Changelog

CBC SDK 1.4.3 - Released June 26, 2023

New Features:

• Policy Rule Configurations - support for additional rule configuration types:

  • Host-Based Firewall - addresses the protection of assets based on rules governing network and application behavior.

  • Data Collection - control over what data is uploaded to the Carbon Black Cloud. Specifically, can enable or disable auth events collection.

Updates:

• Added an example script for manipulating core prevention rule configuration and data collection status on a policy.

• Changed pymox dependency to the latest version, which eliminates warning messages on unit test and provides compatibility with Python 3.11 and later.

• Added specific testing support for Python 3.11.

• Added additional UAT tests for authentication events.

• Many exception classes now carry a uri field which holds the URI of the API being accessed that caused the exception to be raised.

Bug Fixes:

• Fixed link validation for reports and IOCs to accept IPv4 addresses, domain names, or URIs.

Documentation:

• Documentation has been reorganized for ease of reference; guides have been added to the main menu, the menu has been reordered, and various modules have been renamed.

• Fixed typo in workload guide.

CBC SDK 1.4.2 - Released March 22, 2023

New Features:

• Policy Rule Configurations - allows users to make adjustments to Carbon Black-defined rules.

• Core Prevention Rule Configurations - controls settings for core prevention rules as supplied by Carbon Black.

• Observations - search through all the noteworthy, searchable activity that was reported by your organization’s sensors.

• Auth Events - visibility into authentication events on Windows endpoints.

Updates:

• Remove use of v1 status URL from process search, which now depends entirely on v2 operations.

• Vulnerabilities can now be dismissed and undismissed, and have dismissals edited.

Bug Fixes:

• User creation: raise error if the API object is not passed as the first parameter to User.create().

• Live Response: pass failed session exception back up to the WorkItem future objects.

• Improved query string parameter handling in API calls.

Documentation:

• New example script showing how to retrieve container alerts.

• New example script allows exporting users with grant and role information.

• Bug fixed in policy_service_crud_operations.py example script affecting iteration over rules.

• Update clarifying alert filtering by fields that take an empty list.

• Sample script added for retrieving alerts for multiple organizations.

CBC SDK 1.4.1 - Released October 21, 2022

New Features:

• AWS workloads now supported in VM Workloads Search.

• Live Query Differential Analysis functionality.

Updates:

• VM Workloads Search updated to use new v2 APIs

• Added the alertable field to feeds.

• Devices API now supports faceting on three additional (public cloud related) fields.

• Added a user acceptance test script for the policy function updates.

Documentation:

• Added information on OAuth authentication to docs.

CBC SDK 1.4.0 - Released July 26,2022

Breaking Changes:

• Policy object has been moved from cbc_sdk.endpoint_standard to cbc_sdk.platform, as it now uses the new Policy Services API rather than the old APIs through Integration Services.

  • N.B.: This change means that you must use a custom API key with permissions under org.policies to manage policies, rather than an older “API key.”

  • To enable time to update integration logic, the cbc_sdk.endpoint_standard Policy object may still be imported from the old package, and supports operations that are backwards-compatible with the old one.

  • When developing a new integration, or updating an existing one cbc_sdk.platform should be used. There is a utility class PolicyBuilder, and as features are added to the Carbon Black Cloud, they will be added to this module.

• Official support for Python 3.6 has been dropped, since that version is now end-of-life. Added explicit testing support for Python versions 3.9 and 3.10. N.B.: End users should update their Python version to 3.7.x or greater.

New Features:

• Credentials handler now supports OAuth tokens.

• Added support for querying a single Report from a Feed.

• Added support for alert notes (create, delete, get, refresh).

Updates:

• Removed the (unused) revoked property from Grant objects.

• Increased the asynchronous query thread pool to 3 threads by default.

• Required version of lxml is now 4.9.1.

• Added a user acceptance test script for Alerts.

Bug Fixes:

• Added max_rows to USB device query, fixing pagination.

• Fixed an off-by-one error in Alerts Search resulting un duplicate alerts showing up in results.

• Fixed an error in alert faceting operations due to sending excess input to the server.

Documentation:

• Watchlists, Feeds, and Reports guide has been updated with additional clarification and examples.

• Updated description for some Device fields that are never populated.

