REST API Reference CBR 7.8+
Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
The Carbon Black EDR API is a RESTful API. This means that the API can be consumed by practically any language.
Example client bindings and scripts are included for reference purposes.
In addition, customers have created alternative bindings for other languages as well:
- Elixir language bindings - REST API, Streaming API (Author: Redvers Davies)
The EDR REST API uses HTTP header authentication for all requests. See the REST API authentication reference for more details.
Process Data
Process Search
/api/v1/process
Process search. Parameters passed as a query string.
Supports: GET
Parameters
-
q
: REQUIRED Query string. Accepts the same data as the search box on the Process Search page. See the Query overview for the query syntax. -
rows
: OPTIONAL Return this many rows, 10 by default. -
start
: OPTIONAL Start at this row, 0 by default. -
sort
: OPTIONAL Sort rows by this field and order.last_update desc
by default. -
facet
: OPTIONAL Return facet results. ‘false’ by default, set to ‘true’ for facets. -
facet.field
: OPTIONAL facet field name to return. Multiplefacet.field
parameters can be specified in a query. -
cb.comprehensive_search
: OPTIONAL if set totrue
, CB will automatically fix the query and insert joins to make it comprehensive (reducing performance) -
cb.facet.fuzzy
: OPTIONAL if set totrue
, enable fuzzy faceting for performance (default is set in thecb.conf
file) -
cb.group
: OPTIONAL group by a field name. For example, if query parametercb.group=id
, search will return one result per processNote that results will still honor sorting specified by the search. Even within group, it will return result that is first in the sort order. For example, if sorted by regmod_count, it will return top processes and top process segment for each process with highest regmod_count
Grouping will be slower (sometimes much slower) than regular results. For example, in 100M document DB test, it took 1 minute to group result set of 100K.
Returns
JSON object with the following elements:
highlights
: a list of matching process IDs and the field that matched the query, with the textPREPREPRE
before the highlighted match andPOSTPOSTPOST
after the highlighted match.results
: a list of matching processes (see below for process object)terms
: a list of strings, each representing a token as parsed by the query parsertotal_results
: number of matching processesstart
: index of first rowelapsed
: clock time elapsed resolving this requestfacets
: a list of facet entries if requested. (see below for facet object)tagged_pids
: a list of process IDs in this result set that have one or more events tagged as part of an investigationfiltered
: count of results filtered due to security settingscomprehensive_search
: Some boolean queries may return incorrect results due to segmentation.comprehensive_search
will be set to False if the query may contain incorrect results due to segmentation. Setting thecb.comprehensive_search
query parameter totrue
(above) during the API query should perform the necessary joins to ensure the correct results.incomplete_results
: Set totrue
if there was a timeout when performing the search on the backend. This could indicate that some time partitions were unable to be searched or some minions could not return results in time.
Process Object
A process contains the following fields:
process_md5
: the md5 of the binary image backing the processprocess_name
: the name of the processstart
: the start time of the process in remote computer GMT timelast_update
: the time of the most recently received event for this process in remote computer GMT timehostname
: the hostname of the computer for this processmodload_count
: the count of modules loaded in this processregmod_count
: the count of registry modifications in this processfilemod_count
: the count of file modifications in this processnetconn_count
: count of network connections in this processchildproc_count
: the count of child processes launched by this processcrossproc_count
: the count of cross process events launched by this processgroup
: the CB Host group this sensor is assigned tosensor_id
: the internal CB id for the sensor on which the process executedid
: the internal CB process id for this process (processes are identified by this id and their segment id)segment_id
: the process segment id (processes are identified by this segment id and their process ID id)unique_id
: internal CB process id combining of the process id and segment idos_type
: operating system type of the computer for this process; one of windows, linux, osx
A complete example:
$ curl "http://192.168.206.151/api/v1/process?cb.urlver=1&rows=10&facet=false&facet.field=process_name&facet.field=group&facet.field=hostname&facet.field=parent_name&facet.field=path_full&facet.field=process_md5&start=0&rows=1&q=chrome.exe"
{
"all_segments": true,
"terms": [
"chrome.exe"
],
"total_results": 231,
"highlights": [
{
"name": "c:\\program files (x86)\\google\\chrome\\application\\PREPREPREchrome.exePOSTPOSTPOST",
"ids": [
"00000001-0000-1028-01d2-c24179cca1b8-015bc2a3ebe8",
"00000001-0000-1028-01d2-c24179cca1b8-015bc2a3ebe8",
"00000001-0000-0650-01d2-c273a7ba8b36-015bc3ed7ed8",
"00000001-0000-0650-01d2-c273a7ba8b36-015bc3ed7ed8",
"00000001-0000-020c-01d2-c273a79d8c63-015bc3ed7ed8",
"00000001-0000-020c-01d2-c273a79d8c63-015bc3ed7ed8",
"00000001-0000-08dc-01d2-c273a7b337f2-015bc3ed7ed8",
"00000001-0000-08dc-01d2-c273a7b337f2-015bc3ed7ed8",
"00000001-0000-1234-01d2-c273a77198f9-015bc3ed7ed8",
"00000001-0000-1234-01d2-c273a77198f9-015bc3ed7ed8",
"00000001-0000-0e4c-01d2-c273a780b4a2-015bc3ed7ed8",
"00000001-0000-0e4c-01d2-c273a780b4a2-015bc3ed7ed8",
"00000001-0000-12fc-01d2-c273a7c1de71-015bc3ed7ed8",
"00000001-0000-12fc-01d2-c273a7c1de71-015bc3ed7ed8",
"00000001-0000-0778-01d2-c273a7966030-015bc3ed7ed8",
"00000001-0000-0778-01d2-c273a7966030-015bc3ed7ed8",
"00000001-0000-12f8-01d2-c273a7ac0cb4-015bc3ed7ed8",
"00000001-0000-12f8-01d2-c273a7ac0cb4-015bc3ed7ed8",
"00000001-0000-121c-01d2-c273a7882eec-015bc3ed7ed8",
"00000001-0000-121c-01d2-c273a7882eec-015bc3ed7ed8"
]
},
{
"name": "PREPREPREchrome.exePOSTPOSTPOST",
"ids": [
"00000001-0000-1028-01d2-c24179cca1b8-015bc2a3ebe8",
"00000001-0000-0650-01d2-c273a7ba8b36-015bc3ed7ed8",
"00000001-0000-020c-01d2-c273a79d8c63-015bc3ed7ed8",
"00000001-0000-08dc-01d2-c273a7b337f2-015bc3ed7ed8",
"00000001-0000-1234-01d2-c273a77198f9-015bc3ed7ed8",
"00000001-0000-0e4c-01d2-c273a780b4a2-015bc3ed7ed8",
"00000001-0000-12fc-01d2-c273a7c1de71-015bc3ed7ed8",
"00000001-0000-0778-01d2-c273a7966030-015bc3ed7ed8",
"00000001-0000-12f8-01d2-c273a7ac0cb4-015bc3ed7ed8",
"00000001-0000-121c-01d2-c273a7882eec-015bc3ed7ed8"
]
}
],
"facets": {},
"results": [
{
"process_md5": "92b29e6be97f5b2c5894904d1447bbfe",
"sensor_id": 1,
"filtering_known_dlls": false,
"modload_count": 0,
"parent_unique_id": "00000001-0000-0ee8-01d2-7292dd56b66f-000000000001",
"cmdline": "\"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\" --type=utility --lang=en-US --no-sandbox --service-request-channel-token=8EEC283107F82FAA8460327787795CD2 --mojo-platform-channel-handle=4540 /prefetch:8",
"last_update": "2017-05-01T06:09:22.081Z",
"id": "00000001-0000-1028-01d2-c24179cca1b8",
"parent_name": "chrome.exe",
"parent_md5": "000000000000000000000000000000",
"group": "default group",
"parent_id": "00000001-0000-0ee8-01d2-7292dd56b66f",
"hostname": "win-ia9nq1gn8oi",
"filemod_count": 2,
"start": "2017-05-01T06:09:21.928Z",
"comms_ip": -1407842931,
"regmod_count": 0,
"interface_ip": -1407842931,
"process_pid": 4136,
"username": "WIN-IA9NQ1GN8OI\\bit9rad",
"terminated": true,
"emet_config": "",
"process_name": "chrome.exe",
"emet_count": 0,
"last_server_update": "2017-05-01T06:12:54.386Z",
"path": "c:\\program files (x86)\\google\\chrome\\application\\chrome.exe",
"netconn_count": 0,
"parent_pid": 3816,
"crossproc_count": 0,
"segment_id": 1493619174376,
"host_type": "workstation",
"processblock_count": 0,
"os_type": "windows",
"childproc_count": 0,
"unique_id": "00000001-0000-1028-01d2-c24179cca1b8-015bc2a3ebe8"
}
],
"tagged_pids": {},
"elapsed": 0.043354034423828125,
"start": 0,
"comprehensive_search": true,
"incomplete_results": false,
"filtered": {}
}
Faceting
The process search URL also supports faceting. Faceted search allows you to quickly filter through large collections of data by extracting the unique values from a group of fields. The EDR UI includes facet information for process and binary searches in the grey shaded box above the results list. Similarly, the API provides the ability to retrieve facet information through the Process API. Faceting can be combined with queries; by combining a process query with faceting, you can determine answers to questions such as “when do users most often launch Microsoft Word?”
The supported fields for facet search are:
process_md5
: the top unique process_md5s for the processes matching the searchhostname
: the top unique hostnames matching the searchgroup
: the top unique host groups for hosts matching this searchpath_full
: the top unique paths for the processes matching this searchparent_name
: the top unique parent process names for the processes matching this searchprocess_name
: the top unique process names for the processes matching this searchhost_type
: the distribution of host types matching this search: one of workstation, server, domain_controllerhour_of_day
: the distribution of process start times by hour of day in computer local timeday_of_week
: the distribution of process start times by day of week in computer local timestart
: the distribution of process start times by day for the last 30 daysusername_full
: the username context associated with the process
To request a facet search, submit a request to the Process API with at least two parameters: first,
set the facet
query parameter to true
. Then, indicate the list of fields that you want to query
for facets through a set of facet.field
query parameters. Each facet.field
parameter is set to one
of the values above (for example, hostname
). Make sure to set the rows
parameter to 0
unless
you want to retrieve the list of results for the query as well as the facet information.
The return value from the facet search is the top 200 key, value and percentage for the unique set of results matching the search query. If there are more than 200 unique values for the selected facets, the results will be truncated to 200. This limit cannot be adjusted via the API.
Return Facet Object
The facets
object is a list of dictionaries with the following keys. Each key is a list of facet results objects that contain the
key, value, and percentage information for each unique result of a given facet.
Each facet result object has three values:
name
: the facet valuevalue
: the count of occurrences of this valuepercent
: count / max(count) - the ratio of this value to the largest value in the result setratio
: count / sum(count) - the ratio of this value to the sum of all values in the result set
A complete example to answer “when do users most often launch Microsoft Word?":
$ curl "http://192.168.206.151/api/v1/process?q=process_name:winword.exe&facet=true&facet.field=hour_of_day&rows=0"
{
"terms": [
"process_name:winword.exe"
],
"total_results": 4,
"highlights": [],
"facets": {
"hour_of_day": [
{
"percent": 100,
"ratio": "50.0",
"name": "16",
"value": 2
},
{
"percent": 50,
"ratio": "25.0",
"name": "15",
"value": 1
},
{
"percent": 50,
"ratio": "25.0",
"name": "17",
"value": 1
}
]
},
"results": [],
"tagged_pids": {},
"elapsed": 0.015702009201049805,
"start": 0,
"filtered": {
"hour_of_day": []
}
}
Process Summary
/api/v1/process/(process_id)/(segment_id)
Gets basic process information for segment (segment_id) of process (process_id)
Supports: GET
Parameters
process_id
: REQUIRED the internal CB process id; this is theid
field in search resultssegment_id
: REQUIRED the process segment id, thesegment_id
field in search results.
