Guides

Here we’ve listed a collection of tutorials, recorded demonstrations and other resources we think will be useful to get the most out of the Carbon Black Cloud Python SDK.

Audience for These Guides

In general, and unless otherwise indicated, these guides are directed at those that:

• Have a working knowledge of Python.

• Have a basic understanding of what the Carbon Black Cloud does, and its basic terminology such as events, alerts, and watchlists.

• Need information to update to new versions of the SDK when enhanced features are released.

Certain guides may be more geared towards audiences with more experience with the Carbon Black Cloud, such as administrators.

Information about updating to new versions of the SDK to take advantage of new features in Carbon Black Cloud are in Migration Guides.

Feature Guides

• Searching
  • Creating a Query Object
  • Refining a Query
  • Executing a Query
  • Faceting
  • Query Timeouts
  • Search Suggestions
• Alerts
  • Resources
  • Retrieve Alerts
  • Retrieving Alerts for Multiple Organizations
  • Grouping Alerts
  • Retrieving Observations to Provide Context About an Alert
  • Retrieving Processes to Provide Context About an Alert
  • Device Control Alerts
  • Container Runtime Alerts
  • High Volume and Streaming Solution for Alerts
• Asset Groups
  • Resources
  • Retrieve Asset Groups
  • Create an Asset Group
  • Delete an Asset Group
  • Preview Policy Rank Changes
  • Preview Asset Group Changes
• Audit Log Events
  • API Permissions
  • Example of API Usage
• Developing New Credential Providers
  • Writing the Credential Provider
  • Using the Credential Provider
  • Credential Provider Reference
• Devices
  • Searching for Devices
  • Device Actions
• Device Control
  • Retrieving the List of Known USB Devices
  • Approving A Specific Device
  • Removing A Device’s Approval
  • Retrieving the List of Approvals
  • Device Control Alerts
• Differential Analysis
  • Overview
  • Query Comparison
• Live Query
  • Overview
  • Setting up
  • Start a Query Run
  • Check status
  • Get the results
  • Export results
  • Scroll results
  • Clean up
  • Scheduled runs (templates)
• Live Response
  • Establish A Session With A Device
  • File Commands
  • Process Commands
  • Additional Resources
• Policy
• Recommendations
  • Getting the List of Recommendations
  • Recommendations Workflow
  • Recommendations and Reputation Overrides
• Reputation Override
  • Creating a Reputation Override
  • Retrieving existing Reputation Overrides
  • Deleting a Reputation Override
• Unified Binary Store
  • Get Download URL
  • Get Download URL Valid For Specific Period
  • Searching Binaries
• Users and Grants
  • Audience for This Guide
  • Uniform Resource Names (URNs)
  • Getting a List of Users
  • Modifying a User
  • Creating a New User
  • User Access Grants
• Vulnerabilities
  • Retrieving Vulnerabilities
  • Retrieving Vulnerability Details
  • Retrieving Affected Assets for a Vulnerability
• Watchlists, Feeds, Reports, and IOCs
  • About the Objects
  • Setting Up a Basic Custom Watchlist
  • A Closer Look at IOCs
  • Feeds
  • Limitations of Reports and Watchlists
• Workloads
  • Search Compute Resources
  • Fetch Compute Resource by ID
  • Facet Compute Resources
  • Download Compute Resource Listings
  • Summarize Compute Resources
  • Interactive example script featuring Workloads Search

• Searching - Most operations in the SDK will require you to search for objects.

• Alerts - Work and manage different types of alerts such as CB Analytics Alert, Watchlist Alerts and Device Control Alerts.

• Asset Groups - Create and modify Asset Groups, and preview the impact changes to policy ranking or asset group definition will have.

• Alert Migration - Update from SDK 1.4.3 or earlier to SDK 1.5.0 or later to get the benefits of the Alerts v7 API.

• Audit Log Events - Retrieve audit log events indicating various “system” events.

• Devices - Search for, get information about, and act on endpoints.

• Device Control - Control the blocking of USB devices on endpoints.

• Differential Analysis - Provides the ability to compare and understand the changes between two Live Query runs

• Live Query - Live Query allows operators to ask questions of endpoints

• Live Response - Live Response allows security operators to collect information and take action on remote endpoints in real time.

• Notifications to Alerts Migration - Update from Notifications to Alerts in SDK 1.5.0 or later to get the benefits of the Alerts v7 API.

• Policy - Use policies to define and prioritize rules for how applications can behave on groups of assets

• Recommendations - Work with Endpoint Standard recommendations for reputation override.

• Reputation Override - Manage reputation overrides for known applications, IT tools or certs.

• Unified Binary Store - The unified binary store (UBS) is responsible for storing all binaries and corresponding metadata for those binaries.

• Users and Grants - Work with users and access grants.

• Vulnerabilities - View asset (Endpoint or Workload) vulnerabilities to increase security visibility.

• Watchlists, Feeds, Reports, and IOCs - Work with Enterprise EDR watchlists, feeds, reports, and Indicators of Compromise (IOCs).

• Workloads - Advanced protection purpose-built for securing modern workloads to reduce the attack surface and strengthen security posture.

Migration Guides

• Alert Migration
  • Resources
  • Overview
  • New Features
  • Breaking Changes
  • Backwards Compatibility
• Migration Guide For Live Response From v3 To v6
  • Overview
  • Access Permissions
  • Changes in the routes and response codes
  • Changes in some of the request/response fields
  • Additional Information
• Notifications to Alerts Migration
  • Resources
  • How to Update the SDK Usage
• Porting Applications from CBAPI to Carbon Black Cloud SDK
  • Overview
  • Package Name Changes
  • Folder Structure Changes
  • Function Changes