• Additional sensor states added to Device documentation.

• Fixed the description of BaseAlertSearchQuery.set_types so that it mentions all valid alert types.

• Threat intelligence example has been deprecated.

CBC SDK 1.3.6 - Released April 19, 2022

New Features:

• Support for Device Facet API.

• Dynamic reference of query classes–now you can do api.select("Device") in addition to api.select(Device).

• Support for Container Runtime Alerts.

• NSX Remediation functionality - set the NSX remediation state for workloads which support it.

Updates:

• Endpoint Standard specific Event s have been decommissioned and removed.

• SDK now uses Watchlist Manager apis v3 instead of v2. v2 APIs are being decommissioned.

Documentation:

• Added a CONTRIBUTING link to the README.md file.

• Change to Watchlist/Report documentation to properly reflect how to update a Report in a Watchlist.

• Cleaned up formatting.

CBC SDK 1.3.5 - Released January 26, 2022

New Features:

• Added asynchronous query support to Live Query.

• Added the ability to export query results from Live Query, either synchronously or asynchronously (via the Job object and the Jobs API). Synchronous exports include full-file export, line-by-line export, and ZIP file export. Asynchronous exports include full-file export and line-by-line export.

• Added a CredentialProvider that uses AWS Secrets Manager to store credential information.

Updates:

• Added WatchlistAlert.get_process() method to return the Process of a WatchlistAlert.

• Added several helpers to Live Query support to make it easier to get runs from a template, or results, device summaries, or facets from a run.

• Optimized API requests when performing query slicing.

• Updated pretty-printing of objects containing dict members.

• lxml dependency updated to version 4.6.5.

Bug Fixes:

• User.delete() now checks for an outstanding access grant on the user, and deletes it first if it exists.

• Fixed handling of URL when attaching a new IOC to a Feed.

• Getting and setting of Report ignore status is now supported even if that Report is part of a Feed.

Documentation:

• Information added about the target audience for the SDK.

• Improper reference to a credential property replaced in the Authentication guide.

• Broken example updated in Authentication guide.

• Added SDK guides for Vulnerabilities and Live Query APIs.

• Updated documentation for ProcessFacet model to better indicate support for full query string.

CBC SDK 1.3.4 - Released October 12, 2021

New Features:

• New CredentialProvider supporting Keychain storage of credentials (Mac OS only).

• Recommendations API - suggested reputation overrides for policy configuration.

Updates:

• Improved string representation of objects through __str__() mechanism.

Bug Fixes:

• Ensure proper TimeoutError is raised in several places where the wrong exception was being raised.

• Fix to allowed categories when performing alert queries.

Documentation Changes:

• Added guide page for alerts.

• Live Response documentation updated to note use of custom API keys.

• Clarified query examples in Concepts.

• Note that vulnerability assessment has been moved from workload to platform.

• Small typo fixes in watchlists, feeds, UBS, and reports guide.

CBC SDK 1.3.3 - Released August 10, 2021

Bug Fixes:

• Dependency fix on schema library.

CBC SDK 1.3.2 - Released August 10, 2021

New Features:

• Added asynchronous query options to Live Response APIs.

• Added functionality for Watchlists, Reports, and Feeds to simplify developer interaction.

Updates:

• Added documentation on the mapping between permissions and Live Response commands.

Bug Fixes:

• Fixed an error using the STIX/TAXII example with Cabby.

• Fixed a potential infinite loop in getting detailed search results for enriched events and processes.

• Comparison now case-insensitive on UBS download.

CBC SDK 1.3.1 - Released June 15, 2021

New Features:

• Allow the SDK to accept a pre-configured Session object to be used for access, to get around unusual configuration requirements.

Bug Fixes:

• Fix functions in Grant object for adding a new access profile to a user access grant.