Returns
A JSON object with the following structure:
process
: a process summary object with metadata for the selected processsiblings
: a list of process summary objects for the first 15 sibiling processeschildren
: a list of process summary objects for each child processparent
: a process summary object with metadata for the parent process
Each process summary object contains the following structure:
process_md5
: the MD5 of the executable backing this processsensor_id
: the sensor id of the host this process executed ongroup
: the sensor group the sensor was assigned toparent_id
: the Carbon Black process id of the parent processprocess_name
: the name of this process, e.g., svchost.exepath
: the full path of the executable backing this process, e.g., c:\windows\system32\svchost.exelast_update
: the time of the last event received from this process, as recorded by the remote hoststart
: the start time of this process, as recorded by the remote hosthostname
: the hostname of the computer this process executed onid
: the internal CB process id of this processsegment_id
: the segment id of this processos_type
: operating system type of the computer for this process; one of windows, linux, osx
A complete example:
GET http://192.168.206.154/api/v1/process/2032659773721368929/1
{
"process": {
"process_md5": "517110bd83835338c037269e603db55d",
"sensor_id": 2,
"group": "Default Group",
"start": "2013-09-19T22:07:07Z",
"process_name": "taskhost.exe",
"segment_id": 1,
"last_update": "2013-09-19T22:09:07Z",
"cmdline": "taskhost.exe $(arg0)",
"hostname": "WIN-EP7RMLTCLAJ",
"parent_id": "5856845119039539348",
"path": "c:\\windows\\system32\\taskhost.exe",
"id": "2032659773721368929",
"os_type": "windows"
},
"siblings": [
{
"process_md5": "c78655bc80301d76ed4fef1c1ea40a7d",
"sensor_id": 2,
"group": "Default Group",
"parent_id": "5856845119039539348",
"process_name": "svchost.exe",
"segment_id": 1,
"last_update": "2013-09-19T22:34:49Z",
"start": "2013-09-10T04:10:07Z",
"hostname": "WIN-EP7RMLTCLAJ",
"path": "c:\\windows\\system32\\svchost.exe",
"id": "5286285292765095481",
"os_type": "windows"
},
],
"children": [],
"parent": {
"process_md5": "24acb7e5be595468e3b9aa488b9b4fcb",
"sensor_id": 2,
"group": "Default Group",
"parent_id": "4245649408199694328",
"process_name": "services.exe",
"segment_id": 1,
"last_update": "2013-09-19T22:09:07Z",
"start": "2013-09-10T04:09:51Z",
"hostname": "WIN-EP7RMLTCLAJ",
"path": "c:\\windows\\system32\\services.exe",
"id": "5856845119039539348",
"os_type": "windows"
}
}
Process Summary (No Siblings)
/api/v2/process/(process_id)/(segment_id)
Gets basic process information for segment (segment_id) of process (process_id) - without sibling process information. The v2
version of this API is faster as retrieving the sibling process information requires additional requests to the Solr datastore.
Supports: GET
Parameters
process_id
: REQUIRED the internal CB process id; this is theid
field in search resultssegment_id
: REQUIRED the process segment id, thesegment_id
field in search results. If the segment ID is0
, then summary information for the process is aggregated and returned (for example, thefilemod_count
will be the sum of all file modifications for all segments in the process)
Returns
A JSON object represnting the metadata associated with the process.
Process Segment Details
/api/v1/process/(process_id)/segment
Supports: GET
Parameters
process_id
: REQUIRED the internal CB process id; this is theid
field in search results
Returns
A JSON object with the following structure:
process
: A dictionary containing:segments
: A list of segments, each containing:last_server_update
: The last date/time when the server pushed events into this segmentevent_counts
: The number of events for each event type stored in this segmentunique_id
: The full process ID + segment number associated with this event segmentlast_update
: The last event (represented in sensor date/time) stored in this segment
elapsed
: The time spent by Solr executing this query
A complete example:
GET http://192.168.206.154/api/v1/process/00000001-0000-0ee8-01d2-7292dd56b66f/segment
{
"process": {
"segments": [
{
"last_server_update": "2017-05-01T02:42:59.072Z",
"event_counts": {
"netconn": 2,
"filemod": 76,
"crossproc": 3
},
"unique_id": "00000001-0000-0ee8-01d2-7292dd56b66f-015bc1e3ae46",
"last_update": "2017-05-01T02:43:27.865Z"
},
{
"last_server_update": "2017-05-01T17:55:30.992Z",
"event_counts": {
"childproc": 11,
"netconn": 1,
"crossproc": 1,
"filemod": 58,
"regmod": 1,
"modload": 1
},
"unique_id": "00000001-0000-0ee8-01d2-7292dd56b66f-015bc5272e1b",
"last_update": "2017-05-01T17:55:48.606Z"
},
{
"last_server_update": "2017-05-01T17:56:43.457Z",
"event_counts": {
"childproc": 3
},
"unique_id": "00000001-0000-0ee8-01d2-7292dd56b66f-015bc5284937",
"last_update": "2017-05-01T17:55:44.975Z"
}
]
},
"elapsed": 0.0039560794830322266
}
Process Event Details
/api/v1/process/(process_id)/(segment_id)/event
/api/v2/process/(process_id)/(segment_id)/event
(introduced in EDR 5.1)/api/v3/process/(process_id)/(segment_id)/event
(introduced in EDR 5.2)/api/v4/process/(process_id)/(segment_id)/event
(introduced in EDR 6.1)
Gets the events for the process with CB process id (process_id) and segment id (segment_id).
There are slight differences in the returned payload between the v1
, v2
, v3
, and v4
endpoints.
These differences will be discussed in detail in the “Returns” section below.
Supports: GET
Parameters
process_id
: REQUIRED the internal CB process id; this is theid
field in search resultssegment_id
: REQUIRED the process segment id; this is thesegment_id
field in search results. If this is set to0
, the API will merge all segments in results (subject toCoreServicesMaxEventResultsPerProcess
incb.conf
, set to 10,000 by default)cb.event_start
: OPTIONAL return events starting with this offset. If not provided, offset will be 0 (returns events starting from the beginning)cb.event_count
: OPTIONAL. If not provided, number of returned events will be up to config valueCoreServicesMaxEventResultsPerProcess
Returns
A JSON object with the following structure:
process
: a process summary object with metadata and events for the selected processelapsed
: the clock time required to get this structure
The process object may contain the following entries.
process_md5
: the MD5 of the executable backing this processsensor_id
: the sensor id of the host this process executed ongroup
: the sensor group the sensor was assigned toparent_id
: the Carbon Black process id of the parent processprocess_name
: the name of this process, e.g., svchost.exepath
: the full path of the executable backing this process, e.g., c:\windows\system32\svchost.execmdline
: the command line of the processlast_update
: the time of the last event received from this process, as recorded by the remote hoststart
: the start time of this process, as recorded by the remote hosthostname
: the hostname of the computer this process executed onid
: the internal CB process id of this processsegment_id
: the segment id of this processregmod_complete
: a pipe-delimited list of regmod stringsfilemod_complete
: a pipe-delimited list of filemod stringsmodload_complete
: a pipe-delimited list of modload stringsnetconn_complete
: a pipe-delimited list of netconn strings (changed inv2
)childproc_complete
: a pipe-delimited list of childproc strings (changed inv3
)crossproc_complete
: a pipe-delimited list of crossproc stringos_type
: operating system type of the computer for this process; one of windows, linux, osxblock_type
: possible values are 0 (not blocked) or 1 (blocked due to isolation). Most netconns will haveblock_type:0
. Netconns that were attempted by an endpoint that has been isolated from the EDR console will haveblock_type:1
.
Each xxx_complete record is a string similar to:
2013-09-19 22:07:07.000000|f404e59db6a0f122ab26bf4f3e2fd0fa|c:\\windows\\system32\\dxgi.dll"
The pipe character (|
) delimits the fields.
filemod_complete
"1|2013-09-16 07:11:58.000000|c:\\documents and settings\\administrator\\local settings\\temp\\hsperfdata_administrator\\3704|||false"
- field 0: operation type, an integer 1, 2, 4 or 8
- 1: Created the file
- 2: First wrote to the file
- 4: Deleted the file
- 8: Last wrote to the file
- field 1: event time
- field 2: file path
- field 3: if operation type (field 0) is 8, last write, this value is the md5 of the file after the last write
- field 4: file type, if known, an integer
- 1: PE
- 2: Elf
- 3: UniversalBin
- 8: EICAR
- 16: OfficeLegacy
- 17: OfficeOpenXml
- 48: Pdf
- 64: ArchivePkzip
- 65: ArchiveLzh
- 66: ArchiveLzw
- 67: ArchiveRar
- 68: ArchiveTar
- 69: Archive7zip
- field 5: boolean “true” if event is flagged as potential tamper attempt; “false” otherwise
modload_complete
2013-09-19 22:07:07.000000|f404e59db6a0f122ab26bf4f3e2fd0fa|c:\\windows\\system32\\dxgi.dll"
- field 0: event time
- field 1: MD5 of the loaded module
- field 2: Full path of the loaded module
regmod_complete
"2|2013-09-19 22:07:07.000000|\\registry\\user\\s-1-5-19\\software\\microsoft\\sqmclient\\reliability\\adaptivesqm\\manifestinfo\\version"
- field 0: operation type, an integer 1, 2, 4 or 8
- 1: Created the registry key
- 2: First wrote to the registry key
- 4: Deleted the key
- 8: Deleted the value
- field 1: event time
- field 3: the registry key path
netconn_complete
There are two different formats for netconn_complete
. The v1
API returns an array of pipe delimited strings:
"2013-09-16 07:11:59.000000|-1979811809|80|6|dl.javafx.com|true"
- field 0: event time
- field 1: IP address as a 32-bit signed long (host byte order), local for inbound and remote for outbound as indicated by field 5
- field 2: port, local for inbound and remote for outbound as indicated by field 5
- field 3: protocol: 6 is TCP, 17 is UDP
- field 4: domain name associated with the IP address, from the client’s perspective at the time of the network connection
- field 5: boolean “true” if the connection was outbound; “false” if the connection was inbound
The v2
API and newer return an array of JSON objects:
[{"domain": "login.live.com",
"proto": 6,
"local_port": 49240,
"timestamp": "2017-01-11T16:20:04.892Z",
"local_ip": 167772448,
"direction": "true",
"remote_port": 80,
"remote_ip": -2080555708},
...
]
Where the protocol field is the same as above (6 for TCP, 17 UDP), and the IP addresses are expressed as 32-bit signed longs in host byte order.
The v4
version of this API introduces support for IPv6 addresses. The v4
API returns all IP addresses in the JSON objects as strings; IPv4 addresses will be sent as dotted quad strings instead of integers, and IPv6 addresses are represented as strings.
childproc_complete
There are two different formats for childproc_complete
. The v1
and v2
APIs return an array of pipe delimited strings:
"2014-01-23 09:19:08.331|8832db0c-6b84-fc4b-0000-000000000001|51138beea3e2c21ec44d0932c71762a8|c:\windows\system32\rundll32.exe|6980|true|false"
- field 0: event time
- field 1: unique_id of the child process
- field 2: md5 of the child process
- field 3: path of the child process
- field 4: PID of child process
- field 5: boolean “true” if child process started; “false” if terminated
- field 6: boolean “true” if event is flagged as potential tamper attempt; “false” otherwise
The v3
API and newer return an array of JSON objects:
[{"userName": "",
"processId": "00000003-0000-0178-01d2-6c44464bec2f-00000001",
"end": "2017-01-11T19:57:44.066000Z",
"commandLine": "",
"pid": 376,
"is_suppressed": false,
"is_tampered": false,
"path": "c:\\windows\\system32\\taskeng.exe",
"type": "end",
"md5": "16c467fe69bfcffb7568271f23217821"},
...
]
The new JSON object is similar to the old pipe delimited string, with one important exception. EDR 5.2 introduced the concept of suppressed processes. To reduce the load on the server associated with large numbers of “empty” processes (processes with no events other than modload events), EDR 5.2 no longer produces process documents for these “empty” processes by default.
