CarbonBlack Response captures information about events and data records for every endpoint and offers you the ability to respond to and remediate attacks in real time, stopping active attacks and repairing the damage quickly.
This document provides information about the CarbonBlack Response connector, which facilitates automated interactions with a CarbonBlack Response server using FortiSOAR™ playbooks. Add the CarbonBlack Response connector as a step in FortiSOAR™ playbooks to perform automated operations such as isolating endpoints, getting information about files, getting details of a process running on an endpoint, and blocking a particular MD5 hash, which gives you the ability to investigate and contain a file-based incident in a fully automated manner.
Connector Version: 2.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with CarbonBlack Response Versions: 6.0 and later
The following enhancements have been made to the CarbonBlack Response connector in version 2.0.0:
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the CarbonBlack Response connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | IP address or hostname (URL) of the CarbonBlack Response server to which you connect to perform the automated operations. If you do not specify the http or https protocol in this field, https is used by default. |
API Key | API key that is configured for your account to access the CarbonBlack Response REST API. |
Verify SSL | Specifies whether the SSL certificate presented by the server is verified. By default, this option is set to True. Leave verification enabled wherever possible: with it turned off, the API key carried in every request can be read by anyone able to intercept the connection between FortiSOAR™ and the server. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get Sensor(s) Information | Retrieves details about all sensors (endpoints) or specific sensor(s) from the CarbonBlack Response server, based on the input parameters you have specified. | get_endpoint_info Investigation |
Isolate Sensor | Isolates sensor(s) on the CarbonBlack Response server based on the Hostname, IP Address, Process Name or Filehash (MD5) you have specified. | isolate_endpoint Containment |
Remove Isolation | Removes isolation on sensor(s) from the CarbonBlack Response server based on the Hostname, IP Address, Process Name or Filehash (MD5) you have specified. | unisolate_endpoint Remediation |
Get All Processes | Retrieves a list of all running processes, along with their details, from the CarbonBlack Response server, based on the sensor details you have specified. | get_processes Investigation |
Get Process Connections | Retrieves a list of connections for a specific sensor and process from the CarbonBlack Response server, based on the sensor and process details you have specified. | get_network_connections Investigation |
Terminate Process | Terminates a process running on an endpoint on the CarbonBlack Response server, based on the sensor and process details you have specified. | terminate_process Investigation |
Get File Information | Retrieves information about a file from the CarbonBlack Response server, based on the filehash you have specified. | get_file_info Investigation |
Hunt File | Hunts for a file and retrieves details for that file from the CarbonBlack Response server, based on the file type and filehash you have specified. | hunt_file Investigation |
Get All Block Hashes | Retrieves a list of all blacklisted filehashes and their details from the CarbonBlack Response server. | get_hash_blacklist Investigation |
Block Hash | Blocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. | block_hash Containment |
Unblock Hash | Unblocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. | unblock_hash Remediation |
Delete File | Deletes a particular file from the CarbonBlack Response server, based on the sensor details and file path you have specified. | delete_file Containment |
Run Query | Runs a search query on the CarbonBlack Response server to retrieve binary or process information. | run_advance_search Investigation |
Search Alerts | Searches for alerts on the CarbonBlack Response server, based on the search query you have specified. | search_alert Investigation |
Update Alert | Updates the status of an alert on the CarbonBlack Response server, based on the input parameters you have specified. | update_alert Investigation |
Bulk Update Alerts | Updates the status of multiple alerts on the CarbonBlack Response server, based on the input parameters you have specified. | update_alert Investigation |
Get Watchlist | Retrieves a list of all watchlists along with their details, or the details of a specific watchlist (if you have specified the watchlist ID), from the CarbonBlack Response server. | get_watchlist Investigation |
Operation: Get Sensor(s) Information
Parameter | Description |
---|---|
Filter Options | Option by which the results retrieved from the CarbonBlack Response server are filtered. You can choose from the following options: All: Retrieves a list, with details, of all sensors on the CarbonBlack Response server. Hostname: Retrieves the sensors that match the hostname you specify. IP Address: Retrieves the sensors that match the IP address you specify. Sensor ID: Retrieves the sensor that matches the Sensor ID you specify. |
Value | Value of the filter option you have selected. If you selected All, leave this field empty. For example, if you selected IP Address, enter the IP address by which you want to filter the sensors retrieved from the CarbonBlack Response server. |
The JSON output contains the details of all sensors, or of the specific sensor(s), retrieved from the CarbonBlack Response server, based on the input parameters you have specified.
The following image displays a sample output:
Operation: Isolate Sensor
Parameter | Description |
---|---|
Input Type | Options based on which you want to isolate a sensor on the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host that you want to isolate on the CarbonBlack Response server. IP Address: Single IPv4 address of the host that you want to isolate on the CarbonBlack Response server. Process Name: Isolate all sensors on the CarbonBlack Response server on which the specified process name exists. Filehash: Isolate all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists. |
Value | Specify the value of the input type you have selected. For example, if you select IP Address, then enter the IPv4 address of the host that you want to isolate on the CarbonBlack Response server. |
The JSON output contains the list of sensor(s) that were successfully isolated on the CarbonBlack Response server.
The following image displays a sample output:
Operation: Remove Isolation
Parameter | Description |
---|---|
Input Type | Options based on which you want to remove the isolation on sensor(s) from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host whose isolation you want to remove from the CarbonBlack Response server. IP Address: Single IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server. Process Name: Remove isolation for all sensors on the CarbonBlack Response server on which the specified process name exists. Filehash: Remove isolation for all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists. |
Value | Specify the value of the input type you have selected. For example, if you select IP Address, then enter the IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server. |
The JSON output contains a list of sensor(s) whose isolation is successfully removed from the CarbonBlack Response server.
The following image displays a sample output:
Operation: Get All Processes
Parameter | Description |
---|---|
Sensor Details | Options based on which you want to retrieve running process information from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host for which you want to retrieve process information from the CarbonBlack Response server. IP Address: Single IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server. Sensor ID: ID of the sensor for which you want to retrieve process information from the CarbonBlack Response server. |
Value | Specify the value of the sensor details you have selected. For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server. |
The JSON output contains a list and details of all running processes on the specified sensor retrieved from the CarbonBlack Response server. The details of running processes include information such as process guid, parent, command line, created time, and username.
The following image displays a sample output:
Operation: Get Process Connections
Parameter | Description |
---|---|
Sensor Details | Option by which you specify the endpoint for which you want to retrieve process connection information from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host for which you want to retrieve process connection information. IP Address: Single IPv4 address of the host for which you want to retrieve process connection information. |
Value | Value of the sensor details option you have selected. For example, if you select IP Address, enter the IPv4 address of the host for which you want to retrieve process connection information from the CarbonBlack Response server. |
Process Details | Option by which you specify the process for which you want to retrieve process connection information from the CarbonBlack Response server. You can choose from the following options: Process Name: Name of the process for which you want to retrieve process connection information. Process ID: ID of the process for which you want to retrieve process connection information. |
Value | Value of the process details option you have selected. For example, if you select Process Name, enter the name of the process for which you want to retrieve network connections from the CarbonBlack Response server. |
The JSON output contains a list of network connections for the specified process running on the specified sensor, retrieved from the CarbonBlack Response server. The connection details include direction, Carbon Black process id, pid, domain, port, IP address, and process name.
The following image displays a sample output:
Operation: Terminate Process
Parameter | Description |
---|---|
Sensor Details | Option by which you specify the endpoint on which you want to terminate the process on the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host on which you want to terminate the process. IP Address: Single IPv4 address of the host on which you want to terminate the process. |
Value | Value of the sensor details option you have selected. For example, if you select IP Address, enter the IPv4 address of the host on which you want to terminate the process on the CarbonBlack Response server. |
Process Details | Option by which you specify which process you want to terminate on the CarbonBlack Response server. You can choose from the following options: Process Name: Name of the process that you want to terminate. Process ID: ID of the process that you want to terminate. |
Value | Value of the process details option you have selected. For example, if you select Process Name, enter the name of the process that you want to terminate on the CarbonBlack Response server. |
The JSON output contains a list of the process IDs that were terminated on the CarbonBlack Response server.
The following image displays a sample output:
Operation: Get File Information
Parameter | Description |
---|---|
Filehash | Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server. |
Note: To get a result for this operation, you must provide inputs only in the form of process and binary MD5 hash values.
The JSON output contains information such as last seen, host count, timestamp, and product version for the specified file, retrieved from the CarbonBlack Response server based on the filehash value you have specified.
The following image displays a sample output:
Operation: Hunt File
Parameter | Description |
---|---|
File Type | Type of file you want to hunt for on the CarbonBlack Response server. You can choose from the following options: Process or Binary. |
Filehash | Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server. |
Start Record From | (Optional) Returns the result retrieved from the CarbonBlack Response server from the specified number. The default is set to 0. |
Number of Records | (Optional) Number of records that you want this operation to return. The default is set to 10. |
The JSON output contains information such as sensor id, hostname, process id, and path of the file, retrieved from the CarbonBlack Response server, based on the file type and filehash value you have specified.
The following image displays a sample output:
Operation: Get All Block Hashes
None: this operation does not take any input parameters.
The JSON output contains a list of all blacklisted filehashes and their details retrieved from the CarbonBlack Response server.
The following image displays a sample output:
Operation: Block Hash
Parameter | Description |
---|---|
Filehash | Filehash value (MD5 hash value only) for the file that you want to block on the CarbonBlack Response server. |
The JSON output contains a Success message if the specified MD5 value is successfully blocked across the endpoints on the CarbonBlack Response server.
The following image displays a sample output:
Operation: Unblock Hash
Parameter | Description |
---|---|
Filehash | Filehash value (MD5 hash value only) for the file that you want to unblock on the CarbonBlack Response server. |
The JSON output contains a Success message if the specified MD5 value is successfully unblocked across the endpoints on the CarbonBlack Response server.
The following image displays a sample output:
Operation: Delete File
Parameter | Description |
---|---|
Input Type | Options based on which you want to delete a file from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host on which you want to delete a file from the CarbonBlack Response server. IP Address: Single IPv4 address of the host on which you want to delete a file from the CarbonBlack Response server. Sensor ID: ID of the sensor on which you want to delete a file from the CarbonBlack Response server. |
Value | Specify the value of the input type you have selected. For example, if you select IP Address, then enter the IPv4 address of the host on which you want to delete a file from the CarbonBlack Response server. |
File Path | Full path of the file that you want to delete from the CarbonBlack Response server. |
The JSON output contains a Success message if the specified file is successfully deleted from the CarbonBlack Response server.
The following image displays a sample output:
Operation: Run Query
Parameter | Description |
---|---|
Query Type | Type of query that you want to run on the CarbonBlack Response server. You can choose from the following options: Process or Binary. |
CarbonBlack Query | Query to be run on the CarbonBlack Response server. |
Start Record From | (Optional) Returns the result retrieved from the CarbonBlack Response server from the specified number. The default is set to 0. |
Number of Records | (Optional) Number of records that you want this operation to return. The default is set to 10. |
The JSON output depends on the query that you run on the CarbonBlack Response server. For example, if you run the query "process_name:win *.exe" with query_type set to "process", the JSON output contains a list of processes with details of each process such as sensor id, process pid, hostname, md5, and parent name.
The following image displays a sample output:
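Two of the operations described above deserve care in a playbook: Isolate Sensor by Process Name or Filehash (which can match many hosts at once) and Run Query, whose results must be paged with Start Record From and Number of Records. The Python below is an added example, not the connector's or Carbon Black's own code; it assumes the CarbonBlack Response REST API v1 paths /api/v1/process, /api/v1/binary and /api/v1/sensor and the sensor field network_isolation_enabled, enforces the MD5-only rule the hash operations state, and runs offline against a constructed in-memory stand-in for the server.

```python
import re
from typing import Any, Callable, Dict, Iterator, List

# Assumption: CarbonBlack Response REST API v1 paths for process/binary search
# and the sensor resource; check them against your server's API documentation.
SEARCH_PATHS = {"process": "/api/v1/process", "binary": "/api/v1/binary"}
SENSOR_PATH = "/api/v1/sensor"
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
# A transport is any callable (method, path, params, body) -> parsed JSON. A real
# one sends the X-Auth-Token header over verified TLS; the fake below runs offline.
Transport = Callable[[str, str, Dict[str, Any], Any], Any]

def validate_md5(value: str) -> str:
    """Block Hash, Unblock Hash, Get File Information and Hunt File accept MD5 only."""
    value = value.strip()
    if not MD5_RE.fullmatch(value):
        raise ValueError(f"Filehash must be a 32-hex-digit MD5, got {value!r}")
    return value.lower()

def search(transport: Transport, query_type: str, query: str,
           start: int = 0, rows: int = 10) -> Dict[str, Any]:
    """One page of Run Query (connector defaults: Start Record From 0, 10 records)."""
    if query_type not in SEARCH_PATHS:
        raise ValueError(f"query_type must be one of {sorted(SEARCH_PATHS)}")
    return transport("GET", SEARCH_PATHS[query_type],
                     {"q": query, "start": start, "rows": rows}, None)

def iter_search(transport: Transport, query_type: str, query: str,
                page_size: int = 10) -> Iterator[Dict[str, Any]]:
    """Advance Start Record From page by page until total_results is exhausted."""
    start = 0
    while True:
        page = search(transport, query_type, query, start, page_size)
        results = page.get("results", [])
        yield from results
        start += len(results)
        if not results or start >= page.get("total_results", 0):
            return

def resolve_sensor_ids(transport: Transport, input_type: str, value: str) -> List[int]:
    """Map an Isolate Sensor / Remove Isolation Input Type and Value to sensor IDs."""
    if input_type in ("Hostname", "IP Address"):
        key = "hostname" if input_type == "Hostname" else "ip"
        return sorted({s["id"] for s in transport("GET", SENSOR_PATH, {key: value}, None)})
    if input_type == "Process Name":
        query = f"process_name:{value}"
    elif input_type == "Filehash":
        query = f"md5:{validate_md5(value)}"
    else:
        raise ValueError(f"unsupported Input Type {input_type!r}")
    return sorted({h["sensor_id"] for h in iter_search(transport, "process", query)})

def set_isolation(transport: Transport, sensor_ids: List[int], isolate: bool,
                  max_sensors: int = 5) -> List[int]:
    """Isolate (or un-isolate) sensors. Process Name and Filehash can match many
    hosts, so a bulk isolation larger than max_sensors is refused until confirmed."""
    if isolate and len(sensor_ids) > max_sensors:
        raise RuntimeError(f"{len(sensor_ids)} sensors matched; raise max_sensors to confirm")
    done = []
    for sid in sensor_ids:
        sensor = transport("GET", f"{SENSOR_PATH}/{sid}", {}, None)
        sensor["network_isolation_enabled"] = isolate  # assumed API v1 field name
        transport("PUT", f"{SENSOR_PATH}/{sid}", {}, sensor)
        done.append(sid)
    return done

# Constructed sample data standing in for the server (not real telemetry).
PROCESSES = [dict(zip(("sensor_id", "process_pid", "hostname", "process_name",
                       "process_md5", "parent_name"), row)) for row in (
    (1, 412, "WS-01", "winword.exe", "0" * 32, "explorer.exe"),
    (2, 9001, "WS-02", "winword.exe", "0" * 32, "cmd.exe"),
    (3, 77, "SRV-01", "svchost.exe", "1" * 32, "services.exe"))]
SENSORS = [{"id": i, "computer_name": n, "network_isolation_enabled": False}
           for i, n in ((1, "WS-01"), (2, "WS-02"), (3, "SRV-01"))]
FIELDS = {"process_name": "process_name", "md5": "process_md5"}  # query field -> key

def make_fake_transport(processes=PROCESSES, sensors=SENSORS) -> Transport:
    """In-memory transport answering in the shapes the functions above assume."""
    state = {s["id"]: dict(s) for s in sensors}
    def transport(method, path, params, body):
        if path in SEARCH_PATHS.values():
            field, _, term = params["q"].partition(":")
            hits = [p for p in processes if p.get(FIELDS.get(field)) == term]
            start, rows = params["start"], params["rows"]
            return {"total_results": len(hits), "results": hits[start:start + rows]}
        if path == SENSOR_PATH:  # hostname filter only; IP lookup is not simulated
            return [s for s in state.values() if s["computer_name"] == params.get("hostname")]
        sid = int(path.rsplit("/", 1)[1])
        if method == "PUT":
            state[sid] = dict(body)
        return dict(state[sid])
    transport.state = state  # exposed so callers can inspect isolation flags
    return transport
```

Swapping make_fake_transport for a real HTTPS client that sends the X-Auth-Token header turns the same functions into a playbook-equivalent isolation and search workflow, with the max_sensors guard standing in for an analyst approval step.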
Operation: Search Alerts
Parameter | Description |
---|---|
CarbonBlack Query | Query to be run on the CarbonBlack Response server based on which you want to retrieve alerts from the CarbonBlack Response server. |
Status | Status of the alert that you are searching for on the CarbonBlack Response server. You can select from the following options: All, In Progress, Unresolved, Resolved, and False Positive. |
Sort By | Sort the results retrieved from the CarbonBlack Response server based on this option. You can choose from the following options: Severity, Most Recent, Least Recent, Alert Name Ascending or Alert Name Descending. |
Start Record From | (Optional) Returns the result retrieved from the CarbonBlack Response server from the specified number. The default is set to 0. |
Number of Records | (Optional) Number of records that you want this operation to return. The default is set to 10. |
The JSON output contains details of the alerts, such as unique id, md5, watchlist name, alert type, status, and observed host, retrieved from the CarbonBlack Response server based on the input parameters you have specified.
The following image displays a sample output:
Operation: Update Alert
Parameter | Description |
---|---|
Unique ID | Unique ID of the alert whose status you want to update on the CarbonBlack Response server. |
Status | Status to which you want the specified alert to be updated on the CarbonBlack Response server. You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved. |
The JSON output contains a Success message if the status of the specified alert is successfully updated on the CarbonBlack Response server.
The following image displays a sample output:
Operation: Bulk Update Alerts
Parameter | Description |
---|---|
Alert IDs | Comma-separated list of unique IDs of alerts whose status you want to update on the CarbonBlack Response server. |
Status | Status to which you want the specified alerts to be updated on the CarbonBlack Response server. You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved. |
The JSON output contains a Success message if the status of all the specified alerts is successfully updated on the CarbonBlack Response server.
The following image displays a sample output:
Operation: Get Watchlist
Parameter | Description |
---|---|
Watchlist ID | Unique ID of the watchlist whose details you want to retrieve from the CarbonBlack Response server. Note: If you do not specify any watchlist ID, then this operation will retrieve a list of all available watchlists from the CarbonBlack Response server. |
The JSON output contains a list of all watchlists along with their details, or the details of the specific watchlist (if you have specified the watchlist ID), retrieved from the CarbonBlack Response server.
The following image displays a sample output:
The Sample - CarbonBlack-Response - 2.0.0 playbook collection comes bundled with the CarbonBlack Response connector. This playbook collection contains steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CarbonBlack Response connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
CarbonBlack Response captures information about events and data records for every endpoint and offers you the ability to respond and remediate attacks in real time, stopping active attacks and repairing the damage quickly.
This document provides information about the CarbonBlack Response connector, which facilitates automated interactions, with a CarbonBlack Response server using FortiSOAR™ playbooks. Add the CarbonBlack Response connector as a step in FortiSOAR™ playbooks and perform automated operations, such as isolating endpoints, getting information about files, and automatically getting details of a process running on an endpoint and blocking a particular MD5 hash, which provides you the ability to investigate and contain a file-based incident in a fully automated manner.
Connector Version: 2.0.0
Compatibility with FortiSOAR™ Versions: 4.10.3-161 and later
Compatibility with CarbonBlack Response Versions: 6.0 and later
Following enhancements have been made to the CarbonBlack Response in version 2.0.0:
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the CarbonBlack Response connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | IP address or Hostname URL of the CarbonBlack Response server to which you will connect and perform the automated operations. If you do not specify the http or https protocol in this field, then by default the https protocol is used. |
API Key | API key that is configured for your account to access the CarbonBlack Response REST API. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True . |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Sensor(s) Information | Retrieves details about all sensors (endpoints) or specific sensor(s) from the CarbonBlack Response server, based on the input parameters you have specified. | get_endpoint_info Investigation |
Isolate Sensor | Isolates sensor(s) on the CarbonBlack Response server based on Hostname, IP Address, Process Name or Filehas(MD5) you have specified. | isolate_endpoint Containment |
Remove Isolation | Removes isolation on sensor(s) from the CarbonBlack Response server based on Hostname, IP Address, Process Name or Filehas(MD5) you have specified. | unisolate_endpoint Remediation |
Get All Processes | Retrieves a list of all running processes along with its details from the CarbonBlack Response server, based on the sensor details you have specified. | get_processes Investigation |
Get Process Connections | Retrieves a list of connections for a specific sensor and process from the CarbonBlack Response server, based on the sensor and process details you have specified. | get_network_connections Investigation |
Terminate Process | Terminates a process running on an endpoint on the CarbonBlack Response server, based on the sensor and process details you have specified. | terminate_process Investigation |
Get File Information | Retrieves information about a file from the CarbonBlack Response server, based on the filehash you have specified. | get_file_info Investigation |
Hunt File | Hunts for a file retrieves details for that file from the CarbonBlack Response server, based on the file type and filehash you have specified. | hunt_file Investigation |
Get All Block Hashes | Retrieves a list of all blacklisted filehashes and their details from the CarbonBlack Response server. | get_hash_blacklist Investigation |
Block Hash | Blocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. | block_hash Containment |
Unblock Hash | Unblocks a particular file on the CarbonBlack Response server, based on the filehash (MD5 only) you have specified. | unblock_hash Remediation |
Delete File | Deletes a particular file from the CarbonBlack Response server, based on the sensor details and file path you have specified. | delete_file Containment |
Run Query | Runs a search query on the endpoint to retrieve the information of binary or process from the CarbonBlack Response server. | run_advance_search Investigation |
Search Alerts | Searches for alerts on the CarbonBlack Response server, based on the search query you have specified. | search_alert Investigation |
Update Alert | Updates the status of an alert on the CarbonBlack Response server, based on the input parameters you have specified. | update_alert Investigation |
Bulk Update Alerts | Updates the status of multiple alerts on the CarbonBlack Response server, based on the input parameters you have specified. | update_alert Investigation |
Get Watchlist | Retrieves a list along with its details for all watchlists or specific watchlist (if you have specified the watchlist ID) from the CarbonBlack Response server. | get_watchlist Investigation |
Parameter | Description |
---|---|
Filter Options | Options based on which the results retrieved from the CarbonBlack Response server will be filtered. You can choose from the following options: All: Retrieves a list along with the details of all sensors from the CarbonBlack Response server. Hostname: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the hostname you specify. IP Address: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the IP address you specify. Sensor ID: Retrieves a list along with the details of all sensors from the CarbonBlack Response server that match the Sensor ID you specify. |
Value | Specify the value of the filter option you have selected. If you have selected All do not add any input to this field. For example if you select IP Address, then enter the IP address based on which you want to filter the sensor results retrieved from the CarbonBlack Response servers. |
The JSON output contains the details about all sensors or specific sensor(s) retrieved from the CarbonBlack Response server, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Input Type | Options based on which you want to isolate a sensor on the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host that you want to isolate on the CarbonBlack Response server. IP Address: Single IPv4 address of the host that you want to isolate on the CarbonBlack Response server. Process Name: Isolate all sensors on the CarbonBlack Response server on which the specified process name exists. Filehash: Isolate all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists. |
Value | Specify the value of the input type you have selected. For example, if you select IP Address, then enter the IPv4 address of the host that you want to isolate on the CarbonBlack Response server. |
The JSON output contains a list of isolated sensor(s) which are successfully isolated on the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Input Type | Options based on which you want to remove the isolation on sensor(s) from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host whose isolation you want to remove from the CarbonBlack Response server. IP Address: Single IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server. Process Name: Remove isolation for all sensors on the CarbonBlack Response server on which the specified process name exists. Filehash: Remove isolation for all sensors on the CarbonBlack Response server on which the specified filehash (MD5) exists. |
Value | Specify the value of the input type you have selected. For example, if you select IP Address, then enter the IPv4 address of the host whose isolation you want to remove from the CarbonBlack Response server. |
The JSON output contains a list of sensor(s) whose isolation is successfully removed from the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Sensor Details | Options based on which you want to retrieve running process information from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host for which you want to retrieve process information from the CarbonBlack Response server. IP Address: Single IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server. Sensor ID: ID of the sensor for which you want to retrieve process information from the CarbonBlack Response server. |
Value | Specify the value of the sensor details you have selected. For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process information from the CarbonBlack Response server. |
The JSON output contains a list and details of all running processes on the specified sensor retrieved from the CarbonBlack Response server. The details of running processes include information such as process guid, parent, command line, created time, and username.
Following image displays a sample output:
Parameter | Description |
---|---|
Sensor Details | Options based on which you want to specify the endpoint for which you want to retrieve process connection information from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host for which you want to retrieve process connections information from the CarbonBlack Response server. IP Address: Single IPv4 address of the host for which you want to retrieve process connections information from the CarbonBlack Response server. |
Value | Specify the value of the sensor details you have selected. For example, if you select IP Address, then enter the IPv4 address of the host for which you want to retrieve process connections information from the CarbonBlack Response server |
Process Details | Options based on which you want to specify the process for which you want to retrieve process connection information from the CarbonBlack Response server. You can choose from the following options: Process Name: Name of the process for which you want to retrieve process connections information from the CarbonBlack Response server. Process ID: ID of the process for which you want to retrieve process connections information from the CarbonBlack Response server. |
Value | Specify the value of the process details you have selected. For example, if you select Process Name, then enter the name of the process for which you want to get network connections from the CarbonBlack Response server. |
The JSON output contains a list of network connections for a specific process running on the specified sensor retrieved from the CarbonBlack Response server. The details of the process include information such as direction, carbon black process id, pid, domain ,port, ip address, and process name.
Following image displays a sample output:
Parameter | Description |
---|---|
Sensor Details | Options based on which you want to specify the endpoint on which you want to terminate the process on the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host for which you want to terminate the process on the CarbonBlack Response server. IP Address: Single IPv4 address of the host for which you want to terminate the process on the CarbonBlack Response server. |
Value | Specify the value of the sensor details you have selected. For example if you select IP Address, then enter the IPv4 address of the host for which you want to terminate the process on the CarbonBlack Response server |
Process Details | Options based on which you want to specify which process you want to terminate on the CarbonBlack Response server. You can choose from the following options: Process Name: Name of the process that you want to terminate on the CarbonBlack Response server. Process ID: ID of the process that you want to terminate on the CarbonBlack Response server. |
Value | Specify the value of the process details you have selected. For example, if you select Process Name, then enter the name of the process that you want to terminate on the CarbonBlack Response server. |
The JSON output contains a list of the process IDs that were terminated on the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash | Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server. |
Note: To get a result for this operation, you must provide inputs only in the form of process and binary MD5 hash values.
The JSON output contains information such as last seen, host count, timestamp, and product version for the specified file, retrieved from the CarbonBlack Response server based on the filehash value you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
File Type | Type of file you want to hunt for on the CarbonBlack Response server. You can choose from the following options: Process or Binary. |
Filehash | Filehash value (MD5 hash value only) for the file for which you want to retrieve information from the CarbonBlack Response server. |
Start Record From | (Optional) Returns the result retrieved from the CarbonBlack Response server from the specified number. The default is set to 0. |
Number of Records | (Optional) Number of records that you want this operation to return. The default is set to 10. |
The JSON output contains information such as sensor id, hostname, process id, and path of the file, retrieved from the CarbonBlack Response server, based on the file type and filehash value you have specified.
Following image displays a sample output:
None
A JSON output contains a list of all blacklisted filehashes and their details retrieved from the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash | Filehash value (MD5 hash value only) for the file that you want to block on the CarbonBlack Response server. |
The JSON output contains a Success message if the specified MD5 value is successfully blocked across the endpoints on the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash | Filehash value (MD5 hash value only) for the file that you want to unblock on the CarbonBlack Response server. |
The JSON output contains a Success message if the specified MD5 value is successfully unblocked across the endpoints on the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Input Type | Options based on which you want to delete a file from the CarbonBlack Response server. You can choose from the following options: Hostname: Name of the host on which you want to delete a file from the CarbonBlack Response server. IP Address: Single IPv4 address of the host on which you want to delete a file from the CarbonBlack Response server. Sensor ID: ID of the sensor on which you want to delete a file from the CarbonBlack Response server. |
Value | Specify the value of the input type you have selected. For example, if you select IP Address, then enter the IPv4 address of the host on which you want to delete a file from the CarbonBlack Response server. |
File Path | Full path of the file that you want to delete from the CarbonBlack Response server. |
The JSON output contains a Success message if the specified file is successfully deleted from the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Query Type | Type of query that you want to run on the CarbonBlack Response server. You can choose from the following options: Process or Binary. |
CarbonBlack Query | Query to be run on the CarbonBlack Response server. |
Start Record From | (Optional) Returns the result retrieved from the CarbonBlack Response server from the specified number. The default is set to 0. |
Number of Records | (Optional) Number of records that you want this operation to return. The default is set to 10. |
The JSON output depends on the query that you run on the CarbonBlack Response server.
For example, if you run the query `query = "process_name:win *.exe"` with `query_type = "process"`, then the JSON output will contain a list of the matching processes and details of each process such as sensor id, process pid, hostname, md5, and parent name.
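The query operation above is paged with Start Record From (default 0) and Number of Records (default 10), and the hash operations earlier on this page accept MD5 values only. The following added example (not the connector's own code) validates those two inputs and walks every page of a process search against a constructed sample result set; the request field names, the `results`/`total_results` response shape and the sample records are assumptions, not the connector's API.

```python
import re

# Values allowed for the Query Type parameter (page: "Process or Binary").
QUERY_TYPES = ("process", "binary")
# Defaults documented for Start Record From and Number of Records.
DEFAULT_START, DEFAULT_ROWS = 0, 10
# Block Hash, Unblock Hash and Get File Info accept MD5 values only: 32 hex digits.
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

def is_md5(value):
    """Reject anything that is not an MD5 digest (e.g. a SHA-1 or SHA-256 pasted by mistake)."""
    return bool(_MD5_RE.match(value.strip()))

def build_query_params(query, query_type, start=DEFAULT_START, rows=DEFAULT_ROWS):
    """Map Run Query inputs onto a paging request; the field names here are assumed, not the connector's."""
    if query_type not in QUERY_TYPES:
        raise ValueError(f"query_type must be one of {QUERY_TYPES}, got {query_type!r}")
    if start < 0 or rows <= 0:
        raise ValueError("start must be >= 0 and rows must be > 0")
    return {"q": query, "type": query_type, "start": start, "rows": rows}

def iter_results(fetch, query, query_type, rows=DEFAULT_ROWS):
    """Walk a paged search; fetch(params) -> {"results": [...], "total_results": N} (assumed shape)."""
    start = DEFAULT_START
    while True:
        page = fetch(build_query_params(query, query_type, start, rows))
        results = page.get("results", [])
        yield from results
        start += len(results)
        if not results or start >= int(page.get("total_results", 0)):
            break

def md5s_by_host(fetch, query, query_type, rows=DEFAULT_ROWS):
    """Group the MD5s seen per hostname across all pages, for triage before any hash action."""
    seen = {}
    for r in iter_results(fetch, query, query_type, rows):
        seen.setdefault(r["hostname"], set()).add(r["process_md5"])
    return {host: sorted(md5s) for host, md5s in seen.items()}

def _row(sid, pid, host, md5, parent):  # constructed record using the fields the page lists
    return {"sensor_id": sid, "process_pid": pid, "hostname": host, "process_md5": md5, "parent_name": parent}

# Constructed sample of what query = "process_name:win *.exe", query_type = "process" might return.
SAMPLE_RESULTS = [_row(3, 1204, "WS-01", "a" * 32, "explorer.exe"), _row(3, 1388, "WS-01", "b" * 32, "services.exe"),
                  _row(7, 512, "WS-02", "a" * 32, "explorer.exe"), _row(7, 2044, "WS-02", "c" * 32, "svchost.exe"),
                  _row(9, 88, "SRV-01", "b" * 32, "wininit.exe")]

def fake_fetch(params):
    """Stand-in for the server: serves SAMPLE_RESULTS in slices of `rows` starting at `start`."""
    start, rows = int(params["start"]), int(params["rows"])
    return {"results": SAMPLE_RESULTS[start:start + rows], "total_results": len(SAMPLE_RESULTS)}
```

Running `md5s_by_host(fake_fetch, "process_name:win *.exe", "process", rows=2)` fetches three pages (2, 2 and 1 records) and returns the MD5s grouped per host, which is the view an analyst wants before deciding whether a hash belongs on the blacklist.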
Following image displays a sample output:
Parameter | Description |
---|---|
CarbonBlack Query | Query to be run on the CarbonBlack Response server based on which you want to retrieve alerts from the CarbonBlack Response server. |
Status | Status of the alert that you are searching for on the CarbonBlack Response server. You can select from the following options: All, In Progress, Unresolved, Resolved, and False Positive. |
Sort By | Sort the results retrieved from the CarbonBlack Response server based on this option. You can choose from the following options: Severity, Most Recent, Least Recent, Alert Name Ascending or Alert Name Descending. |
Start Record From | (Optional) Returns the result retrieved from the CarbonBlack Response server from the specified number. The default is set to 0. |
Number of Records | (Optional) Number of records that you want this operation to return. The default is set to 10. |
The JSON output contains details of the alerts such as unique id, md5, watchlist name, alert type, status, or observed host retrieved from the CarbonBlack Response server, based on the input parameters you have specified.
Following image displays a sample output:
Parameter | Description |
---|---|
Unique ID | Unique ID of the alert whose status you want to update on the CarbonBlack Response server. |
Status | Status to which you want the specified alert to be updated on the CarbonBlack Response server. You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved. |
The JSON output contains a Success message if the status of the specified alert is successfully updated on the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Alert IDs | Comma-separated list of unique IDs of alerts whose status you want to update on the CarbonBlack Response server. |
Status | Status to which you want the specified alerts to be updated on the CarbonBlack Response server. You can choose from the following options: Resolved, In Progress, False Positive, or Unresolved. |
The JSON output contains a Success message if the status of all the specified alerts is successfully updated on the CarbonBlack Response server.
Following image displays a sample output:
Parameter | Description |
---|---|
Watchlist ID | Unique ID of the watchlist whose details you want to retrieve from the CarbonBlack Response server. Note: If you do not specify any watchlist ID, then this operation will retrieve a list of all available watchlists from the CarbonBlack Response server. |
The JSON output contains a list, along with details, of all watchlists or of the specific watchlist (if you have specified the watchlist ID), retrieved from the CarbonBlack Response server.
Following image displays a sample output:
The Sample - CarbonBlack-Response - 2.0.0 playbook collection comes bundled with the CarbonBlack Response connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CarbonBlack Response connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.