CBC SDK 1.5.1 - Released January 30, 2024
Asset Groups - Added management of asset groups:
Create, delete, and update asset groups (either with manual or dynamic membership)
Retrieve asset groups by ID
Search for asset groups, retrieve list of all asset groups
Add/remove members, get all members in a group
Get statistics for a group
Helper functions for
Deviceto retrieve and maintain group membership
Preview changes to effective policy for device(s) as a result of a number of different potential changes
Full documentation and new Guide page
Alerts v7 Enhancements - Added additional functionality to Alerts v7 as implemented in version 1.5.0:
Search Grouped Alerts, including faceting and retrieval of all alerts for a group
Get list of watchlists on an alert
Network threat metadata helper function
Full update to Alerts guide in documentation
Command line deobfuscation added to Processes, Alerts, and Observations, allowing visualization of PowerShell command lines that have been deliberately obfuscated by attackers.
scroll()method added to Live Query search results.
New helper methods added to
Policyto enable or disable XDR data collection and auth event data collection.
scroll()methods added to
Python 3.7 has been re-added as “unofficially” supported, since certain integrations that use the SDK still use it.
deployment_typeas part of the facets available in
Search jobs that allow setting a timeout now default that timeout to 5 minutes. The timeout may be lowered from that point, but never raised beyond it. This eliminates a problem of “hung” searches.
ReadTheDocs generation has been improved to show the inherited methods. There are some helper functions on
SearchQueryclasses such as
CBC SDK 1.5.0 - Released October 24, 2023
Alerts Update to use V7 API
The new Alerts V7 API will improve alert management and allow for easier management, consumption, and triage of alerts in the Carbon Black Cloud. Alerts v7 API extends the capabilities with improved methods of retrieving alerts and added functionality to manage alert workflow.
N.B.: This change involves breaking changes to the SDK involving the core Alerts workflow. Please check your existing code carefully before deploying this SDK upgrade.
Alerts V7: Certain changes are not compatible with code written to the old V6 API. For details, please see the Alert Migration Guide. Breaking changes include:
Default Search Time Period is reduced to two weeks.
For fields that do not exist in the Alerts V7 API, a
FunctionalityDecommissionedexception is raised.
get_events()method has been removed.
All facet terms match the field names.
Workflow has been rebuilt.
Create Note returns a single
Noteinstance instead of a list.
Official support for Python 3.7 has been dropped, since that version is now end-of-life. Added explicit testing support for Python version 3.12. N.B.: End users should update their Python version to 3.8.x or greater.
Extended alert schema with additional metadata such as process command line and username, parent and child process information, netconn data, additional device fields, MITRE categorization when available, and more
Ability to mark alerts as “In Progress”
Ability to mark alerts as True Positive or False Positive
Additional fields available for both searching and faceting
Enhanced note management with the ability to add notes to both individual alerts and threats (alerts grouped by threat)
Observed Alerts have been removed from the Alerts API as these events are not considered actionable threats. They can now be retrieved via the Observations API.
External Devices: Added External Device Export and External Device Approvals Export.
Audit log requests have moved from
CBCloudAPIinto their own function entry point in the
platformpackage. The old function has been deprecated.
Process search validation has been changed to use the V2
POSTAPI rather than the old V1
CBCloudAPI.notification_listener()have been marked as deprecated.
Added example script to poll for audit logs.
CBCloudAPIdocumentation has been pulled out into its own page.
Authentication, Getting Started, and Guides pages have been updated.
Concepts page has been removed, and the information it contained has moved to other pages.
New Searching guide added.
Update to left-hand sidebar to allow the Guides sub-listing to be collapsed.
Porting guide has been updated to reflect the latest APIs.
Live Response migration guide has been updated with links.
README.mdhas been updated with better instructions for generating docs locally.
CBCloudAPIand Devices documentation have been updated to better conform to new style guide for docstrings.
CBC SDK 1.4.3 - Released June 26, 2023
Policy Rule Configurations - support for additional rule configuration types:
Host-Based Firewall - addresses the protection of assets based on rules governing network and application behavior.
Data Collection - control over what data is uploaded to the Carbon Black Cloud. Specifically, can enable or disable auth events collection.
Added an example script for manipulating core prevention rule configuration and data collection status on a policy.
pymoxdependency to the latest version, which eliminates warning messages on unit test and provides compatibility with Python 3.11 and later.
Added specific testing support for Python 3.11.
Added additional UAT tests for authentication events.
Many exception classes now carry a
urifield which holds the URI of the API being accessed that caused the exception to be raised.
Fixed link validation for reports and IOCs to accept IPv4 addresses, domain names, or URIs.
Documentation has been reorganized for ease of reference; guides have been added to the main menu, the menu has been reordered, and various modules have been renamed.
Fixed typo in workload guide.
CBC SDK 1.4.2 - Released March 22, 2023
Policy Rule Configurations - allows users to make adjustments to Carbon Black-defined rules.