Processes that have been eliminated will still be tracked as a child process of the parent process, with an
entry in the childproc_complete
array with the is_suppressed
value set to true
. Non-suppressed processes as
seen above will have empty userName
and commandLine
values, as these can be obtained from the process document
itself. Suppressed processes will have non-empty values for the userName
and commandLine
keys.
crossproc_complete
"ProcessOpen|2014-01-23 09:19:08.331|00000177-0000-0258-01cf-c209d9f1c431|204f3f58212b3e422c90bd9691a2df28|c:\windows\system32\lsass.exe|1|2097151|false"
- field 0: type of cross-process access: RemoteThread if remote thread creation; ProcessOpen if process handle open with access privileges
- field 1: event time
- field 2: unique_id of the targeted process
- field 3: md5 of the targeted process
- field 4: path of the targeted process
- field 5: sub-type for ProcessOpen, “1” for handle open to process; “2” for handle open to thread in process
- field 6: requested access priviledges
- field 7: boolean “true” if event is flagged as potential tamper attempt; “false” otherwise
A complete example:
GET http://192.168.206.154/api/v1/process/2032659773721368929/1/event
{"process":
{"process_md5": "517110bd83835338c037269e603db55d",
"sensor_id": 2,
"group": "Default Group",
"start": "2013-09-19T22:07:07Z",
"process_name": "taskhost.exe",
"segment_id": 1,
"os_type": "windows",
"regmod_complete": [
"2|2013-09-19 22:07:07.000000|\\registry\\user\\s-1-5-19\\software\\microsoft\\sqmclient\\reliability\\adaptivesqm\\manifestinfo\\version",
"2|2013-09-19 22:09:07.000000|\\registry\\machine\\software\\microsoft\\reliability analysis\\rac\\wmilasttime"
],
"parent_id": "5856845119039539348",
"cmdline": "taskhost.exe $(arg0)",
"filemod_complete": [
"2|2013-09-19 22:07:07.000000|c:\\programdata\\microsoft\\rac\\statedata\\racmetadata.dat|",
"2|2013-09-19 22:07:07.000000|c:\\programdata\\microsoft\\rac\\temp\\sql4475.tmp|",
"2|2013-09-19 22:07:07.000000|c:\\programdata\\microsoft\\rac\\temp\\sql4486.tmp|",
"2|2013-09-19 22:09:07.000000|c:\\programdata\\microsoft\\rac\\statedata\\racwmidatabookmarks.dat|",
"2|2013-09-19 22:09:07.000000|c:\\programdata\\microsoft\\rac\\publisheddata\\racwmidatabase.sdf|",
"4|2013-09-19 22:09:07.000000|c:\\programdata\\microsoft\\rac\\temp\\sql4486.tmp|",
"2|2013-09-19 22:09:07.000000|c:\\programdata\\microsoft\\rac\\statedata\\racdatabase.sdf|",
"4|2013-09-19 22:09:07.000000|c:\\programdata\\microsoft\\rac\\temp\\sql4475.tmp|"
],
"hostname": "WIN-EP7RMLTCLAJ",
"modload_complete": [
"2013-09-19 22:07:07.000000|517110bd83835338c037269e603db55d|c:\\windows\\system32\\taskhost.exe",
"2013-09-19 22:07:07.000000|3556d5a8bf2cc508bdab51dec38d7c61|c:\\windows\\system32\\ntdll.dll",
"2013-09-19 22:07:07.000000|7a6326d96d53048fdec542df23d875a0|c:\\windows\\system32\\kernel32.dll",
"2013-09-19 22:07:07.000000|9c75cb8b98610f0cd85d99bb5876308b|c:\\windows\\system32\\sqlcese30.dll",
"2013-09-19 22:07:07.000000|e5744d18c88737c6356d0a8d6d49d512|c:\\windows\\system32\\sqlceqp30.dll",
"2013-09-19 22:07:07.000000|021287c2050fd5db4a8b084e2c38139c|c:\\windows\\system32\\winsatapi.dll",
"2013-09-19 22:07:07.000000|f404e59db6a0f122ab26bf4f3e2fd0fa|c:\\windows\\system32\\dxgi.dll",
"2013-09-19 22:07:07.000000|da1b7075260f3872585bfcdd668c648b|c:\\windows\\system32\\dwmapi.dll",
"2013-09-19 22:07:07.000000|497bfeddaf3950dd909c3b0c5558a25d|c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll",
"2013-09-19 22:07:07.000000|5d8e6c95156ed1f79a63d1eade6f9ed5|c:\\windows\\system32\\setupapi.dll",
"2013-09-19 22:07:07.000000|2a86e54b441ad41557f75dc5609b9793|c:\\windows\\system32\\sspicli.dll",
"2013-09-19 22:07:07.000000|d6f630c1fd7f436316093ae500363b19|c:\\windows\\system32\\xmllite.dll"
],
"path": "c:\\windows\\system32\\taskhost.exe",
"last_update": "2013-09-19T22:09:07Z",
"id": "2032659773721368929"
},
"elapsed": 0.0126001834869
}
Process Preview
/api/v1/process/(process_id)/(segment_id)/preview?q=(query)
Process preview. Requires process_id and segment id.
Supports: GET
Parameters
process_id
: REQUIRED the internal CB process id, theid
field in search resultssegment_id
: REQUIRED the process segment id; this is thesegment_id
field in search results.query
: OPTIONAL a process query string. If present, preview results will highlight matching terms
Returns
A process preview structure with the following fields:
process_md5
: the MD5 of the executable backing this processsensor_id
: the sensor id of the host this process executed ongroup
: the sensor group the sensor was assigned toprocess_name
: the name of this process, e.g., svchost.exepath
: the full path of the executable backing this process, e.g., c:\windows\system32\svchost.exelast_update
: the time of the last event received from this process, as recorded by the remote hoststart
: the start time of this process, as recorded by the remote hosthostname
: the hostname of the computer this process executed onid
: the internal CB process id of this processsegment_id
: the segment id of this processregmod_complete
: a pipe-delimited summary list of regmod strings (see spec above)filemod_complete
: a pipe-delimited summary list of filemod strings (see spec above)modload_complete
: a pipe-delimited summary list of modload strings (see spec above)netconn_complete
: a pipe-delimited summary list of netconn strings (see spec above)childproc_complete
: a pipe-delimited list of summary childproc strings (see spec above)crossproc_complete
: a pipe-delimited list of summary crossproc string (see spec above)modload_count
: the total count of modules loaded in this processregmod_count
: the total count of registry modifications in this processfilemod_count
: the total count of file modifications in this processnetconn_count
: total count of network connections in this processchildproc_count
: the total count of child processes launched by this processcrossproc_count
: the total count of cross process events launched by this processos_type
: operating system type of the computer for this process; one of windows, linux, osx
If a query string is provided, the endpoint will highlight all matching strings. Highlighted results will
be surrounded with PREPREPRE
and POSTPOSTPOST
to designate the start and end of a matching substring.
Where the full process API endpoint will return all xxx_complete
records in the process (possibly 10s of thousands),
the preview endpoint will have 10s of events for this process.
A complete example:
GET http://192.168.206.132/api/v1/process/7078511340675742078/1/preview/?q=windows
{
"parent_name": "",
"hostname": "J-8205A0C27A0C4",
"group": "Default Group",
"process_md5": "5e7f3968069d32b26af0d7af0ec5dd97",
"netconn_count": 1,
"process_name": "svchost.exe",
"last_update": "2013-10-07T15:07:09Z",
"cmdline": "\"c:\\docume~1\\admini~1\\locals~1\\temp\\rad17929.tmp\\svchost.exe\" ",
"start": "2013-10-07T15:07:09Z",
"sensor_id": 1,
"modload_count": 15,
"modload_complete": [
"2013-10-07 15:07:09.000000|27d9ed8cb8b62d1e0a8e5ace6cf52e2f|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\ntdll.dll",
"2013-10-07 15:07:09.000000|c24b983d211c34da8fcc1ac38477971d|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\kernel32.dll",
"2013-10-07 15:07:09.000000|355edbb4d412b01f1740c17e3f50fa00|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\msvcrt.dll",
"2013-10-07 15:07:09.000000|bab489a5fe26f2d0c910cf7af7e4cf92|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\advapi32.dll",
"2013-10-07 15:07:09.000000|b979d9d1c8073da21a7f80345f306a1d|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\rpcrt4.dll",
"2013-10-07 15:07:09.000000|7459c16cc3ef4651cab7c9260e43fc58|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\secur32.dll",
"2013-10-07 15:07:09.000000|67156d5a9ac356dc99d7bccb388e3316|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\wsock32.dll",
"2013-10-07 15:07:09.000000|2ccc474eb85ceaa3e1fa1726580a3e5a|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\ws2_32.dll",
"2013-10-07 15:07:09.000000|9789e95e1d88eeb4b922bf3ea7779c28|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\ws2help.dll",
"2013-10-07 15:07:09.000000|b4138e99236f0f57d4cf49bae98a0746|c:\\PREPREPREwindowsPOSTPOSTPOST\\system32\\mswsock.dll"
],
"path": "c:\\documents and settings\\administrator\\local settings\\temp\\rad17929.tmp\\svchost.exe",
"regmod_count": 0,
"filemod_count": 0,
"segment": "",
"id": "7078511340675742078",
"unique_id": "623bec8f-8f8d-397e-0000-000000000001",
"os_type": "windows"
}
Process Analysis
The 7.5.0 release of VMware Carbon Black EDR introduces a new set of API endpoints (v6/process) to assist in the analysis of processes and their events. The endpoints share a new strategy to load, process, and return small portions of process data at one time. The strategy allows greater efficiency. On average the endpoints are faster and more predictable. There is a tradeoff in API usage. The new endpoints work differently as a whole compared to process/v5. Your code will need to adapt to the new conventions.
Stream API
Process events are now viewed using the metaphor of a stream, much like streaming video online. The whole timeline of events exists on the server, not all events are viewed at once. A stream tracks your position as you view individual pages of events. You can seek forward and backward by any number of events. You can also jump forward and backward by any number of process segments. If you know a particular segment id, you can jump directly to it.
Streams are stateful. They must be created, used, then deleted. Streams are referenced by their STREAM_ID
.
Create a Stream
To create a stream, you need a PROCESS_ID
and SEGMENT_ID
. By default, the new stream will expire after StreamTTLSecs
(a cb.conf option). You may specify persistent: true to prevent the stream from expiring automatically. Streams do not store much state - only a handful of fields are stored to track stream progress. Nevertheless, it is a good idea to delete streams when you are done with them.
Request
curl -X POST "$SERVER/api/v6/process/stream" \
-H "X-Auth-Token: $TOKEN" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d"
{
\"process_id\": \"$PROCESS_ID\",
\"segment_id\": \"$SEGMENT_ID\",
\"persistent\": true # or false
}"
Response
{
"stream_id": "727cdaed-fc91-4f48-a00b-08dfe6aec4da",
"status_fw": "ready",
"status_bw": "ready",
"ref_segment_id": 1621882944903,
"cur_segment_id": 1621882944903,
"head_as_ref_segment_offset": 0,
"head_as_cur_segment_offset": 0,
"events": []
}
Use a Stream
Once you have obtained a STREAM_ID
, you can perform several operations. First, consider your current position. When you create a stream, the initial position will be the first event of the segment you provided. If you request ten rows, you’ll get back ten rows starting from your current position. The position does not move unless you perform a seek or jump operation. If you seek by 10 rows and request 10 rows in one call, you’ll move the stream position forward by ten rows, and then get back ten rows starting from your new position.
Several status fields are returned after each operation. status_fw/status_bw are of particular interest. For instance, status_fw will be “ready” if you could perform the same operation again without reaching the end of the process. It will be “current” if you have reached the end of the process. It will be “complete” if you have reached the end of the process, and the process is terminated (there will never be more events). In the latter two cases you may retrieve fewer events than you requested. The status will be “void” if the operation moved the position out of bounds, e.g. there are only 100 events but you tried to seek forward by one thousand.
Requests
# View ten rows
curl -X GET "$SERVER/api/v6/process/stream/$STREAM_ID?rows=10"\
-H "X-Auth-Token: $TOKEN"
# Seek forward by ten rows
curl -X GET "$SERVER/api/v6/process/stream/$STREAM_ID?seek&by=10&rows=10" \
-H "X-Auth-Token: $TOKEN"
# Seek backward by ten rows
curl -X GET "$SERVER/api/v6/process/stream/$STREAM_ID?seek&by=-10&rows=10" \
-H "X-Auth-Token: $TOKEN"
# Jump forward by one segment
curl -X GET "$SERVER/api/v6/process/stream/$STREAM_ID?jump&by=1&rows=10" \
-H "X-Auth-Token: $TOKEN"
# Jump backward by one segment
curl -X GET "$SERVER/api/v6/process/stream/$STREAM_ID?jump&by=-1&rows=10" \
-H "X-Auth-Token: $TOKEN"
# Jump to a specific segment
curl -X GET "$SERVER/api/v6/process/stream/$STREAM_ID?jump&to=$SEGMENT_ID&rows=10" \
-H "X-Auth-Token: $TOKEN"
Sometimes you want to view events of a certain type, or events that mach certain criteria. You may use the following PATCH request to modify the criteria that are used to filter events in the stream. The criteria structure may specify fields mentioned in Facet Fields below. Multiple values per field are allowed.
# Filter a Stream
curl -X PATCH "$SERVER/api/v6/process/stream/$STREAM_ID?&rows=10" \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '
{
"criteria": {
"event_type": [
"filemod"
],
"directory": [
"/var/run",
"/tmp"
]
}
}'
The query argument end_time
may be used with the above requests to omit all events with a timestamp occurring after the specified time.
end_time=YYYY-MM-DDThh:mm:ss.sssZ
Data will be returned in the following format. Events may contain additional binary info, alliance hit information, and on demand hit information if threat intelligence has been configured appropriately.
