Endpoint Standard

Submodules

cbc_sdk.endpoint_standard.base module

Model and Query Classes for Endpoint Standard

class Device(cb, model_unique_id, initial_data=None)

Bases: cbc_sdk.endpoint_standard.base.EndpointStandardMutableModel

Represents a Device object in the Carbon Black server.

Initialize a Device object with model_unique_id and initial_data.

activationCode = None
activationCodeExpiryTime = datetime.datetime(1970, 1, 1, 0, 0)
assignedToId = None
assignedToName = None
avEngine = None
avLastScanTime = datetime.datetime(1970, 1, 1, 0, 0)
avMaster = None
avStatus = []
avUpdateServers = []
createTime = datetime.datetime(1970, 1, 1, 0, 0)
deregisteredTime = datetime.datetime(1970, 1, 1, 0, 0)
deviceGuid = None
deviceId = None
deviceOwnerId = None
deviceSessionId = None
deviceType = None
email = None
firstName = None
firstVirusActivityTime = datetime.datetime(1970, 1, 1, 0, 0)
info_key = 'deviceInfo'
lastContact = datetime.datetime(1970, 1, 1, 0, 0)
lastExternalIpAddress = None
lastInternalIpAddress = None
lastLocation = None
lastName = None
lastReportedTime = datetime.datetime(1970, 1, 1, 0, 0)
lastResetTime = datetime.datetime(1970, 1, 1, 0, 0)
lastShutdownTime = datetime.datetime(1970, 1, 1, 0, 0)
lastVirusActivityTime = datetime.datetime(1970, 1, 1, 0, 0)
linuxKernelVersion = None
lr_session()

Retrieve a Live Response session object for this Device.

Returns:Live Response session object.
Return type:LiveResponseSession
Raises:ApiError – If there is an error establishing a Live Response session for this Device.
messages = []
middleName = None
name = None
organizationId = None
organizationName = None
osVersion = None
passiveMode = None
policyId = None
policyName = None
primary_key = 'deviceId'
quarantined = None
registeredTime = datetime.datetime(1970, 1, 1, 0, 0)
rootedByAnalytics = None
rootedByAnalyticsTime = datetime.datetime(1970, 1, 1, 0, 0)
rootedBySensor = None
rootedBySensorTime = datetime.datetime(1970, 1, 1, 0, 0)
scanLastActionTime = datetime.datetime(1970, 1, 1, 0, 0)
scanLastCompleteTime = datetime.datetime(1970, 1, 1, 0, 0)
scanStatus = None
sensorStates = []
sensorVersion = None
status = None
targetPriorityType = None
testId = None
uninstalledTime = datetime.datetime(1970, 1, 1, 0, 0)
urlobject = '/integrationServices/v3/device'
urlobject_single = '/integrationServices/v3/device/{}'
vdiBaseDevice = None
windowsPlatform = None
class EndpointStandardMutableModel(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Bases: cbc_sdk.base.MutableBaseModel

Represents an EndpointStandardMutableModel object in the Carbon Black server.

Initialize an EndpointStandardMutableModel with model_unique_id and initial_data.

class EnrichedEvent(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=True)

Bases: cbc_sdk.base.UnrefreshableModel

Represents an EnrichedEvent object in the Carbon Black server.

Initialize the EnrichedEvent object.

Parameters:
  • cb (CBCloudAPI) – A reference to the CBCloudAPI object.
  • model_unique_id (Any) – The unique ID for this particular instance of the model object.
  • initial_data (dict) – The data to use when initializing the model object.
  • force_init (bool) – True to force object initialization.
  • full_doc (bool) – True to mark the object as fully initialized.
default_sort = 'device_timestamp'
get_details(timeout=0, async_mode=False)

Requests detailed results.

Parameters:
  • timeout (int) – Event details request timeout in milliseconds.
  • async_mode (bool) – True to request details in an asynchronous manner.

Note

  • When using asynchronous mode, this method returns a python future. You can call result() on the future object to wait for completion and get the results.
primary_key = 'event_id'
class EnrichedEventFacet(cb, model_unique_id, initial_data)

Bases: cbc_sdk.base.UnrefreshableModel

Represents an EnrichedEventFacet object in the Carbon Black server.

Variables:
  • job_id – The Job ID assigned to this query
  • terms – Contains the Enriched Event Facet search results
  • ranges – Groupings for search result properties that are ISO 8601 timestamps or numbers
  • contacted – The number of searchers contacted for this query
  • completed – The number of searchers that have reported their results

Initialize the EnrichedEventFacet object with initial data.

class Ranges(cb, initial_data)

Bases: cbc_sdk.base.UnrefreshableModel

Represents a Ranges object in the Carbon Black server.

Initialize an EnrichedEventFacet Ranges object with initial_data.

facets

Returns the ranges' facets for this result.

fields

Returns the ranges fields for this result.

class Terms(cb, initial_data)

Bases: cbc_sdk.base.UnrefreshableModel

Represents a Terms object in the Carbon Black server.

Initialize an EnrichedEventFacet Terms object with initial_data.

facets

Returns the terms’ facets for this result.

fields

Returns the terms facets’ fields for this result.

completed = None
contacted = None
job_id = None
num_found = None
primary_key = 'job_id'
ranges = []
ranges_

Returns the reified EnrichedEventFacet.Ranges for this result.

result_url = '/api/investigate/v2/orgs/{}/enriched_events/facet_jobs/{}/results'
submit_url = '/api/investigate/v2/orgs/{}/enriched_events/facet_jobs'
terms = {}
terms_

Returns the reified EnrichedEventFacet.Terms for this result.

class EnrichedEventQuery(doc_class, cb)

Bases: cbc_sdk.endpoint_standard.base.Query, cbc_sdk.base.AsyncQueryMixin

Represents the query logic for an Enriched Event query.

This class specializes Query to handle the particulars of enriched events querying.

Initialize the EnrichedEventQuery object.

Parameters:
  • doc_class (class) – The class of the model this query returns.
  • cb (CBCloudAPI) – A reference to the CBCloudAPI object.
aggregation(field)

Performs an aggregation search where results are grouped by an aggregation field

Parameters:field (str) – The aggregation field, either ‘process_sha256’ or ‘device_id’
or_(**kwargs)

or_() criteria are explicitly supported for EnrichedEvent queries, even though they are Endpoint Standard queries (whose base Query class does not support or_()).

This method overrides the base class in order to provide or_() functionality rather than raising an exception.

set_rows(rows)

Sets the ‘rows’ query body parameter to the ‘start search’ API call, determining how many rows to request.

Parameters:rows (int) – How many rows to request.
set_time_range(start=None, end=None, window=None)

Sets the ‘time_range’ query body parameter, determining a time window based on ‘device_timestamp’.

Parameters:
  • start (str in ISO 8601 timestamp) – When to start the result search.
  • end (str in ISO 8601 timestamp) – When to end the result search.
  • window (str) – Time window to execute the result search, ending on the current time. Should be in the form “-2w”, where y=year, w=week, d=day, h=hour, m=minute, s=second.

Note

  • window will take precedence over start and end if provided.

Examples

query = api.select(EnrichedEvent).set_time_range(start="2020-10-20T20:34:07Z")
second_query = api.select(EnrichedEvent).set_time_range(start="2020-10-20T20:34:07Z", end="2020-10-30T20:34:07Z")
third_query = api.select(EnrichedEvent).set_time_range(window="-3d")
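The three calls above pass start, end and window straight through to the API. The following is an added example (not part of cbc_sdk) that validates those arguments client-side first: it checks the "-<n><unit>" window syntax, applies the documented rule that window takes precedence over start/end, normalises timestamps to the UTC "Z" form the examples use, and rejects a naive datetime or a reversed range. The 365-day value for the "y" unit is this example's assumption; the page only lists the unit letters.

```python
# Added example (not cbc_sdk code): validate EnrichedEventQuery.set_time_range()
# arguments before building the query.
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Union

_WINDOW_RE = re.compile(r"^-(\d+)([ywdhms])$")
# Seconds per unit. Treating 'y' as 365 days is an assumption of this example;
# the documentation lists the unit letters but not how the server interprets a year.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "y": 365 * 86400}


def parse_window(window: str) -> timedelta:
    """Parse a relative window such as '-2w' or '-3d' into a timedelta, else raise ValueError."""
    m = _WINDOW_RE.match(window)
    if not m:
        raise ValueError(f"window must look like '-<n><y|w|d|h|m|s>', got {window!r}")
    count, unit = int(m.group(1)), m.group(2)
    if count == 0:
        raise ValueError("window must be non-zero")
    return timedelta(seconds=count * _UNIT_SECONDS[unit])


def to_iso8601(value: Union[str, datetime]) -> str:
    """Normalise a timezone-aware datetime or ISO 8601 string to 'YYYY-MM-DDTHH:MM:SSZ' (UTC)."""
    if isinstance(value, str):
        # datetime.fromisoformat() on Python < 3.11 rejects a trailing 'Z'; map it to +00:00.
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    else:
        parsed = value
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no timezone; use an explicit offset or UTC")
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def time_range_kwargs(start: Union[str, datetime, None] = None,
                      end: Union[str, datetime, None] = None,
                      window: Optional[str] = None) -> Dict[str, str]:
    """Return the keyword arguments to pass to set_time_range(), after validating them."""
    if window is not None:
        parse_window(window)  # fail fast on a malformed window
        # window overrides start/end per the documentation, so do not send them at all
        return {"window": window}
    if start is None and end is None:
        raise ValueError("provide window, or at least one of start/end")
    kwargs: Dict[str, str] = {}
    if start is not None:
        kwargs["start"] = to_iso8601(start)
    if end is not None:
        kwargs["end"] = to_iso8601(end)
    # fixed-width UTC strings compare correctly as plain strings
    if "start" in kwargs and "end" in kwargs and kwargs["start"] > kwargs["end"]:
        raise ValueError("start must not be after end")
    return kwargs


# Usage with the SDK (not executed here):
#   query = api.select(EnrichedEvent).set_time_range(**time_range_kwargs(window="-3d"))
```

Because window silently wins over start/end on the server side, the helper drops start/end entirely when a window is given, so the request body never carries arguments that are ignored.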

sort_by(key, direction='ASC')

Sets the sorting behavior on a query’s results.

Parameters:
  • key (str) – The key in the schema to sort by.
  • direction (str) – The sort order, either “ASC” or “DESC”.
Returns:

The query with sorting parameters.

Return type:

Query (EnrichedEventQuery)

Example:

>>> cb.select(EnrichedEvent).where(process_name="cmd.exe").sort_by("device_timestamp")

timeout(msecs)

Sets the timeout on an event query.

Parameters:msecs (int) – Timeout duration, in milliseconds.
Returns:The Query object with the new milliseconds parameter.
Return type:Query (EnrichedEventQuery)

Example:

>>> cb.select(EnrichedEvent).where(process_name="foo.exe").timeout(5000)

class Event(cb, model_unique_id, initial_data=None)

Bases: cbc_sdk.base.NewBaseModel

Represents an Event object in the Carbon Black server.

Initialize an Event with model_unique_id and initial_data.

info_key = 'eventInfo'
primary_key = 'eventId'
urlobject = '/integrationServices/v3/event'
class Policy(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Bases: cbc_sdk.endpoint_standard.base.EndpointStandardMutableModel, cbc_sdk.base.CreatableModelMixin

Represents a Policy object in the Carbon Black server.

Initialize a Policy object with model_unique_id and initial_data.

add_rule(new_rule)

Adds a rule to this Policy.

Parameters:new_rule (dict) – The new rule to add to this Policy, in the format described below.

Notes

  • The new rule must conform to this dictionary format:

    {"action": "ACTION", "application": {"type": "TYPE", "value": "VALUE"}, "operation": "OPERATION", "required": REQUIRED}

  • The dictionary keys have these possible values:

    "action": ["IGNORE", "ALLOW", "DENY", "TERMINATE_PROCESS", "TERMINATE_THREAD", "TERMINATE"]
    "type": ["NAME_PATH", "SIGNED_BY", "REPUTATION"]
    "value": Any string value to match on
    "operation": ["BYPASS_ALL", "INVOKE_SCRIPT", "INVOKE_SYSAPP", "POL_INVOKE_NOT_TRUSTED", "INVOKE_CMD_INTERPRETER", "RANSOM", "NETWORK", "PROCESS_ISOLATION", "CODE_INJECTION", "MEMORY_SCRAPE", "RUN_INMEMORY_CODE", "ESCALATE", "RUN"]
    "required": [True, False] (a boolean, not a string)

delete_rule(rule_id)

Deletes a rule from this Policy.

Parameters:rule_id – The ID of the rule to delete (see rules for the IDs of this Policy's rules).

description = None
id = None
info_key = 'policyInfo'
latestRevision = None
name = None
policy = {}
priorityLevel = None
replace_rule(rule_id, new_rule)

Replaces a rule in this Policy.

Parameters:
  • rule_id – The ID of the rule to replace.
  • new_rule (dict) – The replacement rule, in the same format as for add_rule().

rules

Returns a dictionary of rules and rule IDs for this Policy.

systemPolicy = None
urlobject = '/integrationServices/v3/policy'
version = None
class Query(doc_class, cb, query=None)

Bases: cbc_sdk.base.PaginatedQuery, cbc_sdk.platform.base.PlatformQueryBase, cbc_sdk.base.QueryBuilderSupportMixin, cbc_sdk.base.IterableQueryMixin

Represents a prepared query to the Cb Endpoint Standard server.

This object is returned as part of a CBCloudAPI.select operation on models requested from the Cb Endpoint Standard server. You should not have to create this class yourself.

The query is not executed on the server until it's accessed, either as an iterator (where it will generate values on demand as they're requested) or as a list (where it will retrieve the entire result set and save to a list). You can also call the Python built-in len() on this object to retrieve the total number of items matching the query.

Example:

>>> from cbc_sdk import CBCloudAPI
>>> cb = CBCloudAPI()

Notes

  • The slicing operator only supports start and end parameters, but not step. [1:-1] is legal, but [1:2:-1] is not.
  • You can chain where clauses together to create AND queries; only objects that match all where clauses will be returned.
  • Device queries with multiple search parameters only support AND operations, not OR. Calling Query.or_(myParameter='myValue') on an Endpoint Standard query raises ApiError (see or_() below); to get OR semantics, run one query per alternative and merge the results.

Initialize a Query object.

or_(**kwargs)

Unsupported. Will raise if called.

Raises:ApiError – .or_() cannot be called on Endpoint Standard queries.
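Since or_() raises on these queries, an OR over several values has to be assembled from AND-only queries. The following is an added example (not cbc_sdk code) that runs one where() query per clause and unions the results, deduplicating on the model's primary key so a device matched by two clauses is returned once. The where() parameter names used in the offline stand-in below are hypothetical; the real Endpoint Standard search parameter names are not listed on this page.

```python
# Added example (not cbc_sdk code): emulate OR over AND-only Endpoint Standard queries.
from typing import Any, Dict, Iterable, List


def _ident(item: Any, key: str) -> Any:
    """Read the primary key from a dict or from a model object (attribute access)."""
    return item[key] if isinstance(item, dict) else getattr(item, key)


def union_by_key(result_sets: Iterable[Iterable[Any]], key: str) -> List[Any]:
    """Union several result sets, keeping first-seen order and dropping duplicates by key."""
    seen = set()
    merged: List[Any] = []
    for results in result_sets:
        for item in results:
            ident = _ident(item, key)
            if ident in seen:
                continue
            seen.add(ident)
            merged.append(item)
    return merged


def or_query(cb: Any, model: Any, key: str, *clauses: Dict[str, Any]) -> List[Any]:
    """OR together several where() clauses against an AND-only query.

    Each clause is a dict of where() keyword arguments. cb.select(model).where(**clause)
    is built per clause and evaluated lazily, which is when the SDK's Query actually
    hits the server.
    """
    if not clauses:
        raise ValueError("at least one clause is required")
    return union_by_key((cb.select(model).where(**clause) for clause in clauses), key=key)


# --- constructed offline stand-ins for CBCloudAPI and its Query (not the SDK's classes) ---
class FakeQuery:
    """Matches dict records where every where() keyword equals the record's field."""

    def __init__(self, data: List[Dict[str, Any]]) -> None:
        self._data = data
        self._crit: Dict[str, Any] = {}

    def where(self, **kwargs: Any) -> "FakeQuery":
        self._crit.update(kwargs)  # chained where() clauses AND together, as on the real Query
        return self

    def __iter__(self):
        return iter([d for d in self._data
                     if all(d.get(k) == v for k, v in self._crit.items())])


class FakeCB:
    def __init__(self, data: List[Dict[str, Any]]) -> None:
        self._data = data

    def select(self, model: Any) -> FakeQuery:
        return FakeQuery(self._data)


# Constructed sample inventory; 'name' is used as a hypothetical where() parameter.
SAMPLE_DEVICES = [
    {"deviceId": 1, "name": "ws1", "policyName": "Standard"},
    {"deviceId": 2, "name": "ws2", "policyName": "Standard"},
    {"deviceId": 3, "name": "srv1", "policyName": "Servers"},
]


if __name__ == "__main__":
    cb = FakeCB(SAMPLE_DEVICES)
    # With the SDK this would be or_query(cb, Device, Device.primary_key, {...}, {...})
    for device in or_query(cb, "Device", "deviceId", {"name": "ws1"}, {"policyName": "Servers"}):
        print(device["deviceId"], device["name"])
```

Each clause is a separate round trip, so this is only sensible for a handful of alternatives; for a large OR list, filter the superset query client-side instead.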
prepare_query(args)

Adds query parameters that are part of a select().where() clause to the request.

log = <Logger cbc_sdk.endpoint_standard.base (WARNING)>