Core Prevention Rule Configurations - controls settings for core prevention rules as supplied by Carbon Black.
Observations - search through all the noteworthy, searchable activity that was reported by your organization’s sensors.
Auth Events - visibility into authentication events on Windows endpoints.
Remove use of v1 status URL from process search, which now depends entirely on v2 operations.
Vulnerabilities can now be dismissed and undismissed, and have dismissals edited.
User creation: raise error if the API object is not passed as the first parameter to
Live Response: pass failed session exception back up to the
Improved query string parameter handling in API calls.
New example script showing how to retrieve container alerts.
New example script allows exporting users with grant and role information.
Bug fixed in
policy_service_crud_operations.pyexample script affecting iteration over rules.
Update clarifying alert filtering by fields that take an empty list.
Sample script added for retrieving alerts for multiple organizations.
CBC SDK 1.4.1 - Released October 21, 2022
AWS workloads now supported in VM Workloads Search.
Live Query Differential Analysis functionality.
VM Workloads Search updated to use new v2 APIs
alertablefield to feeds.
Devices API now supports faceting on three additional (public cloud related) fields.
Added a user acceptance test script for the policy function updates.
Added information on OAuth authentication to docs.
CBC SDK 1.4.0 - Released July 26,2022
Policyobject has been moved from
cbc_sdk.platform, as it now uses the new Policy Services API rather than the old APIs through Integration Services.
N.B.: This change means that you must use a custom API key with permissions under
org.policiesto manage policies, rather than an older “API key.”
To enable time to update integration logic, the
cbc_sdk.endpoint_standard Policyobject may still be imported from the old package, and supports operations that are backwards-compatible with the old one.
When developing a new integration, or updating an existing one cbc_sdk.platform should be used. There is a utility class
PolicyBuilder, and as features are added to the Carbon Black Cloud, they will be added to this module.
Official support for Python 3.6 has been dropped, since that version is now end-of-life. Added explicit testing support for Python versions 3.9 and 3.10. N.B.: End users should update their Python version to 3.7.x or greater.
Credentials handler now supports OAuth tokens.
Added support for querying a single
Added support for alert notes (create, delete, get, refresh).
Removed the (unused)
Increased the asynchronous query thread pool to 3 threads by default.
Required version of
lxmlis now 4.9.1.
Added a user acceptance test script for Alerts.
max_rowsto USB device query, fixing pagination.
Fixed an off-by-one error in Alerts Search resulting un duplicate alerts showing up in results.
Fixed an error in alert faceting operations due to sending excess input to the server.
Watchlists, Feeds, and Reports guide has been updated with additional clarification and examples.
Updated description for some
Devicefields that are never populated.
Additional sensor states added to
Fixed the description of
BaseAlertSearchQuery.set_typesso that it mentions all valid alert types.
Threat intelligence example has been deprecated.
CBC SDK 1.3.6 - Released April 19, 2022
Support for Device Facet API.
Dynamic reference of query classes–now you can do
api.select("Device")in addition to
Support for Container Runtime Alerts.
NSX Remediation functionality - set the NSX remediation state for workloads which support it.
Endpoint Standard specific
Events have been decommissioned and removed.
SDK now uses Watchlist Manager apis
v2APIs are being decommissioned.
CONTRIBUTINGlink to the
Change to Watchlist/Report documentation to properly reflect how to update a
Cleaned up formatting.
CBC SDK 1.3.5 - Released January 26, 2022
Added asynchronous query support to Live Query.
Added the ability to export query results from Live Query, either synchronously or asynchronously (via the
Jobobject and the Jobs API). Synchronous exports include full-file export, line-by-line export, and ZIP file export. Asynchronous exports include full-file export and line-by-line export.
CredentialProviderthat uses AWS Secrets Manager to store credential information.
WatchlistAlert.get_process()method to return the
Added several helpers to Live Query support to make it easier to get runs from a template, or results, device summaries, or facets from a run.
Optimized API requests when performing query slicing.
Updated pretty-printing of objects containing
lxmldependency updated to version 4.6.5.
User.delete()now checks for an outstanding access grant on the user, and deletes it first if it exists.
Fixed handling of URL when attaching a new IOC to a
Getting and setting of
Reportignore status is now supported even if that
Reportis part of a
Information added about the target audience for the SDK.
Improper reference to a credential property replaced in the Authentication guide.
Broken example updated in Authentication guide.
Added SDK guides for Vulnerabilities and Live Query APIs.
Updated documentation for
ProcessFacetmodel to better indicate support for full query string.
CBC SDK 1.3.4 - Released October 12, 2021
New CredentialProvider supporting Keychain storage of credentials (Mac OS only).
Recommendations API - suggested reputation overrides for policy configuration.
Improved string representation of objects through
TimeoutErroris raised in several places where the wrong exception was being raised.
Fix to allowed categories when performing alert queries.
Added guide page for alerts.
Live Response documentation updated to note use of custom API keys.
Clarified query examples in Concepts.