Response
{
"stream_id": "508c8e5b-5ffd-40a0-97cc-b31414298667",
"status_fw": "ready",
"status_bw": "ready",
"ref_segment_id": 1621882944903,
"cur_segment_id": 1621882944903,
"head_as_ref_segment_offset": 0,
"head_as_cur_segment_offset": 0,
"events": [
{
"type": "childproc",
"time": "2021-05-24 19:01:56.564000",
"data": {
"md5": "b6fe756bf9828f05bd6c4d300f93ab91",
"path": "/usr/libexec/nm-dispatcher",
"commandLine": "",
"userName": "",
"sha256": "",
"pid": 26885,
"processId": "00000001-0000-6905-01d7-50cf4455dc1e-000000000001",
"is_tampered": false,
"type": "start",
"start": "2021-05-24T19:01:56.564000Z"
},
"segment_id": 1621882944903,
"binary_info": {
"digsig_result": null,
"digsig_publisher": null
},
"alliance_hits": null,
"ondemand_feeds": null,
"ondemand_classification": null
}
]
}
Delete a Stream
You should take care to delete persistent streams you create. You may also delete transient streams (those that expire due to being created with “persistent”: false).
Request
curl -X POST "$SERVER/api/v6/process/stream/$STREAM_ID" \
-H "X-Auth-Token: $TOKEN" \
-H "Accept: application/json"
Response
{
"result": "success"
}
Summary Stream API
The summary stream API can be used to obtain an overview of the event types represented in the whole process. It works similarly to the v5 route of the same name with one difference. Batches of segment summary info are streamed from the server in a single HTTP request using the ndjson format. You can handle each incoming batch while the request is ongoing.
Request
# Retrieve batches of summary data pertaining to the segments of a process
curl -X GET "$SERVER/api/v6/process/$PROCESS_ID/$SEGMENT_ID/segment" \
-X "Accept: application/x-ndjson"
Response
Notice each line is a JSON document with its own batch of segment summary data.
{"elapsed":2.1457672119140625e-06,"process":{"segments":[{"unique_id":"00000001-0000-0001-01d6-eea15d60d4c4-0179b1c541a3","segment_id":1622185165219,"last_update":"2021-05-28T06:59:12.748Z","last_server_update":"2021-05-28T06:59:25.288Z","event_counts":{"filemod":7}},{"unique_id":"00000001-0000-0001-01d6-eea15d60d4c4-0179b1c62cce","segment_id":1622185225422,"last_update":"2021-05-28T07:00:01.775Z","last_server_update":"2021-05-28T07:00:25.492Z","event_counts":{"filemod":35}}]}}
{"elapsed":2.6226043701171875e-06,"process":{"segments":[{"unique_id":"00000001-0000-0001-01d6-eea15d60d4c4-0179b257a6ac","segment_id":1622194759340,"last_update":"2021-05-28T09:38:59.097Z","last_server_update":"2021-05-28T09:39:19.424Z","event_counts":{"childproc":1}}]}}
Bulk API
The bulk API provides information about large portions of a process. It consolidates two previous features: alliance feed hits and on demand feed hits. It introduces one new feature: event faceting across all events. Some limitations have been introduced to ensure these features can be used reliably.
- Processing begins at the specified
SEGMENT_ID
- Processing ends after a configurable timeout (
BulkDataTimeoutSecs
in cb.conf) - Processing ends if an
end_time
is provided (seeend_time
format specification above)
The API response will indicate if the result is partial due to timeout. Reaching the specified end_time
is not considered a timeout. The API may handle a process with few segments in one call. A larger process with thousands of segments may need to be processed in chunks. In fact the EDR Console uses a combination of SEGMENT_ID
and END_TIME
to limit processing to the timeline window selection.
Request
curl -X GET "$SERVER/api/v6/process/$PROCESS_ID/$SEGMENT_ID/bulk?end_time=$END_TIME" \
-H "X-Auth-Token: $TOKEN" \
-H "Accept: application/json"
Response
{
"alliance_hits": {...},
"on_demand_hits": {
"threatintel": {...}
},
"facets": {
"terms": [...],
"num_found": n,
"processed_segments": n
},
"partial_results": false
}
The following is an example of what can be expected in facets
:
{
"terms": [
{
"field": "event_type",
"values": [
{
"id": "modload",
"name": "modload",
"total": 46
},
{
"id": "crossproc",
"name": "crossproc",
"total": 2
}
]
},
{
"field": "directory",
"values": [
{
"id": "c:\\windows\\syswow64",
"name": "c:\\windows\\syswow64",
"total": 40
},
{
"id": "c:\\windows\\system32",
"name": "c:\\windows\\system32",
"total": 6
},
{
"id": "c:\\users\\user1\\downloads\\dir_1\\file_x",
"name": "c:\\users\\user1\\downloads\\dir_1\\file_x",
"total": 1
},
{
"id": "c:\\windows\\dir_2\\file_y",
"name": "c:\\windows\\dir_2\\file_y",
"total": 1
}
]
}
],
"num_found": 48,
"processed_segments": 1
}
There are two properties in addition to terms: num_found
indicates the number of filterable items found and processed_segments
is the number of segments that were searched to find all the items.
Facet Fields
The following are valid values for the event_type
field: filemod, childproc, netconn, regmod, processblock. Note that childproc includes events of types exec, fork, and other_exec as well as childproc.
The following fields are possible for each event type:
- filemod
- directory
- filemod_action
- filemod_filetype
- childproc
- directory
- childproc_filepath
- childproc_md5
- childproc_sha256
- netconn
- ipv4_address
- ipv6_address
- domain
- ja3_fingerprint
- ja3s_fingerprint
- regmod
- regmod_action
- regmod_hive
- processblock
- directory
- crossproc
- directory
- modload
- directory
Metadata API
The metadata API will return all non-event fields of the process.
Request
curl -X GET "$SERVER/api/v6/process/$PROCESS_ID/metadata" \
-H "X-Auth-Token: $TOKEN" \
-H "Accept: application/json"
Response
{
"process_metadata": {
"unique_id": "00000008-0000-1778-01d7-531d279b5c07-0179aedb558a",
"sensor_id": 8,
"hostname": "tl-750-rhel83-w",
"group": "default group",
"os_type": "windows",
"host_type": "workstation",
"interface_ip": 181100788,
"comms_ip": 181100788,
"parent_unique_id": "00000008-0000-04b0-01d7-4ccd83f8de79-000000000001",
"start": "2021-05-27T17:24:31.436Z",
"day_of_week": 4,
"hour_of_day": 13,
"process_pid": [
6008
],
"parent_pid": 1200,
"process_md5": "ccee2e1a4672697747d199fb7e0caa37",
"process_sha256": "f75345665bf69e4a5beb0525b80b714f1b2d8b25a7ece8c88f48607b46f5d7f9",
"cmdline": [
"\"C:\\Users\\user_1\\Downloads\\dir_1\\dir_2\\file_x.exe\" "
],
"uid": "s-1-5-21-601375543-4271196527-4255210300-1001",
"username": [
"TL-750-RHEL83-W\\user_1"
],
"parent_name": "explorer.exe",
"path": "c:\\users\\user_1\\downloads\\dir_1\\dir_2\\file_x.exe",
"process_name": "file_x.exe",
"logon_type": 2,
"creation_observed": false,
"alliance_score_srsthreat": 100,
"alliance_link_srsthreat": "https://services.bit9.com/Services/extinfo.aspx?ak=b8b4e631d4884ad1c56f50e4a5ee9279&sg=0313e1735f6cec221b1d686bd4de23ee&md5=ccee2e1a4672697747d199fb7e0caa37",
"alliance_data_srsthreat": [
"ccee2e1a4672697747d199fb7e0caa37"
],
"alliance_updated_srsthreat": "2021-05-26T23:19:19Z",
"facet_id": 201654,
"last_update": "2021-05-27T17:24:31.518Z",
"last_server_update": "2021-05-27T17:24:40.553Z",
"terminated": false,
"server_added_timestamp": "2021-05-27T17:24:40.553Z",
"id": "00000008-0000-1778-01d7-531d279b5c07",
"parent_id": "00000008-0000-04b0-01d7-4ccd83f8de79",
"segment_id": 1622136280458,
"filtering_known_dlls": false,
"tampered": false,
"has_emet_event": false,
"has_emet_config": false
}
}
Segment Verification API
Several v6 API endpoints require valid segment IDs. This API may be used to verify the existence of those segment IDs. If the provided SEGMENT_ID
exists, it will be returned unchanged.
Request
curl -X GET "$SERVER/api/v6/process/$PROCESS_ID/$SEGMENT_ID/verify" \
-H "X-Auth-Token: $TOKEN" \
-H "Accept: application/json"
Response
{
"segment_id": $SEGMENT_ID
}
If the provided SEGMENT_ID
does not exist, the id of the earliest available segment will be returned instead.
Request
curl -X GET "$SERVER/api/v6/process/$PROCESS_ID/$INVALID_SEGMENT_ID/verify" \
-H "X-Auth-Token: $TOKEN" \
-H "Accept: application/json"
Response
{
"segment_id": $EARLIEST_SEGMENT_ID
}
Event Suppression Status
You may encounter a childproc event while browsing an event stream. To determine if the childproc is suppressed (or not), use this API endpoint. This operation will timeout after SuppressionStatusCheckTimeoutSecs
(a cb.conf option).
Request
curl -X GET "$SERVER/api/v6/process/suppression_status?parent_guid=$PARENT_GUID&childproc_guid=$CHILDPROC_GUID&childproc_md5=$CHILDPROC_MD5" \
-H "X-Auth-Token: $TOKEN" \
-H "Accept: application/json"
Response
{
"is_suppressed": false,
"timeout": false
}
Binary Data
Binary Search
/api/v1/binary
Binary search. Parameters passed as query string.
Supports: GET
Parameters
q
: REQUIRED Query string. Accepts the same data as the search box on the Binary Search page. See the Query overview for details on the query syntax.rows
: OPTIONAL Return this many rows, 10 by default.start
: OPTIONAL Start at this row, 0 by default.sort
: OPTIONAL Sort rows by this field and order.server_added_timestamp desc
by default.facet
: OPTIONAL Return facet results. ‘false’ by default, set to ‘true’ for facets.facet.field
: OPTIONAL facet field name to return. Multiplefacet.field
parameters can be specified in a query.
Returns
JSON object with the following elements:
results
: a list of matching binaries (see below for binary object)terms
: a list of strings, each representing a token as parsed by the query parsertotal_results
: number of matching binariesstart
: index of first rowelapsed
: clock time elapsed resolving this requesthighlights
: a list of highlight objects matching the query string. Format the same as the process event object.facets
: a list of facet entries if requested. (see below for facet object)
Binary Object
A binary object contains the following fields:
md5
: the md5 hash of this binaryserver_added_timestamp
: the first time this binary was received on the server in the server GMT timeorig_mod_len
: Filesize in bytescopied_mod_len
: Bytes copied from remote host, if file is > 25MB this will be less thanorig_mod_len
observed_filename
: The set of unique filenames this binary has been seen asis_executable_image:
‘true’ or ‘false’ - ‘true’ if an EXEis_64bit
: ‘true’ or ‘false’ - ‘true’ if x64product_version
: If present, Product version from FileVersionInformationproduct_name
: If present, Product name from FileVersionInformationfile_Version
: If present, File version from FileVersionInformationcompany_name
: If present, Company name from FileVersionInformationinternal_name
: If present, Internal name from FileVersionInformationproduct_name
: If present, Product name from FileVersionInformationlegal_copyright
: If present, Legal copyright from FileVersionInformationlegal_trademark
: If present, Legal trademark from FileVersionInformationfile_desc
: If present, File description from FileVersionInformationoriginal_filename
: If present, Original filename from FileVersionInformationprivate_build
: If present, Private build from FileVersionInformationspecial_build
: If present, Special build from FileVersionInformationsigned
: Digital signature status: One ofSigned
,Unsigned
,Expired
,Bad Signature
,Invalid Signature
,Invalid Chain
,Untrusted Root
,Explicit Distrust
digsig_result
: Digital signature status: One ofSigned
,Unsigned
,Expired
,Bad Signature
,Invalid Signature
,Invalid Chain
,Untrusted Root
,Explicit Distrust
digsig_result_code
: HRESULT_FROM_WIN32 for the result of the digital signature operation via WinVerifyTrustdigsig_sign_time
: If signed, the timestamp of the signature in GMTdigsig_publisher
: If signed and present, the publisher namedigsig_prog_name
: If signed and present, the program namedigsig_issuer
: If signed and present, the issuer namedigsig_subject
: If signed and present, the subjectalliance_score_virustotal
: If enabled and the hit count > 1, the number of VirusTotal hits for this md5os_type
: operating system type of this binary; one of windows, linux, osxhost_count
: count of unique endpoints which have ever reported this binary
Faceting
The binary search URL also supports faceting. Faceted search allows you to quickly filter through large collections of data by extracting the unique values from a group of fields. The EDR UI includes facet information for process and binary searches in the grey shaded box above the results list. Similarly, the API provides the ability to retrieve facet information through the Process API. Faceting can be combined with queries.
