Carbon Black API - Python language bindings

Python bindings for Carbon Black REST API

Latest Version: 1.7.10

Notice:

  • The Carbon Black Cloud portion of CBAPI has moved to https://github.com/carbonblack/carbon-black-cloud-sdk-python. Any future development and bug fixes for Carbon Black Cloud APIs will be made there. Carbon Black EDR and App Control will remain supported at CBAPI
  • Carbon Black EDR (Endpoint Detection and Response) is the new name for the product formerly called CB Response.
  • Carbon Black App Control is the new name for the product formerly called CB Protection.

These are the Python bindings for the Carbon Black EDR and App Control REST APIs. To learn more about the REST APIs, visit the Carbon Black Developer Network Website at https://developer.carbonblack.com.

Please visit https://cbapi.readthedocs.io for detailed documentation on this API.

Support

  1. View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
  2. Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
  3. Report bugs and change requests to Carbon Black Support.

Requirements

The cbapi package is designed to work on Python 2.6.6 and above (including 3.x). If you're just starting out, we recommend using the latest version of Python 3.6.x or above.

All requirements are installed as part of pip install. The legacy cbapi (cbapi.CbApi) and legacy bit9api (cbapi.bit9Api) are still compatible with Python 2.x only.

Backwards Compatibility

Backwards compatibility with old scripts is maintained through the cbapi.legacy module. Old scripts that import cbapi.CbApi directly will continue to work.

New scripts should use the cbapi.CbResponseAPI (for EDR (CB Response)) and cbapi.CbProtectionAPI (for App Control (CB Protection)) API entry points.

Getting Started

There are two ways to get started:

  1. If you want to install the latest stable version of cbapi, simply install via pip:

     pip install cbapi

  2. If you want to change cbapi itself, then you will want to install cbapi in "develop" mode. Clone this repository, cd into cbapi-python then run setup.py with the develop flag:

     python setup.py develop

Sample Code

There are several examples in the examples directory for both EDR and App Control. For a quick start, see the following code snippets:

Carbon Black EDR

from cbapi.response.models import Process, Binary, Sensor, Feed, Watchlist, Investigation
from cbapi.response.rest_api import CbEnterpriseResponseAPI

import logging
logging.basicConfig(level=logging.DEBUG)

# connect using the default credential profile (see "API Token" below)
c = CbEnterpriseResponseAPI()

# read the first four bytes of the notepad.exe binary associated with the first
# process instance of notepad.exe returned by the query
header = c.select(Process).where('process_name:notepad.exe').first().binary.file.read(4)

# if you want a specific ID, you can put it straight into the .select() call:
binary = c.select(Binary, "24DA05ADE2A978E199875DA0D859E7EB")

# isolate all sensors that ran executable_name.exe (deduplicated in a set so
# each sensor is isolated once even if it ran the executable many times)
sensors = set()
for proc in c.select(Process).where('process_name:executable_name.exe'):
    sensors.add(proc.sensor)

for s in sensors:
    s.network_isolation_enabled = True
    s.save()

Carbon Black App Control

from cbapi.protection.models import *
from cbapi.protection.rest_api import CbEnterpriseProtectionAPI

# connect using the default credential profile (see "API Token" below)
p = CbEnterpriseProtectionAPI()

# Select the first file instance
fi = p.select(FileInstance).first()

# print that computer's hostname
print(fi.computer.name)

# change the policy ID of the computer the file instance was found on
fi.computer.policyId = 3
fi.computer.save()

API Token

In order to perform any queries via the API, you will need to get the API token for your CB user. See the documentation on the Developer Network website on how to acquire the API token for CB Response or CB Protection.

Once you acquire your API token, place it in one of the default credentials file locations:

  • /etc/carbonblack/
  • ~/.carbonblack/
  • /current_working_directory/.carbonblack/

For distinction between credentials of different Carbon Black products, use the following naming convention for your credentials files:

  • credentials.response for EDR (CB Response)
  • credentials.protection for App Control (CB Protection)

For example, if you use a Carbon Black Cloud product, you should have created a credentials file in one of these locations:

  • /etc/carbonblack/credentials.response
  • ~/.carbonblack/credentials.response
  • /current_working_directory/.carbonblack/credentials.response

Credentials found in a later path will overwrite earlier ones.

The credentials are stored in INI format. The name of each credential profile is enclosed in square brackets, followed by key-value pairs providing the necessary credential information:

[default]
url=https://localhost
token=abcdef0123456789abcdef
ssl_verify=False

[prod]
url=https://cbserver.prod.corp.com
token=aaaaaa
ssl_verify=True

[otheruser]
url=https://localhost
token=bbbbbb
ssl_verify=False

The possible options for each credential profile are:

  • url: The base URL of the Carbon Black server. This should include the protocol (https) and the hostname, and nothing else.
  • token: The API token for the user ID. More than one credential profile can be specified for a given server, with different tokens for each.
  • ssl_verify: True or False; controls whether the SSL/TLS certificate presented by the server is validated against the local trusted CA store.
  • org_key: The organization key. This is required to access the Carbon Black Cloud, and can be found in the console. The format is 123ABC45.
  • proxy: A proxy specification that will be used when connecting to the CB server. The format is: http://myusername:mypassword@proxy.company.com:8001/ where the hostname of the proxy is proxy.company.com, port 8001, and using username/password myusername and mypassword respectively.
  • ignore_system_proxy: If you have a system-wide proxy specified, setting this to True will force cbapi to bypass the proxy and directly connect to the CB server.

Future versions of cbapi may provide the ability to "pin" the TLS certificate so as to provide certificate verification on self-signed or internal CA signed certificates.
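As an added example (not code from the cbapi project), the following stand-alone Python reproduces the credential lookup rules described above using only the standard library: the three default directories are searched in order, a later path overrides an earlier one (merged key by key here, which is this example's assumption), every profile is an INI section with the url / token / ssl_verify / proxy keys, and each profile is checked for the mistakes that matter most in practice (a url that is not just scheme and host, a missing token, ssl_verify=False, a malformed proxy). The helper names (merge_profiles, load_credentials, check_profile, audit) are this example's own, and the two sample file contents are constructed stand-ins for files on disk.

```python
"""Added example, not cbapi's own code: load and sanity-check a cbapi-style
credentials file using only the standard library.

Rules reproduced from the README: the three default directories are
searched in order, values from a later path override earlier ones (merged
key by key here, an assumption of this example), and each profile is an INI
section with url / token / ssl_verify / proxy / ignore_system_proxy keys.
The helper names below are this example's own, not part of the cbapi API.
"""
import configparser
import os
import stat
from urllib.parse import urlparse

# The default search locations from the README, lowest precedence first.
DEFAULT_DIRS = (
    "/etc/carbonblack",
    os.path.expanduser("~/.carbonblack"),
    os.path.join(os.getcwd(), ".carbonblack"),
)


def merge_profiles(ini_texts):
    """Merge INI documents in order into {profile: {key: value}}.

    Feeding each document into the same parser makes a later document
    override keys of an earlier one while keeping keys it does not mention.
    interpolation=None keeps a literal '%' in tokens or proxy passwords.
    """
    parser = configparser.ConfigParser(interpolation=None)
    for text in ini_texts:
        parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def load_credentials(product="response", search_dirs=DEFAULT_DIRS):
    """Read credentials.<product> from every search directory that has one."""
    texts = []
    for directory in search_dirs:
        path = os.path.join(directory, "credentials.%s" % product)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            # The token is a bearer secret; refuse files other users can read.
            raise PermissionError("%s is group/other accessible (mode %o)" % (path, mode))
        with open(path) as fh:
            texts.append(fh.read())
    return merge_profiles(texts)


def check_profile(profile):
    """Return the problems found in one profile; an empty list means it is usable."""
    problems = []
    url = urlparse(profile.get("url", ""))
    if url.scheme != "https" or not url.netloc or url.path not in ("", "/") or url.query:
        problems.append("url must be https://<host>[:port] and nothing else")
    if not profile.get("token"):
        problems.append("token is missing")
    ssl_verify = profile.get("ssl_verify", "True").strip().lower()
    if ssl_verify not in ("true", "false"):
        problems.append("ssl_verify must be True or False")
    elif ssl_verify == "false":
        problems.append("ssl_verify=False disables server certificate validation")
    proxy = urlparse(profile.get("proxy", ""))
    if profile.get("proxy") and (proxy.scheme not in ("http", "https") or not proxy.hostname):
        problems.append("proxy must look like http://user:password@host:port/")
    return problems


# Constructed sample contents standing in for /etc/carbonblack/credentials.response
# (system-wide) and ~/.carbonblack/credentials.response (per-user).
SYSTEM_FILE = """
[default]
url=https://localhost
token=abcdef0123456789abcdef
ssl_verify=False
"""

USER_FILE = """
[default]
url=https://cbserver.prod.corp.com
token=aaaaaa
ssl_verify=True

[otheruser]
url=https://localhost
token=bbbbbb
ssl_verify=False
proxy=http://myusername:mypassword@proxy.company.com:8001/
"""


def audit(ini_texts=(SYSTEM_FILE, USER_FILE)):
    """Merge the given files and map each profile name to its list of problems."""
    return {name: check_profile(p) for name, p in merge_profiles(ini_texts).items()}


if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the block prints one line per merged profile: with the two sample files the per-user [default] wins over the system-wide one and passes, while [otheruser] is flagged only for ssl_verify=False. To audit real files instead of the constructed samples, pass the result of load_credentials() to check_profile; load_credentials refuses a credentials file that is group- or world-readable, since the token it holds is a bearer secret.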
