation, e.g. “10.0.103.101”) or IPv6 (proprietary format, e.g. “62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726”)
    device_external_ip: IP address of the endpoint from the perspective of the Carbon Black Cloud.

    Read More >>
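    An added example (not from the Event Forwarder docs) showing why the two formats above matter once alerts land in another tool: the fully expanded IPv6 form the field uses and the RFC 5952 compressed form most tooling emits are different strings for the same address, so joining or comparing on the raw text misses matches. The alert fragments are constructed, and the derived fields internal_is_private and internal_external_differ are mine, not part of the alert schema.

```python
"""Normalize the device_internal_ip / device_external_ip alert fields.

Added example, not from the Carbon Black Cloud docs. SAMPLE_ALERTS is
constructed to cover both forms the field descriptions mention: dotted
IPv4 and IPv6 with every group fully expanded.
"""
import ipaddress

SAMPLE_ALERTS = [  # constructed records
    {"id": "a1", "device_internal_ip": "10.0.103.101", "device_external_ip": "203.0.113.7"},
    {"id": "a2", "device_internal_ip": "62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726",
     "device_external_ip": "62e0:00f9:ccde:8fc4:c0c2:e0bd:a8fe:0726"},
    {"id": "a3", "device_internal_ip": "", "device_external_ip": "203.0.113.7"},
]


def normalize_ip(raw):
    """Canonical text form (RFC 5952 for IPv6) or None when empty or invalid.

    "62e0:00f9:...:0726" and "62e0:f9:...:726" are one address; the
    ipaddress module parses either and always prints the compressed form,
    so downstream string comparisons become reliable.
    """
    if not raw or not raw.strip():
        return None
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def enrich(alert):
    """Return a copy with both IP fields canonical plus two derived flags (mine)."""
    internal = normalize_ip(alert.get("device_internal_ip"))
    external = normalize_ip(alert.get("device_external_ip"))
    out = dict(alert, device_internal_ip=internal, device_external_ip=external)
    # Is the sensor-reported address in a private range (RFC 1918, ULA, ...)?
    out["internal_is_private"] = ipaddress.ip_address(internal).is_private if internal else None
    # Sensor view and cloud view disagree: NAT or a proxy sits in the path.
    out["internal_external_differ"] = (internal != external) if internal and external else None
    return out


if __name__ == "__main__":
    for record in SAMPLE_ALERTS:
        print(enrich(record))
```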

    Join us for our first virtual meetup!

    Posted on Jul 23, 2020

    Aug 5th at 3pm MDT Who should attend This hour long event is for developers in cybersecurity, especially those that use Carbon Black and cross-product SIEM integrations, like Splunk. What is it We want to forge a deeper connection with the developer community, discuss meaningful topics, and learn from one another. Since we didn’t get to meet you in person at CB Connect Developer Day, can’t hang out in person now, and our community is spread all over the world anyway, we thought we’d have a virtual hangout so we could get together and discuss questions, ideas, problems, and more!

    Read More >>

    CBAPI 1.7.1 Released

    Posted on Jul 22, 2020

    We are proud to announce that CbAPI 1.7.1 is now available for installation via Python’s PyPI. This release contains a variety of changes from bug fixes to exception enhancements. Check out what has changed below. We also want to thank all the collaborators on CBAPI that made this release possible. If you have any improvements or new ideas, feel free to make an issue or create a pull request at our CBAPI GitHub repo.

    Read More >>

    Enterprise EDR Access Level Changes

    Posted on Jul 22, 2020

    Overview A few permission names have been changed to remove the ThreatHunter reference, following the renaming of ThreatHunter to Enterprise EDR. The name changes are only visual and have no effect on existing API keys that use the old permission names. If you need to create a new Access Level or API Key, look for the following permissions.

    Read More >>

    We at VMware Carbon Black are working to eliminate offensive terminology from Carbon Black products and communities, including the Developer Network. Going forward, we will make the following language amendments: We will use the terms “approved” and “banned” going forward rather than the terms “whitelist” and “blacklist” We will use the terms “primary” and “secondary clone” or “minion” going forward rather than the terms “master” and “slave”. Original and replica will also be used in some instances.

    Read More >>

    We are happy to announce the 1.0 release of the Carbon Black Cloud Binary Toolkit. What is it The Binary Toolkit lets you integrate between Carbon Black Cloud Enterprise EDR and a binary analysis engine, like YARA. When the toolkit receives hashes of binaries encountered by your organization, it sets off a process where it fetches metadata about the binaries from the Unified Binary Store (UBS) and then sends the binaries through the analysis engine.

    Read More >>

    Using the new Jobs Service API

    Posted on Jun 16, 2020

    First, who should use the Job Service API? In May we released the Job Service API, an API that helps manage long-running tasks. This API is most useful for users managing large data sets where there is risk of an API request timing out before the task completes. The Job Service API enables asynchronous task execution so that jobs don’t time out, thus preventing data loss. For those managing smaller data sets, this API is less useful, and you can use regular API calls instead of using asynchronous API routes.

    Read More >>

    CBC Data Forwarder vs CBC Syslog

    Posted on Jun 15, 2020

    Do you need to forward Carbon Black Cloud data to your environment? There are two tools that exist to help forward Carbon Black Cloud data, the Carbon Black Cloud Data Forwarder or Carbon Black Cloud Syslog. The Carbon Black Cloud Data Forwarder is the recommended best practice as the tool is integrated into the Carbon Black Cloud and provides improved scaling for large volumes of data. The data forwarder is capable of forwarding both alerts and events to an S3 bucket.

    Read More >>

    Kicking off Developer Day 2020

    Posted on May 7, 2020

    Developer Day 2020 kicks off today with seven on-demand sessions for more than 2,300 registrants. This is the first time Developer Day has been held in a virtual setting and the VMware Carbon Black team is excited to welcome the largest group of developers we have ever had in attendance. With eight new members added to the Developer Relations team in the past year, VMware Carbon Black is focused on empowering this vast community of developers.

    Read More >>

    The Carbon Black Cloud Syslog Connector Version 1.0.2 has been officially released! The syslog connector lets administrators forward alert notifications and audit logs from their Carbon Black Cloud instance to local, on-premise systems, and:
    Generates pipe-delimited syslog messages with alert metadata identified by the streaming prevention system
    Aggregates data from one or more Carbon Black Cloud organizations into a single syslog stream
    Can be configured to use UDP, TCP, or encrypted (TCP over TLS) syslog protocols
    This release adds the following features:

    Read More >>

    Developer Day 2020: Register Now!

    Posted on May 5, 2020

    Every year, Developer Day hits capacity. With this year going virtual, no one gets wait-listed or turned away! Join us virtually on May 12th to get hands-on experience working with the Carbon Black Cloud open APIs and developer tools. During the event, the Developer Relations team will be available live in the virtual environment to answer your questions. Register now! Make sure to check the box for Developer Day and join us for the rest of the conference on May 13 + 14 for a deeper dive into our technology, company, and threat research.

    Read More >>

    Announcing Our New Product Names

    Posted on Feb 10, 2020

    As of January 2020, we have renamed all of our products as part of our transition into the VMware Security Business Unit. This blog post outlines each of the new products and maps them to their legacy names. Our API documentation will be updated over the coming months to reflect the new names. This will not affect any API or Integration code.
    Carbon Black Cloud Products
    CB Defense is now called Endpoint Standard
    CB LiveOps is now called Audit and Remediation
    CB ThreatHunter is now called Enterprise Endpoint Detection and Response, or Enterprise EDR
    On-Premise Products
    CB Response is now called Carbon Black Endpoint Detection and Response, or Carbon Black EDR
    CB Protection is now called Carbon Black App Control

    Read More >>

    Have trouble finding documentation? Need more resources? Want a different API? Let us know how we can help.

    Read More >>

    As Carbon Black happily transformed into the Security Business Unit of VMware, it created the opportunity to evaluate our brand and simplify. The platform and your products are not changing, but the name of the platform is. The first step is happening today, October 28th, as your login screen and much of our website are moving away from the CB Predictive Security Cloud. Do not be alarmed when you see the text change to VMware Carbon Black Cloud or Carbon Black Cloud, depending on where it’s being used.

    Read More >>

    Carbon Black Cloud API Enhancements

    Posted on Sep 30, 2019

    We have exposed new enhancements to the Alerts and Devices Platform APIs, giving you more efficient control over the devices and data in your organizations. The most current documentation on these APIs is available at the Platform APIs page. Enhanced Alerts API & Use Case Workflows We have extended the capabilities of the Alerts API by improving the methods of retrieving alerts and adding functionality to manage the workflows. With the addition of the Search Request pathway in the Alerts API, you can now filter on dozens of fields, including creation time, category, type, status, tag, and more, allowing you to more efficiently call the API.

    Read More >>

    The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Enterprise EDR. The app has been published to Splunk’s application exchange, Splunkbase, and is available for download now under CB Response App for Splunk. The Enterprise EDR App for Splunk allows a Splunk Administrator to connect to and pull Enterprise EDR notifications from the Carbon Black Cloud. This is the first phase and establishes the foundation of the integration to ensure notifications are properly pulled and ingested into Splunk.

    Read More >>

    Calling all API Developers!

    Posted on Jan 22, 2019

    Research Study for API Developers
    We want to learn more about you! Share about your process creating API integrations. Tell us about your background, daily duties, biggest contributions, and greatest challenges. These insights will enhance our ability to align our product development with what you need. Please fill in your email and availability in the following form and you will be contacted shortly.

    Read More >>

    CbAPI 1.4.0 Released

    Posted on Jan 10, 2019

    We are proud to announce that CbAPI 1.4.0 is now available for installation via Python’s PyPI. This release includes compatibility with Carbon Black Cloud Enterprise EDR and the new APIs available in Carbon Black Cloud’s Enterprise EDR. Currently, the Process Search API is exposed. As of version 1.4.0, there are three available model objects:
    - Process
    - Event
    - Tree
    Install
    The Python CbAPI works with Python 2.x and 3.x, however we do recommend using Python 3.

    Read More >>

    Featuring Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense This year at CB Connect 2018, we had our first ever Developer Day to recognize our vibrant partner and developer ecosystem. We had an amazing group of 100 developers attend, culminating in a hackathon. Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense, was an attendee and speaker at Developer Day and submitted his own project, cbinterface, to the hackathon.

    Read More >>

    Highlights from Developer Day

    Posted on Oct 22, 2018

    Cb Connect Day 0: Carbon Black hosted over a hundred developers at the first ever Developer Day. This community of developers is the engine that extends our platform to integrate with other products/tools/services to build a stronger security stack for organizations. Our attendees flew in from all over the world - Australia, Norway, Turkey, and many other locations with the objective of learning more about our APIs, use cases around extensibility of our platform, watching live technical demonstrations, and to see where we’re going with the Carbon Black Cloud.

    Read More >>

    CB Connect 2018 Developer Day

    Posted on Sep 24, 2018

    SOLD OUT – Developer Day
    Due to high demand, Developer Day at CB Connect is now sold out. Join the waitlist today to secure a spot should spaces open up. The waitlist is on a first-come, first-served basis, and you will be notified via email if you are selected to participate. CB Connect is Carbon Black’s premier customer and partner event of the year. CB Connect heads to New York City this fall for an action-packed, two-day conference about the future of endpoint security.

    Read More >>

    The Endpoint Standard REST API provides a RESTful API for CbDefense, which means that it can be consumed by practically any language. Postman is a REST API Development Environment that allows users to interact with a REST API in a quick & easy way. This is a quick tutorial on how to use Postman to interact with the CbDefense REST API.
    Requirements
    - Access to your Endpoint Standard instance.
    - A connector configured on CbDefense or the ability to create a connector.

    Read More >>

    The Carbon Black Developer Network is proud to announce the second major public release of our Endpoint Standard Add-On for Splunk. This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk cloud.

    Read More >>

    The Carbon Black Developer Network is proud to announce the first public release of our new Splunk App for Endpoint Standard. This app is available for download now from Splunkbase under CB Defense Add-On for Splunk. This first release includes pre-built visualizations from Cb, that provide an overview of Endpoint Standard environments as well as dashboards to search through threat and policy notifications, view and manipulate device status, etc.
    Endpoint Standard Overview Dashboard
    - Comprehensive overview of your Endpoint Standard data in Splunk
    - view total detections, policy actions, rare applications
    - triage threats by severity
    Threat Search
    - geoip map of threats based on severity
    - additional table of threat information
    - searchable (SPL) to isolate threat events of interest
    Policy Action Search
    - geoip map of Policy Actions by reputation
    - tabular display of policy activities
    - searchable (SPL) to isolate policy events of interest
    Login Map (Splunk)
    - geoip map and table of Logins (attempted and successful) to Splunk instances
    Device Search
    - powered by the devicesearch custom search command
    - uses the Endpoint Standard REST API to retrieve device status information
    - geoip map of devices by external IPs + table of the same
    - enter a device query to filter results like ‘hostname:WIN-1984VBRULES’ or ‘ipAddress:172.

    Read More >>

    We have discovered a critical issue with certain versions of the EDR Binary Detonation integrations released in the last month. A patch that was rolled out to the Binary Detonation integrations in September erroneously submitted corrupt files to the binary detonation providers, potentially resulting in invalid responses from the analysis platform. No sensitive information was leaked as part of this bug. Specifically, the first five bytes of the file were missing on every submission of a file to a binary detonation appliance.

    Read More >>

    Cb Reporting released

    Posted on Aug 8, 2017

    We are pleased to announce the release of an updated Cb Reporting script: https://github.com/carbonblack/cb-reporting/blob/master/incident_report.py
    The incident report script is an example Python program that demonstrates how to build a basic incident report using the Cb API bindings for Python. The incident report uses the Cb API to trace information about the lifetime of a process of interest:
    - Target process event information: module loads, cross-process interactions, file modifications, registry modifications (Windows) as well as intelligence feed hits, and the hosts/paths on which the target was seen
    - The tree of execution that led to the target process - binary information about each
    - A list of processes that have written to the target process/binary, details about each
    - The child processes of the target process + corresponding binaries
    The only dependencies are on the Jinja2 templating engine module for Python (2.

    Read More >>

    The Carbon Black Developer Network is proud to announce the first public release of our new Splunk Add-On for Endpoint Standard (formerly CB Response). This add-on is available for download now from Splunkbase under CB Defense Add-On for Splunk and integrates Splunk with your Endpoint Standard console, forwarding alerts from Endpoint Standard right into your Splunk instance. This add-on is now compatible with both Splunk on-premise and Splunk cloud.
    Requirements
    This app requires Endpoint Standard and Splunk version 6.

    Read More >>

    The latest Syslog Connector can be found here. The Carbon Black Developer Network is proud to announce the first public release of our syslog connector for Endpoint Standard. This connector allows you to forward alert notifications from your Endpoint Standard cloud instance into local, on-premise SIEM systems that accept industry standard syslog notifications. By default, it will generate pipe-delimited syslog messages containing the key metadata associated with any alert identified by the Endpoint Standard streaming prevention system.

    Read More >>

    CbAPI 1.2.0 Released

    Posted on Jun 22, 2017

    We are proud to announce that CbAPI 1.2 is now available for installation via Python’s PyPI. This release includes compatibility with Endpoint Standard and the new APIs available in Carbon Black App Control 8.0. Documentation is available on https://cbapi.readthedocs.io and you can install it now via pip:
        pip install --upgrade cbapi
    Happy hunting!

    Read More >>

    Changelog
    - Fixed issue where IP addresses and hashes weren’t being validated for single entries
    This version of the TAXII Connector was built with libtaxii version 1.1.110 and STIX version 1.2.0.2

    Read More >>

    Changelog
    New Features
    - Added support for observables within a list
    - Added support for DATA_SET collection types
    - Added ability to configure default risk score per feed
    - Added support for indicator observables
    Source code and RPM can be found on GitHub. This version of the TAXII connector was built on the EclecticIQ client cabby. STIX parsing is done by python-stix version 1.2.0.2; Cybox parsing is performed using cybox-python version 2.1.0.13

    Read More >>

    EDR App for Splunk 2.0.5 Released

    Posted on Apr 7, 2017

    Changelog
    Bug Fixes
    - Added clearer error message when unable to connect to EDR
    - Fix bug when installed in a distributed search head environment
    Download the Splunk app on Splunkbase under CB Response App for Splunk

    Read More >>

    CbAPI 1.0.1 Released

    Posted on Jan 11, 2017

    We are proud to announce that CbAPI 1.0 is now available for installation via Python’s PyPI. cbapi provides a straightforward interface to the App Control and EDR REST APIs. This library provides a Pythonic layer to access the raw power of the REST APIs of both products, making it trivial to do the easy stuff and handling all of the “sharp corners” behind the scenes for you. If you haven’t seen or worked with cbapi since its 0.

    Read More >>

    Cb Event Forwarder 3.3.2 Released

    Posted on Jan 4, 2017

    Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.2
    New Features
    - report_title is now retrieved via the EDR REST API for feed hits
    - performance increases all around
    - updated UI
    - Added tests for RabbitMQ stressing #64
    - Added process_path for all events if one exists.
    - TLS RabbitMQ Support (thanks to Red Canary)
    Post Processing
    With the addition of feed_title, post processing needs to be enabled by supplying cb_server_url, api_verify_ssl and api_token:
        #
        # Post Processing Options
        #
        # Supported post processing:
        #
        # 1) report_title in feed hits
        #
        # Post processing requires cb_server_url, api_verify_ssl, and api_token to be set.

    Read More >>

    CB Event Forwarder 3.3.0 Released

    Posted on Oct 19, 2016

    Download: https://github.com/carbonblack/cb-event-forwarder/releases/tag/3.3.0
    New Features
    - HTTP output plugin output (thanks to eSentire)
    Output Changes
    In addition, new fields were added to the output (thanks to Red Canary):
    Process start message (procstart or process):
    - parent_path: Path to the parent process
    - parent_create_time: Parent process creation time
    - parent_md5: Parent process binary MD5 hash
    - expect_followon_w_md5: In certain cases, the MD5 for the new process isn’t available at the time the message is generated.

    Read More >>

    EDR App for Splunk 2.0.0 Released

    Posted on Sep 27, 2016

    The EDR App for Splunk allows administrators to leverage the industry’s leading EDR solution to see, detect and take action upon endpoint activity from directly within Splunk. Once installed, the App will allow administrators to access many of the powerful features of Carbon Black, such as process and binary searches, from within and in conjunction with Splunk. When used alongside Splunk’s Enterprise Security, the EDR App for Splunk also provides Adaptive Response Actions to take action automatically based on the result of Correlation Searches and on an ad-hoc basis on Notable Events surfaced within Splunk ES.

    Read More >>

    The Cb Community Repository

    Posted on Aug 4, 2016

    We encourage everyone to release their code publicly on GitHub but on the other hand understand that contributions come in all shapes and sizes. Some contributions, like Red Canary’s Surveyor or Bobby Argenbright’s Forager tool, warrant their own repository (and in some cases, their own cool icon!) However, other contributions may be a single script or a few lines of API code. To help collect these smaller contributions into one place, we’ve created the new Carbon Black Developer Community GitHub organization, available at https://github.

    Read More >>

    CB Event Forwarder 3.2.3 Released

    Posted on Aug 3, 2016

    This release is a minor bugfix release that fixed the following issues:
    - Source and destination IP addresses are sometimes flipped in the LEEF output
    - Unique ID for Alerts was incorrectly used to calculate the Process link (link_process)
    In addition, two changes were made in this release:
    - A link_sensor is now generated for all raw endpoint events
    - The list of Watchlist, Feed, and Binarystore events is expanded to any EDR event type that starts with watchlist.

    Read More >>

    What a difference a year makes! Almost a year ago, we released a bunch of new features in cbapi to help developers become more productive with the Carbon Black EDR REST API. Since then, we’ve changed the name of the company, created an entirely new Developer Network website, created a new, even easier-to-use and more powerful Python API, and most importantly, merged the APIs for both EDR and App Control into the same code base!

    Read More >>

    CB Event Forwarder 3.2.0 Released

    Posted on Jun 27, 2016

    The Carbon Black Developer Network is proud to announce a new major release of the Carbon Black Event Forwarder, 3.2.0. The Carbon Black Event Forwarder is a standalone service that will listen on the Carbon Black enterprise bus and export events (both watchlist/feed hits as well as raw endpoint events, if configured) in a normalized JSON or LEEF format. The events can be saved to a file, delivered to a network service or archived automatically to an Amazon AWS S3 bucket.

    Read More >>

    The 1.2.4 release of the ThreatConnect connector adds one feature: Added proxy support

    Read More >>

    The EDR product was developed as an “API-first” application. Every action in the product can be performed programmatically through the API. In fact, the entire Carbon Black EDR web user interface is implemented on top of the API — the web user interface is a JavaScript application that calls API calls straight from your web browser (check out the Chrome Developer Tools screencast if you’re interested in more details). To expose the power of this API in Python applications, the first version of the cbapi module was published on August 21, 2013 on GitHub.

    Read More >>

    CB Event Forwarder 3.1.4 Released

    Posted on Apr 25, 2016

    The 3.1.4 release of cb-event-forwarder adds two features:
    - updated code to support go 1.6.1
    - The following keys within ioc_attr and netconns will now be present in the top level dictionary and normalized for QRadar: local_ip -> src, local_port -> srcPort, protocol -> proto, remote_ip -> dst, remote_port -> dstPort.

    Read More >>

    Splunk App for EDR 0.9.1 Released

    Posted on Apr 15, 2016

    The 0.9.1 release of the Splunk App for EDR adds new features:
    - New ‘Overview’ dashboard to summarize watchlist hits and feed hits
    - New Carbon Black Data model
    - New `cb` macro
    Get the app on splunkbase:
    Special thanks to Michael Haag for his code contribution.

    Read More >>

    CbAPI 0.8.1 Released

    Posted on Apr 14, 2016

    The latest release of CbAPI 0.8.1 fixes two incompatibilities with the Carbon Black Enterprise Response server version 5.1.1. All users are recommended to update cbapi via pip by running:
        pip install --upgrade cbapi

    Read More >>

    TAXII Connector 1.4 for EDR Released

    Posted on Apr 13, 2016

    Changelog
    CbTAXII version 1.4 now uses the Python requests library for HTTP/HTTPS connections to TAXII servers. This enhances the compatibility of the TAXII connector to a wider variety of TAXII servers. In addition, you can now optionally disable SSL certificate validation for a specific TAXII server by setting the sslverify option:
        # by default, we validate SSL certificates. Turn this off by setting sslverify=false
        sslverify=false
    This version of CbTAXII was built with libtaxii version 1.

    Read More >>

    Changelog This version of the WildFire connector upgrades the WildFire API to the latest version, fixing compatibility problems with both the cloud and on-premise WildFire appliances. The old API used by previous versions of the WildFire connector is no longer supported or available, so all users of the WildFire connector must upgrade for the connector to function. Also included in this release: Fixes to high CPU usage. The connector should now use a very small CPU% when running.

    Read More >>

    CB Event Forwarder 3.1.3 Released

    Posted on Apr 5, 2016

    The 3.1.3 release of cb-event-forwarder adds two features:
    - Allow S3 configuration to specify a prefix (sub-folder)
    - Decode the search query for feed hits where ioc_type is query
    and fixes the following issues:
    - LEEF output does not escape CR (Carriage Return) characters
    - Pre start script should redirect output

    Read More >>

    Carbon Black is proud to announce the launch of our new Carbon Black Developer Network web site! Carbon Black is committed to providing open APIs and enabling all customers to integrate Carbon Black’s products into their security technology stack. As part of that commitment, Carbon Black’s Developer Relations team has created this site to provide the security community the technical documentation required to build best-in-class defenses against today’s advanced threats.

    Read More >>

    CB Event Forwarder 3.1.2 Released

    Posted on Jan 29, 2016

    The 3.1.2 release of cb-event-forwarder adds two features:
    - You can now send arbitrary messages for debugging/testing purposes through the forwarder to the output location. This is only available when the cb-event-forwarder is started with the -debug command line switch. Messages sent via this mechanism are also logged for audit purposes.
    - S3: You can now explicitly specify the location of the AWS credential file to use for authentication in the credential_profile option in the [s3] section of the configuration file.

    Read More >>

    CbAPI now available on PyPI

    Posted on Jan 15, 2016

    We have just published the Python EDR bindings to the central Python packaging repository, PyPI. The recommended way to install the cbapi Python module is now via the standard Python pip package:
        $ pip install cbapi
    The current version of cbapi on PyPI is 0.8.0. We will announce new releases here as they become available. Happy hunting!

    Read More >>

    CB Event Forwarder 3.1.0 Released

    Posted on Dec 24, 2015

    cb-event-forwarder 3.1.0
    The 3.1.0 release of cb-event-forwarder adds the following features over 3.0.0:
    - “Deep links” into the Cb server UI are now optionally available in the output. These links allow you to directly access the relevant sensor, binary, or process context for each event output by the cb-event-forwarder. The new variable cb_server_url has been added to the configuration file to support this new feature. Set this variable to the base URL of the Carbon Black web UI.

    Read More >>

    CB Event Forwarder 3.0.0 Released

    Posted on Dec 10, 2015

    Major new features in 3.0
    - Vastly improved performance & reliability
    - New monitoring infrastructure; the service has a JSON-based API to retrieve diagnostics on its processing. See the README for more details.
    In general, the new cb-event-forwarder 3.0 is designed to be a drop-in replacement for previous versions of the event forwarder. There are a few bug fixes, configuration changes and enhancements of note. The most important change is that the service is now managed by the “upstart” system in CentOS 6.

    Read More >>

    New cbapi release - Summer 2015

    Posted on Jul 13, 2015

    July 13, 2015: Major release with new features. New functions added to cbapi in this release include:
    Extended API - an easier way to use the cbapi
    - binary_search_iter - Query the binary datastore the same as binary_search, but returns an iterator over the results… for binary in binary_search_iter(...)
    - process_search_iter - Same as above, but for process_search
    - process_search_and_events_iter - Provides the event data for every process returned by process_search_iter
    User management functions
    - user_add_from_data - Adds a new authorized user into Cb
    - user_enum - Enumerates Cb’s user database
    - user_info - Retrieves information about one user from Cb
    - output_user_activity - Retrieves login activity from the Cb server
    - user_del - Deletes a user from Cb
    Feed API - see examples, such as feed_action_add.

    Read More >>

    Carbon Black SDK release

    Posted on Jan 1, 0001

    CB SDK RELEASE
    The Carbon Black SDK provides a framework for easily creating arbitrary connectors and integrations with Carbon Black products. The cb-integration project provides Python libraries for generic integrations and a specialized framework for binary analysis connectors. See the source code in the cb-integration repo for implementation details. The CBSDK is cross-platform, and should work on any environment that has Docker 1.7+ and docker-compose. At its core, the CBSDK provides a lightweight Linux container for connectors that can be pulled from Docker Hub with:
        $ docker pull cbdevnetwork/cbsdk

    Read More >>

    CB Event Forwarder 4.0.0 Beta

    Posted on Jan 1, 0001

    4.0.0 BETA PRERELEASE
    In general, the new cb-event-forwarder 4.0 is designed to be a (nearly) drop-in replacement for previous versions of the event forwarder, supporting the same features (along with a number of oft-requested enhancements, suggestions and bugfixes), merely using a new configuration format: YAML.
    - configuration format changed to yaml - old configurations will not work :/
    - architectural overhaul
    - plugins - output
    - new format option: format: template, and provide a template to format the output CbR event messages
    - multiple-input multiple-output pipeline for events: can consume events from multiple CbR mq systems in input:, can output to multiple event types & formats in output:
    - (optional) event filtering (between input and output, for all events seen by the forwarder) at the event-forwarder using golang’s templating language; simply provide a filter : { template : {{return KEEP or DROP to keep or drop a message}}}
    - output format updates and tweaks, very similar to previous format; standardization of alert/feeds/watchlist.

    Read More >>