The supported fields for facet search are:
product_name_facet
: the top unique product names for the binaries matching the searchfile_version_facet
: the top unique file versions for the binaries matching the searchalliance_score_virustotal
: the distribution of VirusTotal scores for binaries matching the searchdigsig_result
: the distribution of signature status results for binaries matching the searchcompany_name_facet
: the top unique company names for the binaries matching the searchdigsig_publisher_facet
: the top unique publisher names for the binaries matching the searchproduct_name_facet
: the top unique company anmes for the binaries matching the searchdigsig_sign_time
: the distribution of signature times per month for the last 48 months for binaries matching the searchserver_added_timestamp
: the distribution of server_added_timestamps per day for the last 30 daysobserved_filename_facet
: the top unique observed filenames for the binaries matching the searchhost_count
hostname
group
To request a facet search, submit a request to the Process API with at least two parameters: first,
set the facet
query parameter to true
. Then, indicate the list of fields that you want to query
for facets through a set of facet.field
query parameters. Each facet.field
parameter is set to one
of the values above (for example, hostname
). Make sure to set the rows
parameter to 0
unless
you want to retrieve the list of results for the query as well as the facet information.
The return value from the facet search is the top 200 key, value and percentage for the unique set of results matching the search query. If there are more than 200 unique values for the selected facets, the results will be truncated to 200. This limit cannot be adjusted via the API.
Return Facet Object
The facets
object is a list of dictionaries with the following keys. Each key is a list of facet results objects that contain the
key, value, and percentage information for each unique result of a given facet.
Each facet result object has three values:
name
: the facet valuevalue
: the count of occurrences of this valuepercent
: count / max(count) - the ratio of this value to the largest value in the result setratio
: count / sum(count) - the ratio of this value to the sum of all values in the result set
A complete example:
GET http://192.168.206.151/api/binary?q=notepad.exe
{
"total_results": 1,
"facets": {},
"elapsed": 0.046832799911499023,
"start": 0,
"results": [
{
"md5": "F2C7BB8ACC97F92E987A2D4087D021B1",
"digsig_result": "Signed",
"observed_filename": [
"c:\\windows\\system32\\notepad.exe"
],
"product_version": "6.1.7600.16385",
"signed": "Signed",
"digsig_sign_time": "2009-07-14T10:17:00Z",
"orig_mod_len": 193536,
"is_executable_image": true,
"is_64bit": true,
"digsig_publisher": "Microsoft Corporation",
"file_version": "6.1.7600.16385 (win7_rtm.090713-1255)",
"company_name": "Microsoft Corporation",
"internal_name": "Notepad",
"product_name": "Microsoft\u00ae Windows\u00ae Operating System",
"digsig_result_code": "0",
"timestamp": "2013-08-16T11:26:48.321Z",
"copied_mod_len": 193536,
"server_added_timestamp": "2013-08-16T11:26:48.321Z",
"legal_copyright": "\u00a9 Microsoft Corporation. All rights reserved.",
"original_filename": "NOTEPAD.EXE",
"file_desc": "Notepad",
"os_type": "windows"
}
],
"terms": [
"notepad.exe"
],
"highlights": [
{
"name": "PREPREPRENOTEPAD.EXEPOSTPOSTPOST",
"ids": [
"F2C7BB8ACC97F92E987A2D4087D021B1"
]
},
{
"name": "c:\\windows\\system32\\PREPREPREnotepad.exePOSTPOSTPOST",
"ids": [
"F2C7BB8ACC97F92E987A2D4087D021B1"
]
}
],
}
Download Binary
/api/v1/binary/(md5)
Download the binary with this md5 hash.
Supports: GET
Parameters
md5
: REQUIRED the md5 hash of the binary
Returns A zipfile with the binary bytes and a text file with metadata.
Retrieve Binary Icon
/api/v1/binary/(md5)/icon
Returns the icon for the binary with the provided md5
Supports: GET
Parameters
md5
: REQUIRED the md5 of the binary
Returns A PNG with the icon. If the icon is not found, it returns the default Windows icon.
Retrieve Binary Metadata
/api/v1/binary/(md5)/summary
Returns the metadata for the binary with the provided md5
Supports: GET
Parameters
md5
: REQUIRED the md5 of the binary
Returns
A structure with the following fields:
md5
: the md5 hash of this binaryserver_added_timestamp
: the first time this binary was received on the server in the server GMT timeorig_mod_len
: Filesize in bytescopied_mod_len
: Bytes copied from remote host, if file is > 25MB this will be less thanorig_mod_len
observed_filename
: A list of strings, one per unique filename this binary has been seen asis_executable_image:
‘true’ or ‘false’ - ‘true’ if an EXEis_64bit
: ‘true’ or ‘false’ - ‘true’ if x64product_version
: If present, Product version from FileVersionInformationproduct_name
: If present, Product name from FileVersionInformationfile_Version
: If present, File version from FileVersionInformationcompany_name
: If present, Company name from FileVersionInformationinternal_name
: If present, Internal name from FileVersionInformationproduct_name
: If present, Product name from FileVersionInformationlegal_copyright
: If present, Legal copyright from FileVersionInformationlegal_trademark
: If present, Legal trademark from FileVersionInformationfile_desc
: If present, File description from FileVersionInformationoriginal_filename
: If present, Original filename from FileVersionInformationprivate_build
: If present, Private build from FileVersionInformationspecial_build
: If present, Special build from FileVersionInformationsigned
: Digital signature status: One ofSigned
,Unsigned
,Expired
,Bad Signature
,Invalid Signature
,Invalid Chain
,Untrusted Root
,Explicit Distrust
digsig_result
: Digital signature status: One ofSigned
,Unsigned
,Expired
,Bad Signature
,Invalid Signature
,Invalid Chain
,Untrusted Root
,Explicit Distrust
digsig_result_code
: HRESULT_FROM_WIN32 for the result of the digital signature operation via WinVerifyTrustdigsig_sign_time
: If signed, the timestamp of the signature in GMTdigsig_publisher
: If signed and present, the publisher namedigsig_prog_name
: If signed and present, the program namedigsig_issuer
: If signed and present, the issuer namedigsig_subject
: If signed and present, the subjectalliance_score_virustotal
: If enabled and the hit count >= 1, the number of VirusTotal hits for this md5alliance_score_srs
: If enabled and available, the Carbon Black Software Reputation Service (SRS) score, normalized to a CB scorealliance_score_tis
: If enabled and available, the Carbon Black Threat Indicators Service (TIS) score, normalized to a CB scorealliance_score_*
: 0 or more other scores, applied by configuring feeds.endpoint
: list of 0 or more hostname,sensorid tuples on which this binary was observed. The | character serves as the delimiter between the hostname and the sensorid.group
: list of 0 or more sensor groups (by name) in which this binary was observedos_type
: operating system type of the computer for this process; one of windows, linux, osx
A complete example:
GET http://192.168.206.154/api/binary/1C8B787BAA52DEAD1A6FEC1502D652f0/summary
{
"product_version_facet": "8.00.7600.16385",
"digsig_result": "Signed",
"observed_filename": [
"c:\\windows\\system32\\mshtml.dll"
],
"product_version": "8.00.7600.16385",
"product_name_facet": "Windows\u00ae Internet Explorer",
"signed": "Signed",
"digsig_sign_time": "2010-11-21T03:36:00Z",
"orig_mod_len": 8988160,
"is_executable_image": false,
"is_64bit": true,
"observed_filename_facet": [
"c:\\windows\\system32\\mshtml.dll"
],
"file_version_facet": "8.00.7600.16385 (win7_rtm.090713-1255)",
"digsig_publisher": "Microsoft Corporation",
"file_version": "8.00.7600.16385 (win7_rtm.090713-1255)",
"company_name": "Microsoft Corporation",
"internal_name": "MSHTML",
"_version_": 1446430562211332096,
"product_name": "Windows\u00ae Internet Explorer",
"digsig_result_code": "0",
"timestamp": "2013-09-17T13:14:37.636Z",
"company_name_facet": "Microsoft Corporation",
"copied_mod_len": 8988160,
"server_added_timestamp": "2013-09-17T13:14:37.636Z",
"md5": "1C8B787BAA52DEAD1A6FEC1502D652F0",
"legal_copyright": "\u00a9 Microsoft Corporation. All rights reserved.",
"digsig_publisher_facet": "Microsoft Corporation",
"original_filename": "MSHTML.DLL.MUI",
"file_desc": "Microsoft (R) HTML Viewer",
"os_type": "windows",
"group": [
"Default Group",
"Domain Controllers"
],
"endpoint": [
"DC01|17",
"XP-KIOSK-32|1002",
"XP-KIOSK-87|688"
]
}
Alerts
Search Alerts
/api/v2/alert
Alert search
Supports: GET
, POST
Parameters
q
: OPTIONAL Query string. Accepts the same data as the alert search box on the Triage Alerts page. See the Query overview for the query syntax.rows
: OPTIONAL Return this many rows, 10 by default.start
: OPTIONAL Start at this row, 0 by default.sort
: OPTIONAL Sort rows by this field and order.facets
: OPTIONAL Return facet results. ‘false’ by default, set to ‘true’ for facets.
Returns
- JSON dictionary describing the alert search results
{
"terms": [],
"results": [
{
"username": "SYSTEM",
"alert_type": "watchlist.hit.ingress.process",
"sensor_criticality": 3,
"modload_count": 58,
"report_score": 1,
"watchlist_id": "Binary_0545A3EB959QQQ4790D267BFB8C1ACA4",
"sensor_id": 2,
"feed_name": "virustotalconnector",
"created_time": "2017-10-11T14:16:06.074Z",
"report_ignored": false,
"ioc_type": "md5",
"watchlist_name": "Binary_0545A3EB959QQQ4790D267BFB8C1ACA4",
"ioc_confidence": 0.5,
"alert_severity": 0.675,
"crossproc_count": 2,
"group": "default group",
"hostname": "win-559j1nqvfgj",
"filemod_count": 0,
"comms_ip": "192.119.22.22",
"netconn_count": 0,
"interface_ip": "192.168.22.2",
"status": "Unresolved",
"process_path": "c:\\program files (x86)\\google\\update\\googleupdate.exe",
"description": "[1 / 66] VirusTotal report for 0545A3EB959CFA4790D267BFB8C1ACA4",
"process_name": "googleupdate.exe",
"process_unique_id": "00000002-0000-0cdc-01d3-429b633fda36-015f0bcadb87",
"process_id": "00000002-0000-0cdc-01d3-429b633fda36",
"link": "https://www.virustotal.com/file/69061e33acb7587d773d05000390f9101f71dfd6eed7973b551594eaf3f04193/analysis/1507720618/",
"_version_": 1580970924950159360,
"regmod_count": 7,
"md5": "0545a3eb959cfa4790d267bfb8c1aca4",
"segment_id": 197843847,
"total_hosts": "0",
"feed_id": 24,
"ioc_value": "0545a3eb959cfa4790d267bfb8c1aca4",
"os_type": "windows",
"childproc_count": 4,
"unique_id": "611b825e-f555-4841-91fe-39cb15e05106",
"feed_rating": 3
}
],
"elapsed": 0.007166147232055664,
"comprehensive_search": true,
"all_segments": true,
"total_results": 350,
"highlights": [],
"facets": {},
"start": 0,
"incomplete_results": false,
"filtered": {}
}
Update/Resolve Alerts
POST /api/v1/alert/(alertid)
Alert update and resolution
Supports: POST
Parameters
unique_id
: REQUIRED Unique ID of alert to updatestatus
: REQUIRED Status of the alert, as a string
Returns
- JSON dictionary describing alert
Bulk Update Alerts
POST /api/v1/alerts
Updating Alerts requires an API key with Global Administrator privileges. Multiple Alerts can be updated in bulk using the same call.
The only property that can be modified in a threat report is the is_ignored
property.
Setting is_ignored
to True for an Alert carries through to
the threat report that generated the Alert. Any further hits on IOCs contained within that report will no longer trigger an Alert.
Payload
To modify multiple alerts at once, either specify the list of Alert
IDs in the ids
dictionary, or submit a query (using the URL-encoded version of the
query string) in the query
string.
Specify the operation to perform by using either the set_ignored
, requested_status
,
or assigned_to
keys. If the assigned_to
key is present, then the requested_status
should be provided as well.
The possible values for requested_status
are Resolved
, Unresolved
, In Progress
,
or False Positive
.
For example:
{
"query": "cb.urlver=1&cb.fq.status=unresolved&sort=alert_severity%20desc&rows=10",
"alert_ids": ["id1", "id2", ...]],
"requested_status": "Resolved",
"set_ignored": true,
"assigned_to": "ahnold"
}
Returns
HTTP 200 result code if changes applied successfully.
