CarbonBlack Response v2.0.0

About the connector

CarbonBlack Response captures information about events and data records for every endpoint and offers you the ability to respond and remediate attacks in real time, stopping active attacks and repairing the damage quickly.

This document provides information about the CarbonBlack Response connector, which facilitates automated interactions with a CarbonBlack Response server using FortiSOAR™ playbooks. Add the CarbonBlack Response connector as a step in FortiSOAR™ playbooks and perform automated operations, such as isolating endpoints, getting information about files, retrieving details of a process running on an endpoint, and blocking a particular MD5 hash. This gives you the ability to investigate and contain a file-based incident in a fully automated manner.

Version information

Connector Version: 2.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with CarbonBlack Response Versions: 6.0 and later

Release Notes for version 2.0.0

The following enhancements have been made to the CarbonBlack Response connector in version 2.0.0:

  • Added the following operations: Get Sensor(s) Information, Get All Processes, Get Process Connections, Get All Block Hashes, Delete File, Search Alerts, Update Alert, Bulk Update Alerts and Get Watchlist.
  • Obsoleted the following operations: List Sensors and Get Process List.
  • Merged the Isolate Sensors by Process Name Match, Isolate Sensors by MD5 Match, and Isolate Sensors by Hostname/IP into a single operation named Isolate Sensor.
  • Merged Unisolate Sensors by Process name Match, Unisolate Sensors by MD5 Match, and Unisolate Sensors by Hostname/IP operations into a single operation named Remove Isolation.

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

  • You must have the IP address or Hostname URL of the CarbonBlack Response server to which you will connect and perform the automated operations and credentials to access that server.
  • You must have the API key used to access the CarbonBlack Response API.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the CarbonBlack Response connector and click Configure to configure the following parameters:

Server URL: IP address or hostname URL of the CarbonBlack Response server to which you will connect and perform the automated operations.
  If you do not specify the http or https protocol in this field, then by default the https protocol is used.
API Key: API key that is configured for your account to access the CarbonBlack Response REST API.
Verify SSL: Specifies whether the SSL certificate for the server is to be verified or not.
  By default, this option is set to True.
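The three configuration parameters above are easy to get subtly wrong in a playbook (a bare hostname without a scheme, a Verify SSL value stored as the string "false", an API key pasted into the URL). The following added example, which is not the connector's own code, shows how a connector-style configuration check could normalize the Server URL with the documented https default, interpret the Verify SSL setting, and surface the two settings that weaken transport security. The function names, the config dictionary keys and the warning strings are assumptions made for this example; the X-Auth-Token header is the one the CarbonBlack Response REST API reads its API key from.

```python
# Added example (not the connector's own code): validate the connector's
# configuration parameters as the page describes them. Server URL defaults
# to https when no scheme is given; Verify SSL defaults to True.
from typing import Any, Dict, List
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = ("http", "https")


def normalize_server_url(server_url: str) -> str:
    """Return a canonical base URL for the CarbonBlack Response server.

    "10.0.0.5" -> "https://10.0.0.5"; "cb.example.test/" -> "https://cb.example.test";
    an explicit http:// or https:// prefix is kept. Anything else is rejected.
    """
    value = server_url.strip()
    if not value:
        raise ValueError("Server URL must not be empty")
    # No scheme given: the page says https is used by default.
    if "://" not in value:
        value = "https://" + value
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use http or https")
    if not parts.hostname:
        raise ValueError("Server URL has no host")
    if parts.username or parts.password:
        # Credentials belong in the API Key field, never embedded in the URL.
        raise ValueError("Server URL must not embed credentials")
    # Keep scheme, host:port and any path prefix; drop query/fragment and a
    # trailing slash so endpoint paths can be appended cleanly.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")).rstrip("/")


def parse_verify_ssl(raw: Any) -> bool:
    """Interpret the Verify SSL setting; an unset value means True."""
    if isinstance(raw, bool):
        return raw
    if raw is None:
        return True
    text = str(raw).strip().lower()
    if text in ("false", "0", "no", "off"):
        return False
    if text in ("true", "1", "yes", "on", ""):
        return True
    raise ValueError(f"Verify SSL must be a boolean, got {raw!r}")


def build_connection(config: Dict[str, Any]) -> Dict[str, Any]:
    """Turn the raw connector config (assumed keys server_url, api_key,
    verify_ssl) into the base URL, headers and verify flag a request needs,
    plus a list of warnings about weakened transport security."""
    api_key = str(config.get("api_key", "")).strip()
    if not api_key:
        raise ValueError("API Key is required")
    verify = parse_verify_ssl(config.get("verify_ssl", True))
    base_url = normalize_server_url(config["server_url"])
    warnings: List[str] = []
    if not verify:
        warnings.append("Verify SSL is False: the server certificate will not be checked")
    if base_url.startswith("http://"):
        warnings.append("plain http: the API key will be sent unencrypted")
    return {
        "base_url": base_url,
        "headers": {"X-Auth-Token": api_key},
        "verify": verify,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample configuration, as a playbook might store it.
    sample = {"server_url": "cb.example.test", "api_key": "EXAMPLE-KEY", "verify_ssl": "false"}
    conn = build_connection(sample)
    print(conn["base_url"], conn["verify"])
    for warning in conn["warnings"]:
        print("warning:", warning)
```

A connector that logs these warnings at configuration time makes it obvious in the playbook execution log when a test environment's verify=False setting has been carried into production.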

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Each entry gives the function, its description, and its annotation and category in parentheses.

Get Sensor(s) Information: Retrieves details about all sensors (endpoints) or specific sensor(s) from the CarbonBlack Response server, based on the input parameters you have specified. (Annotation: get_endpoint_info; Category: Investigation)
Isolate Sensor: Isolates sensor(s) on the CarbonBlack Response server based on the Hostname, IP Address, Process Name or Filehash (MD5) you have specified. (Annotation: isolate_endpoint; Category: Containment)
Remove Isolation: Removes isolation on sensor(s) from the CarbonBlack Response server based on the Hostname, IP Address, Process Name or Filehash (MD5) you have specified. (Annotation: unisolate_endpoint; Category: Remediation)
Get All Processes: Retrieves a list of all running processes along with their details from the CarbonBlack Response server, based on the sensor details you have specified. (Annotation: get_processes; Category: Investigation)
Get Process Connections: Retrieves a list of connections for a specific sensor and process from the CarbonBlack Response server, based on the sensor and process details you have specified. (Annotation: get_network_connections; Category: Investigation)
Terminate Process: Terminates a process running on an endpoint on the CarbonBlack Response server, based on the sensor and process details you have specified. (Annotation: terminate_process; Category: Investigation)
Get File Information: Retrieves information about a file from the CarbonBlack Response server, based on the filehash you have specified. (Annotation: get_file_info; Category: Investigation)
Hunt File: Hunts for a file and retrieves details for that file from the CarbonBlack Response server, based on the file type and filehash you have specified. (Annotation: hunt_file; Category: Investigation)
Get All Block Hashes: Retrieves a list of all blacklisted filehashes and their details from the CarbonBlack Response server. (Annotation: get_hash_blacklist; Category: Investigation)
Block Hash: Blocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. (Annotation: block_hash; Category: Containment)
Unblock Hash: Unblocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. (Annotation: unblock_hash; Category: Remediation)
Delete File: Deletes a particular file from the CarbonBlack Response server, based on the sensor details and file path you have specified. (Annotation: delete_file; Category: Containment)
Run Query: Runs a search query on the endpoint to retrieve binary or process information from the CarbonBlack Response server. (Annotation: run_advance_search; Category: Investigation)
Search Alerts: Searches for alerts on the CarbonBlack Response server, based on the search query you have specified. (Annotation: search_alert; Category: Investigation)
Update Alert: Updates the status of an alert on the CarbonBlack Response server, based on the input parameters you have specified. (Annotation: update_alert; Category: Investigation)
Bulk Update Alerts: Updates the status of multiple alerts on the CarbonBlack Response server, based on the input parameters you have specified. (Annotation: update_alert; Category: Investigation)
Get Watchlist: Retrieves a list along with its details for all watchlists or a specific watchlist (if you have specified the watchlist ID) from the CarbonBlack Response server. (Annotation: get_watchlist; Category: Investigation)

operation: Get Sensor(s) Information

Input parameters

Filter Options: Options based on which the results retrieved from the CarbonBlack Response server will be filtered.
  You can choose from the following options:
    All: Retrieves a list along with the details of all sensors from the CarbonBlack Response server.
    Hostname: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the hostname you specify.
    IP Address: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the IP address you specify.
    Sensor ID: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the Sensor ID you specify.
Value: Specify the value of the filter option you have selected. If you have selected All, do not add any input to this field.
  For example, if you select IP Address, then enter the IP address based on which you want to filter the sensor results retrieved from the CarbonBlack Response server.

Output

The JSON output contains the details about all sensors or specific sensor(s) retrieved from the CarbonBlack Response server, based on the input parameters you have specified.

Following image displays a sample output:

Sample output of the Get Sensor(s) Information operation

operation: Isolate Sensor

Input parameters

Input Type: Options based on which you want to isolate a sensor on the CarbonBlack Response server.
  You can choose from the following options:
    Hostname: Name of the host that you want to isolate on the CarbonBlack Response server.
    IP Address: Single IPv4 address of the host that you want to isolate on the CarbonBlack Response server.
    Process Name: Isolate all sensors on the CarbonBlack Response server on which the specified process name exists.
    Filehash: Isolate all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists.
Value: Specify the value of the input type you have selected.
  For example, if you select IP Address, then enter the IPv4 address of the host that you want to isolate on the CarbonBlack Response server.

Output

The JSON output contains a list of isolated sensor(s) which are successfully isolated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Isolate Sensor operation

operation: Remove Isolation

Input parameters

Input Type: Options based on which you want to remove the isolation on sensor(s) from the CarbonBlack Response server.
  You can choose from the following options:
    Hostname: Name of the host whose isolation you want to remove from the CarbonBlack Response server.
    IP Address: Single IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server.
    Process Name: Remove isolation for all sensors on the CarbonBlack Response server on which the specified process name exists.
    Filehash: Remove isolation for all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists.
Value: Specify the value of the input type you have selected.
  For example, if you select IP Address, then enter the IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server.
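The Get Sensor(s) Information, Isolate Sensor and Remove Isolation operations all take an input type plus a free-text Value, and the page is specific about what each Value must be: empty for All, a single IPv4 address for IP Address, an MD5 for Filehash. The Process Name and Filehash input types also act on every sensor where the match exists, so a malformed or overly broad Value turns a one-host containment step into a fleet-wide one. The following added example, which is not the connector's own code, validates and normalizes the Value for each input type before the playbook step runs and flags the fleet-wide types. The function names and return structure are assumptions made for this example; it applies the IPv4 rule the page states for isolation to the sensor filter as well.

```python
# Added example (not the connector's own code): validate the Value a playbook
# supplies for a given input type before calling the CarbonBlack Response
# server, and flag input types that can match many sensors at once.
import ipaddress
import re
from typing import Any, Dict, Optional

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

# Input types each operation accepts, as listed on the page.
OPERATION_INPUT_TYPES = {
    "Get Sensor(s) Information": {"All", "Hostname", "IP Address", "Sensor ID"},
    "Isolate Sensor": {"Hostname", "IP Address", "Process Name", "Filehash"},
    "Remove Isolation": {"Hostname", "IP Address", "Process Name", "Filehash"},
}

# These match every sensor on which the process or hash exists.
FLEET_WIDE_INPUT_TYPES = {"Process Name", "Filehash"}


def validate_value(input_type: str, value: Any) -> Optional[str]:
    """Return the normalized Value for input_type, or raise ValueError."""
    text = "" if value is None else str(value).strip()
    if input_type == "All":
        if text:
            raise ValueError("Value must be empty when the filter option is All")
        return None
    if not text:
        raise ValueError(f"Value is required for input type {input_type}")
    if input_type == "Hostname":
        if not HOSTNAME_RE.match(text):
            raise ValueError(f"{text!r} is not a valid hostname")
        return text.lower()
    if input_type == "IP Address":
        try:
            # IPv4Address rejects IPv6, CIDR ranges and comma-separated lists.
            return str(ipaddress.IPv4Address(text))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"{text!r} is not a single IPv4 address") from exc
    if input_type == "Sensor ID":
        if not text.isdigit():
            raise ValueError(f"{text!r} is not a numeric sensor ID")
        return str(int(text))
    if input_type == "Process Name":
        return text
    if input_type == "Filehash":
        if not MD5_RE.match(text):
            raise ValueError(f"{text!r} is not an MD5 hash (32 hex digits)")
        return text.lower()
    raise ValueError(f"unknown input type {input_type!r}")


def prepare_request(operation: str, input_type: str, value: Any) -> Dict[str, Any]:
    """Check that operation accepts input_type, normalize the Value, and
    report whether the request can affect many endpoints at once."""
    allowed = OPERATION_INPUT_TYPES.get(operation)
    if allowed is None:
        raise ValueError(f"unknown operation {operation!r}")
    if input_type not in allowed:
        raise ValueError(f"{operation} does not accept input type {input_type!r}")
    return {
        "operation": operation,
        "input_type": input_type,
        "value": validate_value(input_type, value),
        "fleet_wide": input_type in FLEET_WIDE_INPUT_TYPES,
    }


if __name__ == "__main__":
    # Constructed sample inputs as a playbook might pass them.
    for args in (("Isolate Sensor", "IP Address", " 10.20.30.40 "),
                 ("Isolate Sensor", "Filehash", "D41D8CD98F00B204E9800998ECF8427E"),
                 ("Isolate Sensor", "IP Address", "10.20.30.0/24")):
        try:
            print(prepare_request(*args))
        except ValueError as err:
            print("rejected:", err)
```

A playbook can gate on the fleet_wide flag, for instance by requiring a manual approval step before an Isolate Sensor request by Process Name or Filehash is sent.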

Output

The JSON output contains a list of sensor(s) whose isolation is successfully removed from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Remove Isolation operation

operation: Get All Processes

Input parameters

Sensor Details: Options based on which you want to retrieve running process information from the CarbonBlack Response server.
  You can choose from the following options:
    Hostname: Name of the host for which you want to retrieve process information from the CarbonBlack Response server.
    IP Address: Single IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server.
    Sensor ID: ID of the sensor for which you want to retrieve process information from the CarbonBlack Response server.
Value: Specify the value of the sensor details you have selected.
  For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server.

Output

The JSON output contains a list and details of all running processes on the specified sensor retrieved from the CarbonBlack Response server. The details of running processes include information such as process guid, parent, command line, created time, and username.

Following image displays a sample output:

Sample output of the Get All Processes operation

operation: Get Process Connections

Input parameters

Sensor Details: Options based on which you want to specify the endpoint for which you want to retrieve process connection information from the CarbonBlack Response server.
  You can choose from the following options:
    Hostname: Name of the host for which you want to retrieve process connection information from the CarbonBlack Response server.
    IP Address: Single IPv4 address of the host for which you want to retrieve process connection information from the CarbonBlack Response server.
Value: Specify the value of the sensor details you have selected.
  For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process connection information from the CarbonBlack Response server.
Process Details: Options based on which you want to specify the process for which you want to retrieve process connection information from the CarbonBlack Response server.
  You can choose from the following options:
    Process Name: Name of the process for which you want to retrieve process connection information from the CarbonBlack Response server.
    Process ID: ID of the process for which you want to retrieve process connection information from the CarbonBlack Response server.
Value: Specify the value of the process details you have selected.
  For example, if you select Process Name, then enter the name of the process for which you want to get network connections from the CarbonBlack Response server.

Output

The JSON output contains a list of network connections for a specific process running on the specified sensor retrieved from the CarbonBlack Response server. The details of each connection include information such as direction, Carbon Black process id, pid, domain, port, IP address, and process name.

Following image displays a sample output:

Sample output of the Get Process Connections operation

operation: Terminate Process

Input parameters

Sensor Details: Options based on which you want to specify the endpoint on which you want to terminate the process on the CarbonBlack Response server.
  You can choose from the following options:
    Hostname: Name of the host on which you want to terminate the process on the CarbonBlack Response server.
    IP Address: Single IPv4 address of the host on which you want to terminate the process on the CarbonBlack Response server.
Value: Specify the value of the sensor details you have selected.
  For example, if you select IP Address, then enter the IPv4 address of the host on which you want to terminate the process on the CarbonBlack Response server.
Process Details: Options based on which you want to specify which process you want to terminate on the CarbonBlack Response server.
  You can choose from the following options:
    Process Name: Name of the process that you want to terminate on the CarbonBlack Response server.
    Process ID: ID of the process that you want to terminate on the CarbonBlack Response server.
Value: Specify the value of the process details you have selected.
  For example, if you select Process Name, then enter the name of the process that you want to terminate on the CarbonBlack Response server.

Output

The JSON output contains a list of process IDs that were terminated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Terminate Process operation

operation: Get File Information

Input parameters

Filehash: Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server.

Note: To get a result for this operation, you must provide inputs only in the form of process and binary MD5 hash values.

Output

The JSON output contains information such as last seen, host count, timestamp, and product version for the specified file retrieved from the CarbonBlack Response server, based on the filehash value you have specified.

Following image displays a sample output:

Sample output of the Get File Information operation

operation: Hunt File

Input parameters

File Type: Type of file you want to hunt for on the CarbonBlack Response server.
  You can choose from the following options: Process or Binary.
Filehash: Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server.
Start Record From (Optional): Returns the results retrieved from the CarbonBlack Response server starting from the specified record number. The default is set to 0.
Number of Records (Optional): Number of records that you want this operation to return. The default is set to 10.

Output

The JSON output contains information such as sensor id, hostname, process id, and path of the file, retrieved from the CarbonBlack Response server, based on the file type and filehash value you have specified.

Following image displays a sample output:

Sample output of the Hunt File operation

operation: Get All Block Hashes

Input parameters

None

Output

The JSON output contains a list of all blacklisted filehashes and their details retrieved from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Get All Block Hashes operation

operation: Block Hash

Input parameters

Filehash: Filehash value (MD5 hash value only) for the file that you want to block on the CarbonBlack Response server.

Output

The JSON contains a Success message if the specified MD5 value is successfully blocked across the endpoints on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Block Hash (MD5) operation

operation: Unblock Hash

Input parameters

Filehash: Filehash value (MD5 hash value only) for the file that you want to unblock on the CarbonBlack Response server.

Output

The JSON contains a Success message if the specified MD5 value is successfully unblocked across the endpoints on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Unblock Hash (MD5) operation

operation: Delete File

Input parameters

Input Type: Options based on which you want to delete a file from the CarbonBlack Response server.
  You can choose from the following options:
    Hostname: Name of the host on which you want to delete a file from the CarbonBlack Response server.
    IP Address: Single IPv4 address of the host on which you want to delete a file from the CarbonBlack Response server.
    Sensor ID: ID of the sensor on which you want to delete a file from the CarbonBlack Response server.
Value: Specify the value of the input type you have selected.
  For example, if you select IP Address, then enter the IPv4 address of the host on which you want to delete a file from the CarbonBlack Response server.
File Path: Full path of the file that you want to delete from the CarbonBlack Response server.

Output

The JSON output contains a Success message if the specified file is successfully deleted from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Delete File operation

operation: Run Query

Input parameters

Query Type: Type of query that you want to run on the CarbonBlack Response server.
  You can choose from the following options: Process or Binary.
CarbonBlack Query: Query to be run on the CarbonBlack Response server.
Start Record From (Optional): Returns the results retrieved from the CarbonBlack Response server starting from the specified record number. The default is set to 0.
Number of Records (Optional): Number of records that you want this operation to return. The default is set to 10.

Output

The JSON output depends on the query that you run on the CarbonBlack Response server.

For example, if you run the following query: query = "process_name:win *.exe" with query_type = "process", then the JSON output will contain a list of the processes and details of each process such as sensor id, process pid, hostname, md5, and parent name.

Following image displays a sample output:

Sample output of the Run Query operation

operation: Search Alerts

Input parameters

CarbonBlack Query: Query to be run on the CarbonBlack Response server based on which you want to retrieve alerts from the CarbonBlack Response server.
Status: Status of the alert that you are searching for on the CarbonBlack Response server.
  You can select from the following options: All, In Progress, Unresolved, Resolved, and False Positive.
Sort By: Sort the results retrieved from the CarbonBlack Response server based on this option.
  You can choose from the following options: Severity, Most Recent, Least Recent, Alert Name Ascending or Alert Name Descending.
Start Record From (Optional): Returns the results retrieved from the CarbonBlack Response server starting from the specified record number. The default is set to 0.
Number of Records (Optional): Number of records that you want this operation to return. The default is set to 10.
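Hunt File, Run Query and Search Alerts all page their results through the same pair of parameters, Start Record From (default 0) and Number of Records (default 10). A playbook that calls one of these operations once therefore sees at most the first ten hits, which is easy to miss when a hunt for a hash is expected to return every affected sensor. The following added example, which is not the connector's own code, shows a page-walking loop over those two parameters with the guards a practitioner needs: it stops on an empty or short page, uses the reported total when one is present, skips records repeated across page boundaries, and caps the total number of records pulled. The search function, its field names (results, total_results, unique_id) and the sample alert records are constructed for this example.

```python
# Added example (not the connector's own code): walk every page of a
# Start Record From / Number of Records style search, with guards against
# runaway loops and records repeated across pages.
from typing import Callable, Dict, Iterator, List, Optional, Set

# Constructed sample data: 23 fake alert records standing in for a server
# response. Field names are assumed for this example.
SAMPLE_ALERTS: List[Dict] = [
    {
        "unique_id": f"alert-{i:03d}",
        "status": "Resolved" if i % 3 == 0 else "Unresolved",
        "hostname": f"ws-{i % 5:02d}",
    }
    for i in range(23)
]


def fake_search(start: int, rows: int) -> Dict:
    """Stand-in for one Search Alerts call: start is Start Record From,
    rows is Number of Records. Returns the page plus the overall total."""
    return {"total_results": len(SAMPLE_ALERTS), "results": SAMPLE_ALERTS[start:start + rows]}


def iter_all_results(search: Callable[[int, int], Dict], rows: int = 10,
                     max_records: int = 1000) -> Iterator[Dict]:
    """Yield every record by advancing start by the page size until the
    server reports no more, never returning more than max_records."""
    if rows <= 0:
        raise ValueError("rows must be positive")
    start = 0
    seen: Set[str] = set()
    while True:
        page = search(start, rows)
        results = page.get("results") or []
        if not results:
            return  # past the end, or the server returned nothing: stop rather than spin
        for rec in results:
            key = rec.get("unique_id")
            if key in seen:
                continue  # a record shifted between pages (e.g. new alerts arrived)
            seen.add(key)
            yield rec
            if len(seen) >= max_records:
                return  # hard cap so a broad query cannot pull the whole database
        start += len(results)
        total = page.get("total_results")
        if (total is not None and start >= total) or len(results) < rows:
            return  # reported total reached, or a short page means no more records


def collect_alerts(search: Callable[[int, int], Dict] = fake_search, rows: int = 10,
                   status: Optional[str] = None, max_records: int = 1000) -> List[Dict]:
    """Collect all pages and optionally keep only one alert status
    (All, like no status, keeps everything)."""
    records = list(iter_all_results(search, rows, max_records))
    if status and status != "All":
        records = [r for r in records if r["status"] == status]
    return records


if __name__ == "__main__":
    first_page_only = fake_search(0, 10)["results"]
    everything = collect_alerts(rows=10)
    print(f"single call returned {len(first_page_only)} of {len(everything)} alerts")
    print(f"{len(collect_alerts(status='Resolved'))} resolved alerts")
```

The same loop applies to Hunt File and Run Query; only the search callable and the record key differ. The max_records cap is worth keeping even in a trusted environment, since a query such as the one in the Run Query example below can match a large share of the process history.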

Output

The JSON output contains details of the alerts such as unique id, md5, watchlist name, alert type, status, or observed host retrieved from the CarbonBlack Response server, based on the input parameters you have specified.

Following image displays a sample output:

Sample output of the Search Alerts operation

operation: Update Alert

Input parameters

Unique ID: Unique ID of the alert whose status you want to update on the CarbonBlack Response server.
Status: Status to which you want the specified alert to be updated on the CarbonBlack Response server.
  You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved.

Output

The JSON output contains a Success message if the status of the specified alert is successfully updated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Update Alert operation

operation: Bulk Update Alerts

Input parameters

Alert IDs: Comma-separated list of unique IDs of alerts whose status you want to update on the CarbonBlack Response server.
Status: Status to which you want the specified alerts to be updated on the CarbonBlack Response server.
  You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved.

Output

The JSON output contains a Success message if the status of all the specified alerts is successfully updated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Bulk Update Alerts operation

operation: Get Watchlist

Input parameters

Watchlist ID: Unique ID of the watchlist whose details you want to retrieve from the CarbonBlack Response server.
  Note: If you do not specify any watchlist ID, then this operation will retrieve a list of all available watchlists from the CarbonBlack Response server.

Output

The JSON output contains a list along with its details for all watchlists or a specific watchlist (if you have specified the watchlist ID) retrieved from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Get Watchlist operation

Included playbooks

The Sample - CarbonBlack-Response - 2.0.0 playbook collection comes bundled with the CarbonBlack Response connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CarbonBlack Response connector.

  • Block Hash
  • Bulk Update Alerts
  • Delete File
  • Get All Block Hashes
  • Get All Processes
  • Get File Information
  • Get Process Connections
  • Get Sensor(s) Information
  • Get Watchlist
  • Hunt File
  • Isolate Sensor
  • Remove Isolation
  • Run Query
  • Search Alerts
  • Terminate Process
  • Unblock Hash
  • Update Alert

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

Previous
Next

About the connector

CarbonBlack Response captures information about events and data records for every endpoint and offers you the ability to respond and remediate attacks in real time, stopping active attacks and repairing the damage quickly.

This document provides information about the CarbonBlack Response connector, which facilitates automated interactions, with a CarbonBlack Response server using FortiSOAR™ playbooks. Add the CarbonBlack Response connector as a step in FortiSOAR™ playbooks and perform automated operations, such as isolating endpoints, getting information about files, and automatically getting details of a process running on an endpoint and blocking a particular MD5 hash, which provides you the ability to investigate and contain a file-based incident in a fully automated manner.

Version information

Connector Version: 2.0.0

Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later

Compatibility with CarbonBlack Response Versions: 6.0 and later

Release Notes for version 2.0.0

Following enhancements have been made to the CarbonBlack Response in version 2.0.0:

Installing the connector

For the procedure to install a connector, click here.

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, select the CarbonBlack Response connector and click Configure to configure the following parameters:

Parameter Description
Server URL IP address or Hostname URL of the CarbonBlack Response server to which you will connect and perform the automated operations.
If you do not specify the http or https protocol in this field, then by default the https protocol is used.
API Key API key that is configured for your account to access the CarbonBlack Response REST API.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

Function Description Annotation and Category
Get Sensor(s) Information Retrieves details about all sensors (endpoints) or specific sensor(s) from the CarbonBlack Response server, based on the input parameters you have specified. get_endpoint_info
Investigation
Isolate Sensor Isolates sensor(s) on the CarbonBlack Response server based on Hostname, IP Address, Process Name or Filehas(MD5) you have specified. isolate_endpoint
Containment
Remove Isolation Removes isolation on sensor(s) from the CarbonBlack Response server based on Hostname, IP Address, Process Name or Filehas(MD5) you have specified. unisolate_endpoint
Remediation
Get All Processes Retrieves a list of all running processes along with its details from the CarbonBlack Response server, based on the sensor details you have specified. get_processes
Investigation
Get Process Connections Retrieves a list of connections for a specific sensor and process from the CarbonBlack Response server, based on the sensor and process details you have specified. get_network_connections
Investigation
Terminate Process Terminates a process running on an endpoint on the CarbonBlack Response server, based on the sensor and process details you have specified. terminate_process
Investigation
Get File Information Retrieves information about a file from the CarbonBlack Response server, based on the filehash you have specified. get_file_info
Investigation
Hunt File Hunts for a file retrieves details for that file from the CarbonBlack Response server, based on the file type and filehash you have specified. hunt_file
Investigation
Get All Block Hashes Retrieves a list of all blacklisted filehashes and their details from the CarbonBlack Response server. get_hash_blacklist
Investigation
Block Hash Blocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. block_hash
Containment
Unblock Hash Unblocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. unblock_hash
Remediation
Delete File Deletes a particular file from the CarbonBlack Response server, based on the sensor details and file path you have specified. delete_file
Containment
Run Query Runs a search query on the endpoint to retrieve the information of binary or process from the CarbonBlack Response server. run_advance_search
Investigation
Search Alerts Searches for alerts on the CarbonBlack Response server, based on the search query you have specified. search_alert
Investigation
Update Alert Updates the status of an alert on the CarbonBlack Response server, based on the input parameters you have specified. update_alert
Investigation
Bulk Update Alerts Updates the status of multiple alerts on the CarbonBlack Response server, based on the input parameters you have specified. update_alert
Investigation
Get Watchlist Retrieves a list along with its details for all watchlists or specific watchlist (if you have specified the watchlist ID) from the CarbonBlack Response server. get_watchlist
Investigation

operation: Get Sensor(s) Information

Input parameters

Parameter Description
Filter Options Options based on which the results retrieved from the CarbonBlack Response server will be filtered.
You can choose from the following options:
All: Retrieves a list along with the details of all sensors from the CarbonBlack Response server.
Hostname: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the hostname you specify.
IP Address: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the IP address you specify.
Sensor ID: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the Sensor ID you specify.
Value Specify the value of the filter option you have selected. If you have selected All do not add any input to this field.
For example if you select IP Address, then enter the IP address based on which you want to filter the sensor results retrieved from the CarbonBlack Response servers.

Output

The JSON output contains the details about all sensors or specific sensor(s) retrieved from the CarbonBlack Response server, based on the input parameters you have specified.

Following image displays a sample output:

Sample output of the Get Sensor(s) Information operation

operation: Isolate Sensor

Input parameters

Parameter Description
Input Type Options based on which you want to isolate a sensor on the CarbonBlack Response server.
You can choose from the following options:
Hostname: Name of the host that you want to isolate on the CarbonBlack Response server.
IP Address: Single IPv4 address of the host that you want to isolate on the CarbonBlack Response server.
Process Name: Isolate all sensors on the CarbonBlack Response server on which the specified process name exists.
Filehash: Isolate all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists.
Value Specify the value of the input type you have selected.
For example, if you select IP Address, then enter the IPv4 address of the host that you want to isolate on the CarbonBlack Response server.

Output

The JSON output contains a list of isolated sensor(s) which are successfully isolated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Isolate Sensor operation

operation: Remove Isolation

Input parameters

Parameter Description
Input Type Options based on which you want to remove the isolation on sensor(s) from the CarbonBlack Response server.
You can choose from the following options:
Hostname: Name of the host whose isolation you want to remove from the CarbonBlack Response server.
IP Address: Single IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server.
Process Name: Remove isolation for all sensors on the CarbonBlack Response server on which the specified process name exists.
Filehash: Remove isolation for all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists.
Value Specify the value of the input type you have selected.
For example, if you select IP Address, then enter the IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server.

Output

The JSON output contains a list of sensor(s) whose isolation is successfully removed from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Remove Isolation operation

operation: Get All Processes

Input parameters

Parameter Description
Sensor Details Options based on which you want to retrieve running process information from the CarbonBlack Response server.
You can choose from the following options:
Hostname: Name of the host for which you want to retrieve process information from the CarbonBlack Response server.
IP Address: Single IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server.
Sensor ID: ID of the sensor for which you want to retrieve process information from the CarbonBlack Response server.
Value Specify the value of the sensor details you have selected.
For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server.

Output

The JSON output contains a list and details of all running processes on the specified sensor retrieved from the CarbonBlack Response server. The details of running processes include information such as process guid, parent, command line, created time, and username.

Following image displays a sample output:

Sample output of the Get All Processes operation

operation: Get Process Connections

Input parameters

Parameter Description
Sensor Details Options based on which you want to specify the endpoint for which you want to retrieve process connection information from the CarbonBlack Response server.
You can choose from the following options:
Hostname: Name of the host for which you want to retrieve process connections information from the CarbonBlack Response server.
IP Address: Single IPv4 address of the host for which you want to retrieve process connections information from the CarbonBlack Response server.
Value Specify the value of the sensor details you have selected.
For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process connections information from the CarbonBlack Response server.
Process Details Options based on which you want to specify the process for which you want to retrieve process connection information from the CarbonBlack Response server.
You can choose from the following options:
Process Name: Name of the process for which you want to retrieve process connections information from the CarbonBlack Response server.
Process ID: ID of the process for which you want to retrieve process connections information from the CarbonBlack Response server.
Value Specify the value of the process details you have selected.
For example, if you select Process Name, then enter the name of the process for which you want to get network connections from the CarbonBlack Response server.

Output

The JSON output contains a list of network connections for the specified process running on the specified sensor, retrieved from the CarbonBlack Response server. Each connection includes information such as direction, Carbon Black process id, pid, domain, port, IP address, and process name.

Following image displays a sample output:

Sample output of the Get Process Connections operation

operation: Terminate Process

Input parameters

Parameter Description
Sensor Details Options based on which you want to specify the endpoint on which you want to terminate the process on the CarbonBlack Response server.
You can choose from the following options:
Hostname: Name of the host for which you want to terminate the process on the CarbonBlack Response server.
IP Address: Single IPv4 address of the host for which you want to terminate the process on the CarbonBlack Response server.
Value Specify the value of the sensor details you have selected.
For example, if you select IP Address, then enter the IPv4 address of the host on which you want to terminate the process.
Process Details Options based on which you want to specify the process that you want to terminate on the endpoint through the CarbonBlack Response server.
You can choose from the following options:
Process Name: Name of the process that you want to terminate on the endpoint. Prefer Process ID when several processes can share this name, so that only the intended process is terminated.
Process ID: ID of the process that you want to terminate on the endpoint.
Value Specify the value of the process details you have selected.
For example, if you select Process Name, then enter the name of the process that you want to terminate.

Output

The JSON output contains a list of the process IDs that were terminated on the specified endpoint through the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Terminate Process operation

operation: Get File Information

Input parameters

Parameter Description
Filehash Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server.

Note: This operation accepts only MD5 hash values of processes or binaries; other hash types, such as SHA-256, return no result.

Output

The JSON output contains information such as last seen, host count, timestamp, and product version for the file with the specified filehash, retrieved from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Get File Information operation

operation: Hunt File

Input parameters

Parameter Description
File Type Type of file you want to hunt for on the CarbonBlack Response server.
You can choose from the following options: Process or Binary.
Filehash Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server.
Start Record From (Optional) Index of the first record to return from the results retrieved from the CarbonBlack Response server. The default is set to 0, which returns results from the first record.
Number of Records (Optional) Maximum number of records that this operation returns. The default is set to 10; results beyond this count are not returned, so increase it or page through the results using Start Record From when a hunt can match more than 10 records.

Output

The JSON output contains information such as sensor id, hostname, process id, and path of the file, retrieved from the CarbonBlack Response server, based on the file type and filehash value you have specified.

Following image displays a sample output:

Sample output of the Hunt File operation

operation: Get All Block Hashes

Input parameters

None

Output

The JSON output contains a list of all blacklisted filehashes and their details retrieved from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Get All Block Hashes operation

operation: Block Hash

Input parameters

Parameter Description
Filehash Filehash value (MD5 hash value only) for the file that you want to block on the CarbonBlack Response server.

Output

The JSON contains a Success message if the specified MD5 value is successfully blocked across the endpoints on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Block Hash (MD5) operation

operation: Unblock Hash

Input parameters

Parameter Description
Filehash Filehash value (MD5 hash value only) for the file that you want to unblock on the CarbonBlack Response server.

Output

The JSON contains a Success message if the specified MD5 value is successfully unblocked across the endpoints on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Unblock Hash (MD5) operation
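Get File Information, Hunt File, Block Hash and Unblock Hash take MD5 values only, while threat feeds commonly deliver SHA-1 or SHA-256 alongside. The following Python is an added example, not connector code: it normalises a candidate hash (whitespace, case, and an optional md5: or {md5} prefix, which is an assumed feed convention) and rejects anything that is not 32 hex digits, naming the digest it appears to be so the playbook can log why an indicator was skipped rather than sending it to the connector step. The sample indicators are the well-known digests of empty input plus constructed malformed values.

```python
"""Input validation for the MD5-only operations (Get File Information, Hunt File,
Block Hash, Unblock Hash). Added example, not connector code; it checks format
only and does not talk to the server.
"""
import re

_HEX = re.compile(r"[0-9a-fA-F]+")
# Hex-digit lengths of common digests, used only to explain a rejection.
_KNOWN_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
# Prefixes some feeds put in front of a digest (assumption for the example).
_PREFIXES = ("md5:", "{md5}")


class HashFormatError(ValueError):
    """Raised when a value cannot be used as an MD5 input."""


def normalize_md5(value):
    """Return value as a lowercase 32-hex-digit MD5 string, or raise HashFormatError."""
    if not isinstance(value, str):
        raise HashFormatError(f"expected a string, got {type(value).__name__}")
    candidate = value.strip()
    for prefix in _PREFIXES:
        if candidate.lower().startswith(prefix):
            candidate = candidate[len(prefix):]
    if not _HEX.fullmatch(candidate):
        raise HashFormatError(f"{value!r} contains non-hex characters")
    if len(candidate) != 32:
        kind = _KNOWN_LENGTHS.get(len(candidate), f"{len(candidate)}-digit")
        raise HashFormatError(
            f"{value!r} looks like {kind}; these operations take MD5 only")
    return candidate.lower()


def split_md5_indicators(values):
    """Partition a mixed IOC list into (usable MD5s, {rejected value: reason})."""
    usable, rejected = [], {}
    for raw in values:
        try:
            md5 = normalize_md5(raw)
            if md5 not in usable:          # dedupe after normalisation
                usable.append(md5)
        except HashFormatError as err:
            rejected[raw] = str(err)
    return usable, rejected


# Constructed indicator list: the MD5 of empty input twice (different case and
# stray whitespace), the SHA-256 of empty input, a truncated value, a typo.
SAMPLE_IOCS = [
    "D41D8CD98F00B204E9800998ECF8427E",
    " d41d8cd98f00b204e9800998ecf8427e\n",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "deadbeef",
    "zz41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    usable, rejected = split_md5_indicators(SAMPLE_IOCS)
    print("send to Block Hash:", usable)
    for raw, why in rejected.items():
        print("skip", repr(raw), "->", why)
```

Running the validation once, before the loop over Block Hash steps, keeps a single bad indicator from aborting the whole playbook, and the reason string gives the analyst something more useful than a generic connector failure.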

operation: Delete File

Input parameters

Parameter Description
Input Type Options based on which you want to specify the endpoint from which the file is deleted through the CarbonBlack Response server.
You can choose from the following options:
Hostname: Name of the host from which you want to delete the file.
IP Address: Single IPv4 address of the host from which you want to delete the file.
Sensor ID: ID of the sensor from which you want to delete the file.
Value Specify the value of the input type you have selected.
For example, if you select IP Address, then enter the IPv4 address of the host from which you want to delete the file.
File Path Full path, on the specified endpoint, of the file that you want to delete. The path is interpreted on the endpoint, so use the endpoint's native path syntax.

Output

The JSON output contains a Success message if the specified file is successfully deleted from the specified endpoint through the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Delete File operation

operation: Run Query

Input parameters

Parameter Description
Query Type Type of query that you want to run on the CarbonBlack Response server.
You can choose from the following options: Process or Binary.
CarbonBlack Query Query to be run on the CarbonBlack Response server.
Start Record From (Optional) Index of the first record to return from the results retrieved from the CarbonBlack Response server. The default is set to 0, which returns results from the first record.
Number of Records (Optional) Maximum number of records that this operation returns. The default is set to 10; results beyond this count are not returned, so increase it or page through the results using Start Record From when a query can match more than 10 records.

Output

The JSON output depends on the query that you run on the CarbonBlack Response server.

For example, if you run the query "process_name:win *.exe" with Query Type set to Process, the JSON output contains a list of the matching processes and, for each process, details such as sensor id, process pid, hostname, md5, and parent name.

Following image displays a sample output:

Sample output of the Run Query operation

operation: Search Alerts

Input parameters

Parameter Description
CarbonBlack Query Query that is run on the CarbonBlack Response server to select the alerts to retrieve.
Status Status of the alert that you are searching for on the CarbonBlack Response server.
You can select from the following options: All, In Progress, Unresolved, Resolved, and False Positive.
Sort By Sort the results retrieved from the CarbonBlack Response server based on this option.
You can choose from the following options: Severity, Most Recent, Least Recent, Alert Name Ascending or Alert Name Descending.
Start Record From (Optional) Index of the first alert to return from the results retrieved from the CarbonBlack Response server. The default is set to 0, which returns results from the first alert.
Number of Records (Optional) Maximum number of alerts that this operation returns. The default is set to 10; alerts beyond this count are not returned, so increase it or page through the results using Start Record From when a search can match more than 10 alerts.

Output

The JSON output contains details of the alerts such as unique id, md5, watchlist name, alert type, status, or observed host retrieved from the CarbonBlack Response server, based on the input parameters you have specified.

Following image displays a sample output:

Sample output of the Search Alerts operation
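Hunt File, Run Query and Search Alerts all page their results with Start Record From and Number of Records, and the default of 10 records means a hunt or search that returns exactly 10 hits may be truncated. The following Python is an added example, not connector code, that walks the full result set by advancing the start index. It assumes the operation is available as a callable fetch(start, rows) returning a dict with results and total_results keys, the shape of the CarbonBlack Response search API responses; the in-memory fetch and the 37 constructed hits stand in for a real step so the example runs offline.

```python
"""Paging through Hunt File, Run Query and Search Alerts results.

Added example, not connector code. fetch(start, rows) is assumed to wrap one of
those operations and to return {'results': [...], 'total_results': N}.
"""


def fetch_all(fetch, rows=100, max_records=10_000):
    """Collect every result by advancing start in steps of what was returned.

    Stops when a page comes back empty, when total_results has been reached,
    or when max_records is hit; the ceiling keeps a broad query from pulling
    the whole database into a playbook variable.
    """
    if rows <= 0:
        raise ValueError("rows must be positive")
    collected, start = [], 0
    while True:
        page = fetch(start, rows)
        results = page.get("results", [])
        collected.extend(results)
        total = page.get("total_results", len(collected))
        if not results or len(collected) >= total or len(collected) >= max_records:
            return collected[:max_records]
        start += len(results)        # step by what was returned, not by rows


def make_fake_fetch(records):
    """Build a fetch(start, rows) over an in-memory list (constructed stand-in)."""
    def fetch(start, rows):
        return {"results": records[start:start + rows], "total_results": len(records)}
    return fetch


# Constructed hunt hits (not real data): 37 sensors reporting the same MD5.
HUNT_HITS = [{"sensor_id": i, "hostname": f"WS-{i:03d}",
              "path": r"c:\users\public\updchk.exe"} for i in range(1, 38)]

if __name__ == "__main__":
    fetch = make_fake_fetch(HUNT_HITS)
    first_page = fetch(0, 10)          # what one call with the defaults sees
    print(len(first_page["results"]), "of", first_page["total_results"], "with defaults")
    everything = fetch_all(fetch, rows=10)
    print(len(everything), "after paging")
```

Stepping start by the number of records actually returned, rather than by rows, keeps the loop correct if the server returns a shorter page than requested; checking total_results as well as the empty-page condition avoids one wasted request at the end of every full set.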

operation: Update Alert

Input parameters

Parameter Description
Unique ID Unique ID of the alert whose status you want to update on the CarbonBlack Response server.
Status Status to which you want the specified alert to be updated on the CarbonBlack Response server.
You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved.

Output

The JSON output contains a Success message if the status of the specified alert is successfully updated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Update Alert operation

operation: Bulk Update Alerts

Input parameters

Parameter Description
Alert IDs Comma-separated list of unique IDs of alerts whose status you want to update on the CarbonBlack Response server.
Status Status to which you want the specified alerts to be updated on the CarbonBlack Response server.
You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved.

Output

The JSON output contains a Success message if the status of all the specified alerts is successfully updated on the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Bulk Update Alerts operation

operation: Get Watchlist

Input parameters

Parameter Description
Watchlist ID Unique ID of the watchlist whose details you want to retrieve from the CarbonBlack Response server.
Note: If you do not specify any watchlist ID, then this operation will retrieve a list of all available watchlists from the CarbonBlack Response server.

Output

The JSON output contains the list of all watchlists, or the single watchlist whose Watchlist ID you specified, along with their details, retrieved from the CarbonBlack Response server.

Following image displays a sample output:

Sample output of the Get Watchlist operation

Included playbooks

The Sample - CarbonBlack-Response - 2.0.0 playbook collection comes bundled with the CarbonBlack Response connector. These playbooks contain steps that perform every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CarbonBlack Response connector.

Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