CBC SDK 1.3.0 - Released June 8, 2021

New Features

• Add User Management, Grants, Access Profiles, Permitted Roles

• Move Vulnerability models to Platform package in preparation for supporting Endpoints and Workloads

• Refactor Vulnerability models

  • VulnerabilitySummary.get_org_vulnerability_summary static function changed to Vulnerability.OrgSummary model with query class

  • VulnerabilitySummary model moved inside Vulnerability to Vulnerability.AssetView sub model

  • OrganizationalVulnerability and Vulnerability consolidated into a single model to include Carbon Black Cloud context and CVE information together

  • Vulnerability(cb, CVE_ID) returns Carbon Black Cloud context and CVE information

  • DeviceVulnerability.get_vulnerability_summary_per_device static function moved to get_vulnerability_summary function on Device model

  • affected_assets(os_product_id) function changed to get_affected_assets() function and no longer requires os_product_id

• Add dashboard export examples

• Live Response migrated from v3 to v6 (migration guide)

  • Live Response uses API Keys of type Custom

• Add function to get Enriched Events for Alert

Bug Fixes

• Fix validate query from dropping sort_by for Query class

• Fix the ability to set expiration for binary download URL

• Fix bug in helpers read_iocs functionality

• Fix install_sensor and bulk_install on ComputeResource to use id instead of uuid

• Fix DeviceSearchQuery from duplicating Device due to base index of 1

CBC SDK 1.2.3 - Released April 19, 2021

Bug Fixes

• Prevent alert query from retrieving past 10k limit

CBC SDK 1.2.3 - Released April 19, 2021

Bug Fixes

• Prevent alert query from retrieving past 10k limit

CBC SDK 1.2.2 - Released April 5, 2021

Bug Fixes

• Add support for full credential property loading through BaseAPI constructor

CBC SDK 1.2.1 - Released March 31, 2021

New Features

• Add __str__ functions for Process.Tree and Process.Summary

• Add get_details for Process

• Add set_max_rows to DeviceQuery

Bug Fixes

• Modify base class for EnrichedEventQuery to Query from cbc_sdk.base to support entire feature set for searching

• Document fixes for changelog and Workload

• Fix _spawn_new_workers to correctly find active devices for Carbon Black Cloud

CBC SDK 1.2.0 - Released March 9, 2021

New Features

• VMware Carbon Black Cloud Workload support for managing workloads:

  • Vulnerability Assessment

  • Sensor Lifecycle Management

  • VM Workloads Search

• Add tutorial for Reputation Override

Bug Fixes

• Fix to initialization of ReputationOverride objects

CBC SDK 1.1.1 - Released February 2, 2021

New Features

• Add easy way to add single approvals and blocks

• Add Device Control Alerts

• Add deployment_type support to the Device model

Bug Fixes

• Fix error when updating iocs in a Report model

• Set max_retries to None to use Connection init logic for retries

CBC SDK 1.1.0 - Released January 27, 2021

New Features

• Reputation Overrides for Endpoint Standard with Enterprise EDR support coming soon

• Device Control for Endpoint Standard

• Live Query Templates/Scheduled Runs and Template History

• Add set_time_range for Alert query

Bug Fixes

• Refactored code base to reduce query inheritance complexity

• Limit Live Query results to 10k cap to prevent 400 Bad Request

• Add missing criteria for Live Query RunHistory to search on template ids

• Add missing args.orgkey to get_cb_cloud_object to prevent exception from being thrown

• Refactor add and update criteria to use CriteriaBuilderSupportMixin

CBC SDK 1.0.1 - Released December 17, 2020

Bug Fixes

• Fix readme links

• Few ReadTheDocs fixes

CBC SDK 1.0.0 - Released December 16, 2020

New Features

• Enriched Event searches for Endpoint Standard

• Aggregation search added for Enriched Event Query

• Add support for fetching additional details for an Enriched Event

• Facet query support for Enriched Events, Processes, and Process Events

• Addition of Python Futures to support asynchronous calls for customers who want to leverage that feature , while continuing to also provide the simplified experience which hides the multiple calls required.

• Added translation support for MISP threat intel to cbc_sdk threat intel example

Updates

• Improved information and extra calls for Audit and Remediation (Live Query)

• Great test coverage – create extensions and submit PRs with confidence

• Process and Process Event searches updated to latest APIs and moved to platform package

• Flake8 formatting applied to all areas of the code

• Converted old docstrings to use google format docstrings

• Migrated STIX/TAXII Threat Intel module from cbapi to cbc_sdk examples

Bug Fixes

• Fixed off by one error for process event pagination

• Added support for default profile using CBCloudAPI()

• Retry limit to Process Event search to prevent infinite loop