Administrative APIs
Server License
/api/v1/license
License status and application
Supports: GET
, POST
Parameters
- Carbon Black-provided license (POST)
Returns
- A GET returns the current license status, as defined below:
A license status dictionary has the following structure:
license_valid
: boolean indication as to if the licence is valid. A valid license may be expired or unexpired.license_end_date
: YYYY-MM-DD date on which the license expireslicensed_sensor_count
: number of sensors that can be used with this server while staying compliant with license.server_token
: unique identifier for this particular server instancelicense_expired
: boolean indicator as to if the license is expiredlicensed_sensor_count_exceeded
: boolean indicator as to if the server is currently servicing more sensors than it is licensed foractual_sensor_count
: count of sensors serviced during previous day (midnight to midnight)license_request_block
: an opaque request block to be provided to Carbon Black for license renewal
App Control Integration
/api/v1/settings/global/platformserver
Get and set the configuration details of the Carbon Black App Control server. These details are used for CB Enterprise Response Server integration with the App Control Server.
Supports: GET
, POST
Parameters, Returns
A GET returns a JSON dictionary as defined below. A POST accepts a JSON dictionary with one or more keys as defined below.
server_url
: OPTIONAL the base server IP or DNS name. The protocol and the URI are not included.ssl_certificate_verify
: OPTIONAL indication as to if Carbon Black server should verify the Platform Server SSL certificate; valid values are ‘true’ and ‘false’watchlist_export
: OPTIONAL indication as to if the Carbon Black server should export, via HTTPS POST, watchlist hits to the Platfrom Server; valid values are ‘true’ and ‘false’auth_token
: OPTIONAL authorization token used by the Carbon Black server to authenticate against the Platform Server.
The auth_token
field is never returned via HTTP GET for security purposes.
Banning
Note: In EDR 7.7 these API routes were changed to use the term banned
. See earlier verions for prior route URLs.
Ban Binary by Hash
/api/v1/banning/bannedlist
Ban - prevent execution of a specified md5 hash
Supports: GET
, POST
Provides a method to get all banned hashes or allows for creation of new banned hashes.
Returns
- (
GET /api/v1/banning/bannedlist
) returns a list of banned hashes, with each list entry describing one banned hash - (
POST /api/v1/banning/bannedlist
)
A banned record contains the following structure
username
: username who banned the recordtext
: text description of banned recordmd5hash
: the banned hashblock_count
: total number of blocks on the banned listlast_block_sensor_id
: the last sensor id which prevented the hash from executinglast_block_time
: the last time the hash was blocked or prevented from being executedtimestamp
: date and time the record was bannedlast_block_hostname
: last hostname to block this hash
A GET response example:
GET /api/v1/banning/bannedlist
[
{
"username": "cb",
"audit": [
{
"username": "cb",
"timestamp": "2015-10-21 00:10:10.369349-07:00",
"text": "Auto-Ban From Watchlist",
"enabled": true,
"user_id": 1
}
],
"text": "Auto-Ban From Watchlist",
"md5hash": "35e664e41174ce70e910b85bcd685136",
"block_count": 0,
"user_id": 1,
"last_block_sensor_id": null,
"enabled": true,
"last_block_time": null,
"timestamp": "2015-10-21 00:10:10.369349-07:00",
"last_block_hostname": null
}
]
A POST request body example:
{
"md5hash": "f41d8cd98f00b214e9800998ecf8427e",
"text": "autoban from watchlist",
"last_ban_time": "0",
"ban_count": "0",
"last_ban_host": "0",
"enabled": "True"
}
Watchlists & Feeds
New to EDR 6.3
Two new API endpoints have been introduced as a replacement for /watchlist/action
and /feed/action
.
The old APIs are now deprecated. Our API examples should be updated to show use of new action_type
API call instead, as UI is now using.
action_type
is now specified as a key-word instead of a number:
Action to number mapping
0 | Email
1 | Syslog
2 | HTTPPost (unused by the new action_type API)
3 | Alert
Watchlist Operations
Watchlist enumeration, creation, modification, and deletion
Parameters
id
: OPTIONAL the watchlist id
Using the optional ‘id’ parameter, a caller may create a watchlist with a specific, known id. This can be useful as the watchlist id is included as part of the underlying process or binary document and therefore can be used as as search criteria.
Returns
- With no
id
parameter (GET /api/v1/watchlist
) returns a list of watchlists, with each list entry describing one watchlist - With an
id
parameter (GET /api/v1/watchlist/<id>
) returns the watchlist record for the matching id - With no
id
parameter (POST /api/v1/watchlist
) returns the watchlist record for the newly created watchlist - With an
id
parameter (PUT /api/v1/watchlist/<id>
) returns the watchlist record for the newly updated watchlist
A watchlist record has the following structure:
id
: the id of this watchlistalliance_id
: the id of this watchlist on the Carbon Black Alliance server; this value is internal to Carbon Blackfrom_alliance
: boolean indication as to if this watchlist was provided by the Carbon Black Alliance Serverdate_added
: the date this watchlist was created on this Enterprise Serverindex_type
: the type of watchlist. Valid values are ‘modules’ and ‘events’ for binary and process watchlists, respectivelylast_hit
: timestamp of the last time this watchlist triggered a matchlast_hit_count
: count of lifetime watchlist matchesname
: name of this watchlistsearch_query
: the raw Carbon Black query that this watchlist matches
Get Watchlists
Retrieves a JSON array of all Watchlists.
Supports: GET
Request
GET <host>/api/v1/watchlist
GET https://test.carbonblack.io/api/v1/watchlist
Response
[
{
"last_execution_result": 0,
"last_hit_count": 1,
"description": null,
"search_query": "cb.urlver=1&q=is_executable_image%3Afalse&sort=server_added_timestamp%20desc",
"enabled": true,
"search_timestamp": "2019-05-09T14:20:06.234Z",
"name": "Newly Loaded Modules",
"index_type": "modules",
"last_execution_time_ms": "36",
"date_added": "2016-07-12 19:19:35.874613+00:00",
"total_hits": "57243",
"group_id": -1,
"total_tags": "57243",
"id": "2",
"last_hit": "2019-05-08 04:20:06.538442+00:00",
"readonly": false
}
]
Get Watchlist by ID
Get details for a single watchlist.
Supports: GET
Request
GET <host>/api/v1/watchlist/<id>
GET https://test.carbonblack.io/api/v1/watchlist/2
Response
[
{
"last_execution_result": 0,
"last_hit_count": 1,
"description": null,
"search_query": "cb.urlver=1&q=is_executable_image%3Afalse&sort=server_added_timestamp%20desc",
"enabled": true,
"search_timestamp": "2019-05-09T14:20:06.234Z",
"name": "Newly Loaded Modules",
"index_type": "modules",
"last_execution_time_ms": "36",
"date_added": "2016-07-12 19:19:35.874613+00:00",
"total_hits": "57243",
"group_id": -1,
"total_tags": "57243",
"id": "2",
"last_hit": "2019-05-08 04:20:06.538442+00:00",
"readonly": false
}
]
Create a new Watchlist
Creates a new Watchlist within EDR, if successful, it will respond with the ID of the new watchlist.
Supports: POST
Request
POST <host>/api/v1/watchlist
POST https://test.carbonblack.io/api/v1/watchlist/
Body
{
"name":"sm-test-postman",
"search_query":"q=process_name%3Achrome.exe",
"description":"",
"index_type":"events"
}
Response
{
"id": 710
}
Update a Watchlist
Updates a Watchlist that is specified using ID.
You can use the enabled
parameter in the body to enable/disable the watchlist.
Note: The watchlist_id value will increase by one each time the search_query is updated. For example, if you update a watchlist with a watchlist_id of 709, it will increment the watchlist_id to 710 when the PUT operation for updating search_query is successful. If the PUT operation is for updating search_query the parameters `move_actions_from_watchlist_id` and `search_query` are required.
Supports: PUT
Request
PUT <host>/api/v1/watchlist/<id>
PUT https://test.carbonblack.io/api/v1/watchlist/709
Body
{
"enabled":true,
"name": "watchlist_name",
"description": "let's update the description",
"search_query":"q=process_name%3Achrome.exe",
"move_actions_from_watchlist_id": <id>,
"index_type":"events"
}
Response
{
"id": "<id>"
}
Delete a Watchlist
Delete a Watchlist that is specified using ID.
Supports: DELETE
Request
DELETE https://test.carbonblack.io/api/v1/watchlist/709
Response
{
"result": "success"
}
Get Watchlist Action Types
Retrieves a JSON array of actions that are enabled or disabled for a single watchlist.
Required permissions: Viewer in any group
Supports: GET
Request
GET <host>/api/v1/watchlist/<id>/action_type
GET https://test.carbonblack.io/api/v1/watchlist/2/action_type
Response
[
{
"enabled": false,
"action_type": "email"
},
{
"enabled": false,
"action_type": "syslog"
},
{
"enabled": true,
"action_type": "alert"
}
]
Get Specific Action for a Watchlist (id)
Retrieves current status (enabled or not) of the action_type
specified for this watchlist for the current user.
Required permissions: Analyst in any group
Supports: GET
Request
GET <host>/api/v1/watchlist/<id>/action_type/<action>
GET https://test.carbonblack.io/api/v1/watchlist/2/action_type/email
Options for action_type
: syslog
, email
, alert
(this is not an exhaustive list, more options could be available).
Response
{
"enabled": false
}
Change Specific Action Status for a Watchlist (id)
PUT will enable or disable a specific action_type for this watchlist and current user.
Required permissions: Analyst in any group
Supports: PUT
Request
PUT <host>/api/v1/watchlist/<id>/action_type/<action>
PUT https://test.carbonblack.io/api/v1/watchlist/2/action_type/email
Options for action_type
: syslog
, email
, alert
(this is not an exhaustive list, more options could be available).
Body
{
"enabled":true
}
Response
{
"result": "success"
}
Feed Operations
/api/v1/feed/(id)
Feed enumeration, creation, modification, and deletion
Supports: GET
, PUT
, POST
, DELETE
Parameters
id
: OPTIONAL the feed id
Returns
- With no id parameter (
GET /api/v1/feed
) returns a list of configured feeds, with each list entry describing one feed - With no id parameter (
POST /api/v1/feed
) returns the feed record for the newly created feed - With an id parameter (
PUT /api/v1/feed/<id>
) returns the feed record for the newly updated feed
A feed record has the following structure:
provider_url
: URL associated with the feed as a whole; this is a human-consumable link to more information about the feed provider and is not consumed by the Carbon Black serverdisplay_name
: Name of the feed as displayed in the Carbon Black web consolename
: internal name of the feed; must be alphanumeric. used when searching e.g. alliance_score_feedname:[10 to *]feed_url
: url of the feed itself; must begin with one offile://
,http://
, orhttps://
enabled
: boolean indicator as to if the feed is enabledsummary
: human-consumable summary of the feedtech_data
: human-consumable technical summary of the feedvalidate_server_cert
: boolean indicator as to if the Carbon Black server should verify the feed server certificate. only applies to feeds provided via HTTPSid
: internal id of the feed; this id is used during feed modification and deletionicon
: base64-encoded icon representing the feedmanually_added
: boolean indicator as to if the feed was added manually. If logical false, this means the feed was provided by the Carbon Black Allianceorder
: a numeric hint as to the display order in the Carbon Black web consoleuse_proxy
: boolean indicator as to if the Carbon Black server should use a web proxy when retrieving the feed contents
Get Feeds
Retrieves a JSON array of all Feeds.
Supports: GET
Request
GET <host>/api/v1/feed
GET https://test.carbonblack.io/api/v1/feed
Response
[
{
"provider_url": "https://www.bit9.com/solutions/cloud-services/",
"ssl_client_crt": null,
"local_rating": null,
"requires_who": null,
"icon_small": "",
"id": 9,
"category": "Bit9 + Carbon Black First Party",
"display_name": "Bit9 Software Reputation Service Trust",
"use_proxy": null,
"feed_url": "https://api.alliance.carbonblack.com/feed/SRSTrust",
"username": null,
"validate_server_cert": null,
"ssl_client_key": null,
"manually_added": false,
"password": null,
"icon": "",
"provider_rating": 3,
"name": "SRSTrust",
"tech_data": "It is necessary to share MD5s of observed binaries with the Carbon Black Alliance to use this feed",
"requires": null,
"enabled": true,
"summary": "The Cb Reputation Trust feed provides a level of software trustworthness",
"requires_what": null,
"order": 2
}
]
Get Feed by ID
Get details for a single feed.