Note that vulnerability assessment has been moved from
Small typo fixes in watchlists, feeds, UBS, and reports guide.
CBC SDK 1.3.3 - Released August 10, 2021
Dependency fix on schema library.
CBC SDK 1.3.2 - Released August 10, 2021
Added asynchronous query options to Live Response APIs.
Added functionality for Watchlists, Reports, and Feeds to simplify developer interaction.
Added documentation on the mapping between permissions and Live Response commands.
Fixed an error using the STIX/TAXII example with Cabby.
Fixed a potential infinite loop in getting detailed search results for enriched events and processes.
Comparison now case-insensitive on UBS download.
CBC SDK 1.3.1 - Released June 15, 2021
Allow the SDK to accept a pre-configured
Sessionobject to be used for access, to get around unusual configuration requirements.
Fix functions in
Grantobject for adding a new access profile to a user access grant.
CBC SDK 1.3.0 - Released June 8, 2021
Add User Management, Grants, Access Profiles, Permitted Roles
Move Vulnerability models to Platform package in preparation for supporting Endpoints and Workloads
Refactor Vulnerability models
VulnerabilitySummary.get_org_vulnerability_summarystatic function changed to
Vulnerability.OrgSummarymodel with query class
VulnerabilitySummarymodel moved inside
Vulnerabilityconsolidated into a single model to include Carbon Black Cloud context and CVE information together
Vulnerability(cb, CVE_ID)returns Carbon Black Cloud context and CVE information
DeviceVulnerability.get_vulnerability_summary_per_devicestatic function moved to
affected_assets(os_product_id)function changed to
get_affected_assets()function and no longer requires
Add dashboard export examples
Live Response migrated from v3 to v6 (migration guide)
Live Response uses API Keys of type Custom
Add function to get Enriched Events for Alert
Fix validate query from dropping sort_by for Query class
Fix the ability to set expiration for binary download URL
Fix bug in helpers read_iocs functionality
Fix install_sensor and bulk_install on ComputeResource to use id instead of uuid
Fix DeviceSearchQuery from duplicating Device due to base index of 1
CBC SDK 1.2.3 - Released April 19, 2021
Prevent alert query from retrieving past 10k limit
CBC SDK 1.2.3 - Released April 19, 2021
Prevent alert query from retrieving past 10k limit
CBC SDK 1.2.2 - Released April 5, 2021
Add support for full credential property loading through BaseAPI constructor
CBC SDK 1.2.1 - Released March 31, 2021
Add __str__ functions for Process.Tree and Process.Summary
Add get_details for Process
Add set_max_rows to DeviceQuery
Modify base class for EnrichedEventQuery to Query from cbc_sdk.base to support entire feature set for searching
Document fixes for changelog and Workload
Fix _spawn_new_workers to correctly find active devices for Carbon Black Cloud
CBC SDK 1.2.0 - Released March 9, 2021
VMware Carbon Black Cloud Workload support for managing workloads:
Sensor Lifecycle Management
VM Workloads Search
Add tutorial for Reputation Override
Fix to initialization of ReputationOverride objects
CBC SDK 1.1.1 - Released February 2, 2021
Add easy way to add single approvals and blocks
Add Device Control Alerts
Add deployment_type support to the Device model
Fix error when updating iocs in a Report model
Set max_retries to None to use Connection init logic for retries
CBC SDK 1.1.0 - Released January 27, 2021
Reputation Overrides for Endpoint Standard with Enterprise EDR support coming soon
Device Control for Endpoint Standard
Live Query Templates/Scheduled Runs and Template History
Add set_time_range for Alert query
Refactored code base to reduce query inheritance complexity
Limit Live Query results to 10k cap to prevent 400 Bad Request
Add missing criteria for Live Query RunHistory to search on template ids
Add missing args.orgkey to get_cb_cloud_object to prevent exception from being thrown
Refactor add and update criteria to use CriteriaBuilderSupportMixin
CBC SDK 1.0.1 - Released December 17, 2020
Fix readme links
Few ReadTheDocs fixes
CBC SDK 1.0.0 - Released December 16, 2020
Enriched Event searches for Endpoint Standard
Aggregation search added for Enriched Event Query
Add support for fetching additional details for an Enriched Event
Facet query support for Enriched Events, Processes, and Process Events
Addition of Python Futures to support asynchronous calls for customers who want to leverage that feature , while continuing to also provide the simplified experience which hides the multiple calls required.
Added translation support for MISP threat intel to cbc_sdk threat intel example
Improved information and extra calls for Audit and Remediation (Live Query)
Great test coverage – create extensions and submit PRs with confidence
Process and Process Event searches updated to latest APIs and moved to platform package
Flake8 formatting applied to all areas of the code
Converted old docstrings to use google format docstrings
Migrated STIX/TAXII Threat Intel module from cbapi to cbc_sdk examples
Fixed off by one error for process event pagination
Added support for default profile using CBCloudAPI()
Retry limit to Process Event search to prevent infinite loop