Reputation Override
Using the Carbon Black Cloud SDK, you can manage your ReputationOverrides to create a list of approved or banned applications keyed by a SHA-256 hash, a certificate signer, or a path to a known IT tool application.
Creating a Reputation Override
Using the ReputationOverride model, you can create new overrides directly, provided you supply the required properties. A SHA256 override needs the hash and optionally the filename; an IT_TOOL override needs a file path, with or without wildcards, and optionally a flag for including child processes; a CERT override needs the signer of the application and optionally the certificate authority. See the developer documentation for more details.
>>> from cbc_sdk import CBCloudAPI
>>> cb = CBCloudAPI(profile='sample')
>>> from cbc_sdk.platform import ReputationOverride
>>> ReputationOverride.create(cb, {
... "description": "An override for a sha256 hash",
... "override_list": "BLACK_LIST",
... "override_type": "SHA256",
... "sha256_hash": "af62e6b3d475879c4234fe7bd8ba67ff6544ce6510131a069aaac75aa92aee7a",
... "filename": "foo.exe"
... })
<cbc_sdk.platform.reputation.ReputationOverride: id 83008db065a611eb9a953907c2e1ed66> @ https://defense.conferdeploy.net
>>> ReputationOverride.create(cb, {
... "description": "An override for an IT Tool",
... "override_list": "WHITE_LIST",
... "override_type": "IT_TOOL",
... "path": "C://tools//*.exe",
... "include_child_processes": True
... })
<cbc_sdk.platform.reputation.ReputationOverride: id 9e5c7a2f5ef140a989550c2351de1a32> @ https://defense.conferdeploy.net
>>> ReputationOverride.create(cb, {
... "description": "An override for a CERT",
... "override_list": "WHITE_LIST",
... "override_type": "CERT",
... "signed_by": "VMware Inc.",
... "certificate_authority": "VMware"
... })
<cbc_sdk.platform.reputation.ReputationOverride: id 1768b71d356744498eec5ecd6526ca10> @ https://defense.conferdeploy.net
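As an added example (not code from the SDK or from this page), the helper below validates the three payload shapes described above before they are handed to ReputationOverride.create, and lists the ways a WHITE_LIST entry trusts more than a single binary; the function names and the validation rules are assumptions of this example.

```python
import re
from typing import Any

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
OVERRIDE_LISTS = {"WHITE_LIST", "BLACK_LIST"}
# Required and optional keys per override_type, as used on this page.
REQUIRED = {"SHA256": ("sha256_hash",), "IT_TOOL": ("path",), "CERT": ("signed_by",)}
OPTIONAL = {"SHA256": ("filename",), "IT_TOOL": ("include_child_processes",),
            "CERT": ("certificate_authority",)}


def build_override(override_type: str, override_list: str, description: str,
                   **fields: Any) -> dict:
    """Validate inputs and return the dict to pass to ReputationOverride.create(cb, ...)."""
    if override_list not in OVERRIDE_LISTS:
        raise ValueError(f"override_list must be one of {sorted(OVERRIDE_LISTS)}")
    if override_type not in REQUIRED:
        raise ValueError(f"unknown override_type {override_type!r}")
    missing = [k for k in REQUIRED[override_type] if k not in fields]
    if missing:
        raise ValueError(f"{override_type} override is missing {missing}")
    unknown = set(fields) - set(REQUIRED[override_type]) - set(OPTIONAL[override_type])
    if unknown:
        raise ValueError(f"{override_type} override does not accept {sorted(unknown)}")
    if override_type == "SHA256":
        # Normalise to lowercase hex so the same binary cannot be entered twice.
        fields["sha256_hash"] = fields["sha256_hash"].strip().lower()
        if not SHA256_RE.match(fields["sha256_hash"]):
            raise ValueError("sha256_hash must be 64 hexadecimal characters")
    return {"description": description, "override_list": override_list,
            "override_type": override_type, **fields}


def broad_approval_warnings(payload: dict) -> list:
    """List the ways a WHITE_LIST payload trusts more than one specific binary."""
    warnings = []
    if payload["override_list"] != "WHITE_LIST":
        return warnings  # bans do not widen trust
    if payload["override_type"] == "IT_TOOL":
        if "*" in payload["path"]:
            warnings.append("wildcard path approves every file that matches it")
        if payload.get("include_child_processes"):
            warnings.append("child processes inherit the approval")
    if payload["override_type"] == "CERT" and not payload.get("certificate_authority"):
        warnings.append("signer approved without naming a certificate authority")
    return warnings
```

Run broad_approval_warnings on a payload before creating it and review any non-empty result, since each warning names a way the approval reaches beyond one known file.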
If you have an EnrichedEvent or Process object then you can use either ban_process_sha256 (adding the hash to the BLACK_LIST) or approve_process_sha256 (adding it to the WHITE_LIST) to create an override for the application's sha256 hash.
>>> from cbc_sdk import CBCloudAPI
>>> cb = CBCloudAPI(profile='sample')
>>> from cbc_sdk.platform import Process
>>> proc = cb.select(Process, "ABCD1234-00348f83-0000015c-00000000-1d667eb58a2ec94")
>>> proc.approve_process_sha256("Example approved sha256 from Process")
<cbc_sdk.platform.reputation.ReputationOverride: id 829e252b65aa11ebb1c7a965f279498c> @ https://defense.conferdeploy.net
Retrieving existing Reputation Overrides
Using a query of the ReputationOverride object, you can see the reputation overrides that have been created within your organization. To filter the results, include set_override_list or set_override_type in your query, or use a more restrictive where clause, which can include wildcards such as *tools*.
>>> from cbc_sdk import CBCloudAPI
>>> cb = CBCloudAPI(profile='sample')
>>> from cbc_sdk.platform import ReputationOverride
>>> overrides = cb.select(ReputationOverride).where("1")
>>> for override in overrides:
...     print(override)
...
-------------------------------------------------------------------------------
create_time: 2021-02-02T22:32:20.176Z
created_by: ABCDE12345
description: An override for an IT Tool
id: 83008db065a611eb9a953907c2e1ed66
include_child_processes: True
override_list: WHITE_LIST
override_type: IT_TOOL
path: C://tools//*.exe
If you already have an id for a ReputationOverride then you can make a query including the id as seen below.
>>> override = cb.select(ReputationOverride, "83008db065a611eb9a953907c2e1ed66")  # the id is a string and must be quoted
>>> print(override)
-------------------------------------------------------------------------------
create_time: 2021-02-02T22:32:20.176Z
created_by: ABCDE12345
description: An override for an IT Tool
id: 83008db065a611eb9a953907c2e1ed66
include_child_processes: True
override_list: WHITE_LIST
override_type: IT_TOOL
path: C://tools//*.exe
Deleting a Reputation Override
If you no longer need a ReputationOverride then you can delete the override using delete(), or bulk_delete(cb, [...]) with a list of ids if you have several that need deleting at once.
>>> from cbc_sdk import CBCloudAPI
>>> cb = CBCloudAPI(profile='sample')
>>> from cbc_sdk.platform import ReputationOverride
>>> override = cb.select(ReputationOverride, "83008db065a611eb9a953907c2e1ed66")  # the id is a string and must be quoted
>>> override.delete()
>>> # bulk_delete is a classmethod and, like create, takes the API object first
>>> ReputationOverride.bulk_delete(cb, [
...     "9e5c7a2f5ef140a989550c2351de1a32",
...     "1768b71d356744498eec5ecd6526ca10"
... ])