Supports: GET
Request
GET <host>/api/v1/feed/<id>
GET https://test.carbonblack.io/api/v1/feed/9
Response
{
"category": "Bit9 + Carbon Black First Party",
"provider_url": "https://www.bit9.com/solutions/cloud-services/",
"provider_rating": 3,
"display_name": "Bit9 Software Reputation Service Trust",
"name": "SRSTrust",
"feed_url": "https://api.alliance.carbonblack.com/feed/SRSTrust",
"requires_what": null,
"use_proxy": null,
"enabled": true,
"summary": "The Cb Reputation Trust feed provides a level of software trustworthness",
"tech_data": "It is necessary to share MD5s of observed binaries with the Carbon Black Alliance to use this feed",
"local_rating": null,
"requires_who": null,
"validate_server_cert": null,
"icon_small": "",
"manually_added": false,
"order": 2,
"requires": null,
"id": 9,
"icon":""
}
Get Feed Action Types
Retrieves a JSON array of actions that are enabled or disabled for a single feed.
Required permissions: Viewer in any group
Supports: GET
Request
GET <host>/api/v1/feed/<id>/action_type
GET https://test.carbonblack.io/api/v1/feed/2/action_type
Response
[
{
"enabled": false,
"action_type": "email"
},
{
"enabled": true,
"action_type": "syslog"
},
{
"enabled": true,
"action_type": "alert"
}
]
Get Specific Action for a Feed (id)
Retrieves current status (enabled or not) of the action_type
specified for this feed for the current user.
Required permissions: Analyst in any group
Supports: GET
Request
GET <host>/api/v1/feed/<id>/action_type/<action>
GET https://test.carbonblack.io/api/v1/feed/9/action_type/email
Options for action_type
: syslog
, email
, alert
(this is not an exhaustive list, more options could be available).
Response
{
"enabled": false
}
Change Specific Action Status for a Feed (id)
PUT will enable or disable a specific action_type for this feed and current user.
Required permissions: Analyst in any group
Supports: PUT
Request
PUT <host>/api/v1/feed/<id>/action_type/<action>
PUT https://test.carbonblack.io/api/v1/feed/9/action_type/email
Options for action_type
: syslog
, email
, alert
(this is not an exhaustive list, more options could be available).
Body
{
"enabled":true
}
Response
{
"result": "success"
}
Threat Reports
Search Threat Reports
GET /api/v1/threat_report
Each Feed contains zero or more Threat Reports. The Search Threat Report API route allows you to search the content of these threat reports. For more information on creating EDR Threat Intelligence Feeds, see the Threat Intelligence Feed Reference.
Parameters
q
: REQUIRED Query string. Accepts the same data as the search box on the Threat Report page. See the Query overview for the query syntax.rows
: OPTIONAL Return this many rows, 10 by default.start
: OPTIONAL Start at this row, 0 by default.sort
: OPTIONAL Sort rows by this field and order.last_update desc
by default.facet
: OPTIONAL Return facet results. ‘false’ by default, set to ‘true’ for facets.
Returns
- JSON dictionary describing the threat report search results
Bulk Modify Threat Reports
POST /api/v1/threat_report
Modifying threat reports require an API key with Global Administrator privileges. Multiple threat reports can be ignored/enabled in bulk using the same call.
The only property that can be modified in a threat report is the is_ignored
property.
By setting is_ignored
to True for a threat report, any further hits on IOCs contained
within that report will no longer trigger an Alert.
Payload
To modify multiple reports at once, either specify the list of Threat Report
IDs in the ids
dictionary, or submit a query (using the URL-encoded version of the
query string described in the above section “Search Threat Reports”) in the query
string.
{
"ids": {
"<feed_id>": ["<report_id>", [...]]
},
"query: "<url-encoded query string>",
"updates": {
"is_ignored": true|false,
}
}
where either “ids” or “query” must be present, and “updates” is always required.
Returns
- Returns an HTTP 200 return code if the threat reports were modified successfully.
Sensors/Endpoints
Retrieve/Modify Sensor Details
/api/v1/sensor/(id)?hostname=(hostname)&ip=(ipaddr)&groupid=(groupid)&inactive_filter_days=(int)
Sensor / remote client details
Supports: GET
for all variations, PUT
for /api/v1/sensor/(id)
to update sensor information.
Note: In EDR 7.1 and later, the fields able to be updated using PUT are limited to network_isolation_enabled
,
restart_queued
, uninstall
, liveresponse_init
, group_id
, notes
and event_log_flush_time
.
Note: The default field used for sorting is last_checkin_time
. While the api is being used to page through all
sensors with this default sorting, it is possible that sensors will continue to check in, which will change the
results. This means that as successive pages of data are retrieved, new sensors may have moved to the top of the
list, thereby pushing sensors from a previous page of results into the next page of results and causing it to
appear that those sensors are being duplicated in the results. To overcome this possible source of confusion,
a different sorting mechanism can be specified (e.g., sort.col=computer_name
).
Parameters
id
: OPTIONAL the sensor idhostname
: OPTIONAL returns the sensor registration(s) with matching hostnameipaddr
: OPTIONAL returns the sensor registration(s) with specified IP addressgroupid
: OPTIONAL retruns the sensor registration(s) in the specified sensor group idinactive_filter_days
: OPTIONAL only returns sensors that have been inactive for less than the specified number of days
Returns
- With no parameters (
GET /api/v1/sensor
) returns a list of sensor structures, one per registered sensor. - With a sensor id, (
GET /api/v1/sensor/12
) returns a sensor structure for the specified sensor. - With a query string, (
GET /api/v1/sensor?hostname=foo
) returns a list of all sensors matching criteria
Sensor query strings are case-sensitive substring searches, for both hostname
and ip
fields. If both
hostname
and ip
fields are specified, only ip
is used.
A sensor structure has the following fields:
id
: the sensor id of this sensorbuild_id
: the sensor version installed on this endpoint. From the/api/builds/
endpointbuild_version_string
: Human-readable string of the sensor versionuptime
: Endpoint uptime in secondssystemvolume_total_size
: size, in bytes, of system volume of endpoint on which sensor in installedsystemvolume_free_size
: bytes free on the system volumeos_environment_display_string
: Human-readable string of the installed OSos_environment_id
: the operating system installed on this computer. From the internal table.physical_memory_size
: size in bytes of physical memorycomputer_dns_name
: the DNS name of the endpoint on which the sensor is installedcomputer_name
: NetBIOS name of this computersensor_health_message
: Human-readable string indicating sensor’s self-reported statuscomputer_sid
: Machine SID of this hostevent_log_flush_time
: See below.last_checkin_time
: Last communication with this computer in server-local time and zonenetwork_adapters
: A pipe-delimited list list of IP,MAC pairs for each network interfacesensor_health_status
: self-reported health score, from 0 to 100. Higher numbers betterregistration_time
: Time this sensor originally registered in server-local time and zonenext_checkin_time
: Next expected communication from this computer in server-local time and zoneboot_id
: A sequential counter of boots since the sensor was installedgroup_id
: The sensor group id this sensor is assigned todisplay
: Deprecateduninstall
: when set, indicates sensor will be directed to uninstall on next checkinparity_host_id
: Carbon Black Platform Agent Host Id; zero indicates Agent is not installednetwork_isolation_enabled
: Boolean representing network isolation request status. See below for details.is_isolating
: Boolean representing sensor-reported isolation status. See below for details.
If event_log_flush_time
is set, the server will instruct the sensor to immediately send all data before this date,
ignoring all other throttling mechansims. To force a host current, set this value to a value far in the future.
When the sensor has finished sending it’s queued data, this value will be null.
Network isolation is requested by setting network_isolation_enabled
to true
. When the sensor receives the request and enables isolation, is_isolating
will be set to true
. The combination of the two parameters creates the following potential states:
Phase | network_isolation_enabled |
is_isolating |
State |
---|---|---|---|
0 | False | False | normal state, isolation neither requested nor active |
1 | True | False | Isolation requested but not yet active |
2 | True | True | Isolation requested and active |
3 | False | True | Isolation disabled, but still active |
Transitions between states 0 to 1 and states 2 to 3 will be delayed by a few minutes, based on sensor checkin interval and online status.
A complete example:
GET http://192.168.206.154/api/v1/sensor/1
{
"systemvolume_total_size": "42939584512",
"os_environment_display_string": "Windows XP Professional Service Pack 3",
"sensor_uptime": "638",
"physical_memory_size": "536330240",
"build_id": 1,
"uptime": "666",
"computer_dns_name": "j-8205a0c27a0c4",
"id": 1,
"systemvolume_free_size": "40167079936",
"sensor_health_message": "Healthy",
"build_version_string": "003.002.000.30829",
"computer_sid": "S-1-5-21-1715567821-507921405-682003330",
"event_log_flush_time": null,
"computer_name": "J-8205A0C27A0C4",
"last_checkin_time": "2013-09-10 07:08:37.378860-07:00",
"license_expiration": "1990-01-01 00:00:00-08:00",
"network_adapters": "192.168.206.156,000c298a3613|",
"sensor_health_status": 100,
"registration_time": "2013-09-10 06:49:21.261157-07:00",
"next_checkin_time": "2013-09-10 07:09:07.368285-07:00",
"notes": null,
"os_environment_id": 1,
"boot_id": "5",
"cookie": 1291426991,
"group_id": 1,
"display": true,
"uninstall": false,
"network_isolation_enabled": false,
"is_isolating": false
}
http://192.168.206.132/api/v1/sensor?hostname=A0C4
[
{
"systemvolume_total_size": "42939584512",
"os_environment_display_string": "Windows XP Professional Service Pack 3",
"sensor_uptime": "480763",
"physical_memory_size": "536330240",
"build_id": 1,
"uptime": "480862",
"event_log_flush_time": null,
"computer_dns_name": "j-8205a0c27a0c4",
"id": 1,
"power_state": 0,
"uninstalled": null,
"systemvolume_free_size": "40083230720",
"status": "Online",
"num_eventlog_bytes": "22717",
"sensor_health_message": "Healthy",
"build_version_string": "004.000.000.30910",
"computer_sid": "S-1-5-21-1715567821-507921405-682003330",
"next_checkin_time": "2013-10-07 07:54:36.909657-07:00",
"node_id": 0,
"cookie": 556463980,
"computer_name": "J-8205A0C27A0C4",
"license_expiration": "1990-01-01 00:00:00-08:00",
"network_adapters": "192.168.206.156,000c298a3613|",
"sensor_health_status": 100,
"registration_time": "2013-02-04 06:40:04.632053-08:00",
"restart_queued": false,
"notes": null,
"num_storefiles_bytes": "446464",
"os_environment_id": 1,
"boot_id": "8",
"last_checkin_time": "2013-10-07 07:54:06.919446-07:00",
"group_id": 1,
"display": true,
"uninstall": false,
"network_isolation_enabled": false,
"is_isolating": false
}
]
Download Sensor Installer
/api/v1/group/<groupid>/installer/windows/exe
/api/v1/group/<groupid>/installer/windows/msi
/api/v1/group/<groupid>/installer/osx
/api/v1/group/<groupid>/installer/linux
Download a zip archive including a sensor installer for Windows, Mac OS X or Linux.
Supports: GET
Parameters None
Returns
- (Windows) ZIP archive including a signed Windows EXE or MSI sensor installer and settings file
- (Mac OS X) ZIP archive including a signed OSX PKG sensor installer and settings file
- (Linux) compressed tarball (tar.gz) archive including a Linux sensor installer and settings file
Get Sensor Statistics
/api/v1/sensor/statistics
Get global sensor statistics
Supports: GET
Parameters None
Note: Backlog counts are as of sensor check-in time. Any bytes pushed post-check-in, in response to a server directive, are not accounted for. This means total backlog appears artificially high and will never reach zero while sensors are active.Returns
Returns a JSON dictionary with fields as follows:
sensor_count
: total registered sensorsactive_sensor_count
: number of sensors active within the last 24 hoursnum_eventlog_bytes
: total backlog, in bytes, of eventlogs on active sensors. See notes.num_storefile_bytes
: total backlog, in bytes, of binary files (store files) on active sensors. See notes.
Ingress Approving
For more details on Ingress filters please go to our Ingress Filter Details page.
Note: In EDR 7.7 these API routes were changed to use the term approvedlist
. See earlier verions for prior route URLs.
api/v1/ingress_approvedlist
api/v1/ingress_approvedlist/{id}
api/v1/ingress_approvedlist/legacy
Supports: GET
, POST
, PUT
, DELETE
Get, update, create, or delete exclusions. A PUT will update an existing Ingress Filter, while a POST will attempt to create a new Ingress Filter.
Parameters
id
: OPTIONAL the exclusion id
Returns
id
: Optional - Unique filter identifier, in order to allow future updates. Can be any string, but should contain only alfanumeric digits and dashes (e.g. uuid). This is read-only field and honored only during initial POST.create_timestamp
: Date of creation of this filter. This is read-only field.modify_timestamp
: Date of last modification of this filter. This is read-only field.create_user_id
: ID of user that created this filter. This is a read-only field.modify_user_id
: ID of user that last modified this filter. This is a read-only field.version
: Optional - version of the filter (not used yet).priority
: Optional - Priority of the filter. Higher priority filters are guaranteed to be used first. Negative priorities can be used as well. Default priority is 0.internal
: This field is not yet used. Can be omitted.enabled
: Optional - True enables the filter. Defaults to True.filter_on_sensor
: True to push this filter to sensor. If filter was was pushed to sensor, it will not be enforced on the server. Only certain filters can be pushed to sensors today without loss of functionality. Defaults to False.filter_on_server
: True to filter on server. Defaults to True. If false, server will treat this filter as pass-through (disabled).”track_metrics
: Optional - True to capture metrics for this filter even when disabled. Defaults to True. If we are metering disabled filter, we will resort to metering small sample set to reduce performance impact.hit_rate
: Read-Only - measured 15-min hit rate for a given filter as a rate (e.g. 0.01 equals to 1% hit rate). This metric will be available only for filters that are enabled or have trackMetrics turned on. Also, this metrics counts hit rate of the process, based on pathFilters, commandLineFilters and md5Filters. It doesn’t take into the account the individual event hit rate.name
: Name of this filterdescription
: Description of this filteros_mask
: Optional - Which OS should this filter apply to (bitfield mask: 1:windows, 2:osx, 4:linux). Defaults to 7 (all OSs)global
: Optional - True to apply to all sensor groups. Defaults to truegroup_ids
: Optional - List of sensor group Ids where this filter applies to (if global == false). Defaults to empty list. Note: group_ids is ignored if global is set to true.sensor_ids
: Optional - Array of sensor ids where filter applies (applies to all sensors in selected groups if empty). Note: sensor_ids field is ignored if global is set to true.path_filters
: Optional - Array of process path filters to use (supports globbing or regex patterns).cmdline_filters
: Optional - Array of command line filters to use. Can use regex patterns (cannot use globbing patterns)md5_filters
: Optional - Array of MD5 checksums. Processes matching these MD5s will be filtered.descendant_filtering_level
: Optional - 0 = filter only matched process, 1 = matched process and immediate children, 2 = matched up to second level of descendants etc. Special value -1 matches all descendants. If not provided, defaults to 0 (matched process only)"filter_all_events
: Optional - If true, all events will be excluded for a given process (respecting descendant levels). If false, filters (below) will be applied to each event type. Defaults to true"regmod_filters
: Optional - Filters are applied to the given event field. Can use regex patternsmodload_filters
: Optional - Filters are applied to the given event field. Can use regex patternsfilemod_filters
: Optional - Filters are applied to the given event field. Can use regex patternsnon_binary_filemod_filters
: Optional - Filters are applied to the given event field. Can use regex patternsnetconn_filters
: Optional - Filters are applied to the given event field. Can use regex patternscrossproc_filters
: Optional - Filters are applied to the given event field. Can use regex patterns
Examples
Request:
GET /api/v1/ingress_approvedlist/
Response:
[
{
"group_ids": [
1,
2
],
"create_user_id": 1,
"path_filters": [
"c:\\\\test_dir"
],
"modify_user_id": 1,
"enabled": true,
"filter_on_sensor": false,
"create_timestamp": "2017-04-11T04:05:23.973Z",
"filter_all_events": true,
"modify_timestamp": "2017-04-11T04:05:24.050Z",
"hit_rate": 0.0,
"id": "1"
},
{
"group_ids": [
1,
2
],
"create_user_id": 1,
"modify_user_id": 1,
"enabled": true,
"filter_on_sensor": false,
"create_timestamp": "2017-04-11T04:44:06.695Z",
"filter_all_events": true,
"command_line_filters": [
"notepad.exe"
],
"modify_timestamp": "2017-04-11T04:44:06.866Z",
"id": "2"
}
]
Request:
GET /api/v1/ingress_approvedlist/{id}
Response:
{
"group_ids": [
1,
2
],
"create_user_id": 1,
"path_filters": [
"c:\\\\test_dir"
],
"modify_user_id": 1,
"enabled": true,
"filter_on_sensor": false,
"create_timestamp": "2017-04-11T04:05:23.973Z",
"filter_all_events": true,
"modify_timestamp": "2017-04-11T04:05:24.050Z",
"hit_rate": 0.0,
"id": "1"
}
Request:
POST /api/v1/ingress_approvedlist
Request Payload:
[
{
"id":"1",
"enabled":true,
"filter_on_sensor":false,
"group_ids":[
1,
2
],
"path_filters":[
"c:\\\\test_dir"
],
"filter_all_events":true
}
]
Response
[
"1"
]
PUT api/v1/ingress_approvedlist/test2
Request Payload Example
[
{
"os_mask":1,
"global": false,
"group_ids": [1, 2],
"path_filters":["*\\unimportant.exe", "*\\really_unimportant.exe"]
}
]
EDR Cloud IP Approving
New to EDR 6.3: Cloud customers can now approve IP addresses via the /approvedlist
endpoint. This is a useful security feature that restricts access to EDR Cloud to specific IP addresses. Access to the EDR Cloud Console and API requests will route through this service.
Workflow
Approving API Routes
List Approved IP addresses
This API request lists all approved IP addresses. If no addresses have been configured, an empty response will be provided.
Request
curl -X GET "https://cbrc.carbonblack.io/api/v1/approvedlist/entries" -H "accept: application/json" -H "X-Auth-Token: <YOUR_TOKEN>"
Response
[
{
"ipaddr": "192.168.0.1",
"id": 4
}
]
Add a new IP address
This request allows you to upload a new IP address. The POST request body requires an ipaddr
with an optional CIDR block. Example 192.168.0.1
or with CIDR 0.0.0.0/0
. Once successfully uploaded, the request will respond with an ID that uniquely identifies the IP address entry.
Warning: Make sure your IP address is correct before you add it. All API requests will also have to originate from approved IP(s). The changes after adding an IP get applied after up to 30s.
Request
curl -X POST "https://cbrc.carbonblack.io/api/approvedlist/entries" -H "accept: application/json" -H "X-Auth-Token: <YOUR_TOKEN>" -H "Content-Type: application/json" -d "{\"ipaddr\": \"192.168.0.1\"}"
Response
ID of the IP address added
New to EDR 7.7
Bulk add new IP addresses
This request allows you to upload a list of new IP address. The POST request body requires an ipaddr
with an optional CIDR block. Example 192.168.0.1
or with CIDR 0.0.0.0/0
. Once successfully uploaded, the request will respond with IDs that uniquely identifies the IP address entries.
Warning: Make sure your IP(s) is correct before you add it. All API requests will also have to originate from approved IP(s). The changes after adding IP(s) get applied after up to 30s.
Request
curl -X POST "https://cbrc.carbonblack.io/api/v1/approvedlist/entries" -H "accept: application/json" -H "X-Auth-Token: <YOUR_TOKEN>" -H "Content-Type: application/json" -d "{\"ipaddr\": [\"192.168.0.1\", \"192.168.0.2\"]}"
Response
IDs of the IP addresses added
Delete an IP address
This request allows you to delete an IP address. The DELETE request requires the unique ID of the IP address you would like to delete.
Warning: Make sure your IP is correct before you delete it. All API requests will also have to originate from approved IP(s). The changes after deleting an IP get applied after up to 30s. Deleting an IP from which the API requests originate can result in getting locked out.
Request
curl -X DELETE "https://cbrc.carbonblack.io/api/v1/approvedlist/entries/<ID>" -H "accept: application/json" -H "X-Auth-Token: <YOUR_TOKEN>"
Response
204 NO CONTENT
View Status of IP Approving
This request shows the status of the IP approving service. It is false
by default.
Request
curl -X GET "https://cbrc.carbonblack.io/api/approvedlist/enabled" -H "accept: application/json" -H "X-Auth-Token: <YOUR_TOKEN>"
Response
{
"state": false
}
Change Status of IP Approving
This request changes the status of the IP approving service. The PATCH request body requires the state
to be either true
or false
to enable or disable the service.
Request
curl -X PATCH "https://cbrc.carbonblack.io/api/approvedlist/enabled" -H "accept: application/json" -H "X-Auth-Token: <YOUR_TOKEN>" -H "Content-Type: application/json" -d "{ \"state\": true}"
Response
204 NO CONTENT
Apply Settings
Apply settings feature is deprecated. The changes from the APIs for example adding IP(s), deleting IP(s) are applied automatically after up to 30s.
Time Partitioning
/api/v1/storage/events/partition
Supports: GET
Returns list of partitions
This method will return list of partitions as JSON. Each partition will have name and status, as well as info block stating: location, size, document counts, schema, etc. Note: Cold partitions will not list numDocs, maxDocs and deletedDocs.
Parameters None
Examples
Response:
{
"cbevents_2017_03_18_1807":{
"status":"warm",
"info":{
"sizeInBytes":6132115,
"startDate":"2017-03-18T18:07:50.758813Z",
"partitionId":97639495827456,
"endDate":"2017-04-07T18:18:31.493403Z",
"deletedDocs":0,
"maxDoc":1432,
"userMounted":false,
"isLegacy":false,
"segmentCount":7,
"numDocs":1432,
"dir":"/var/cb/data/solr5/cbevents/cbevents_2017_03_18_1807",
"schema":"cbevents_v1"
},
"name":"cbevents_2017_03_18_1807"
},
"writer":{
"status":"hot",
"info":{
"sizeInBytes":825878,
"startDate":"2017-04-10T18:18:29.834738Z",
"partitionId":97769770844160,
"endDate":null,
"deletedDocs":0,
"maxDoc":355,
"userMounted":false,
"isLegacy":false,
"segmentCount":9,
"numDocs":355,
"dir":"/var/cb/data/solr5/cbevents/cbevents_2017_04_10_1818",
"schema":"cbevents_v1"
},
"name":"writer"
},
"cbevents_2017_04_07_1818":{
"status":"warm",
"info":{
"sizeInBytes":20464833,
"startDate":"2017-04-07T18:18:27.821121Z",
"partitionId":97752783781888,
"endDate":"2017-04-10T18:18:33.612997Z",
"deletedDocs":0,
"maxDoc":2780,
"userMounted":false,
"isLegacy":false,
"segmentCount":10,
"numDocs":2780,
"dir":"/var/cb/data/solr5/cbevents/cbevents_2017_04_07_1818",
"schema":"cbevents_v1"
},
"name":"cbevents_2017_04_07_1818"
},
"cbevents_2017_02_19_2012":{
"status":"warm",
"info":{
"sizeInBytes":71,
"startDate":"2017-02-19T20:12:10.312043Z",
"partitionId":97487102279680,
"endDate":"2017-03-15T18:07:34.821787Z",
"deletedDocs":0,
"maxDoc":0,
"userMounted":false,
"isLegacy":false,
"segmentCount":0,
"numDocs":0,
"dir":"/var/cb/data/solr5/cbevents/cbevents_2017_02_19_2012",
"schema":"cbevents_v1"
},
"name":"cbevents_2017_02_19_2012"
},
"cbevents_2017_03_15_1807":{
"status":"warm",
"info":{
"sizeInBytes":41374250,
"startDate":"2017-03-15T18:07:30.854679Z",
"partitionId":97622507585536,
"endDate":"2017-03-18T18:07:54.721176Z",
"deletedDocs":0,
"maxDoc":2378,
"userMounted":false,
"isLegacy":false,
"segmentCount":10,
"numDocs":2378,
"dir":"/var/cb/data/solr5/cbevents/cbevents_2017_03_15_1807",
"schema":"cbevents_v1"
},
"name":"cbevents_2017_03_15_1807"
}
}
/api/v1/storage/events/new_partition
Supports: POST
Creates new time partition. This will force roll-over current hot partition into warm partition (by renaming it to a time-stamped name) and create a new hot partition (“writer”).
Paramaters None
Returns
results
: String of the outcome when creating a new partition
/api/v1/storage/events/<partition_name>/mount
Supports: POST
Parameters
partition_name
: The name of the partition
Mounts partition with name <partition_name>
. This will mount “cold” partition into “warm” partition. Partition has to exist on disk and returned as cold in by the /api/v1/storage/events/partition
API
Paramaters
partition_name
: The name of the partition
Returns
results
: String of the outcome when mounting a new partition
/api/v1/storage/events/<partition_name>/unmount
Supports POST
Unmounts partition with name <partition_name>
. This will unmount “warm” partition into “cold” partition. Partition has to be mounted at the time and returned as cold in by the /api/v1/storage/events/partition
API
Parameters
partition_name
: The name of the partition
Returns
results
: String of the outcome when unmounting the partition
/api/v1/storage/events/<partition_name>
Supports DELETE
Unmounts and deletes partition with name <partition_name>
. This will delete partition with the specified name. If partition is “warm”, it will be unmounted first. Deleted partitions are removed from disk and cannot be mounted again.
If partition is “hot” (writer partition) call returns error.
Parameters
partition_name
: The name of the partition
Returns
results
: String of the outcome when deleting the partition
Last modified on August 15, 2023