Enterprise EDR

Submodules

cbc_sdk.enterprise_edr.auth_events module

Model and Query Classes for Auth Events

class AuthEvent(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)
Bases: cbc_sdk.base.NewBaseModel

Represents an AuthEvent.

Initialize the AuthEvent object.

Required RBAC Permissions:
- org.search.events (CREATE, READ)

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (Any) – The unique ID for this particular instance of the model object.
- initial_data (dict) – The data to use when initializing the model object.
- force_init (bool) – True to force object initialization.
- full_doc (bool) – False to mark the object as not fully initialized.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where("auth_username:SYSTEM")
>>> print(*events)
Attributes:
- auth_domain_name = None
- auth_event_action = None
- auth_remote_device = None
- auth_remote_port = None
- auth_username = None
- backend_timestamp = None
static bulk_get_details(cb, alert_id=None, event_ids=None, timeout=0)
Bulk get details.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- alert_id (str) – An alert id to fetch associated events.
- event_ids (list) – A list of event ids to fetch.
- timeout (int) – AuthEvent details request timeout in milliseconds.

Returns: list of Auth Events
Return type: list
Raises: ApiError – if cb is not an instance of CBCloudAPI.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> bulk_details = AuthEvent.bulk_get_details(cb, event_ids=['example-value'])
>>> print(bulk_details)
Attributes:
- childproc_count = None
- crossproc_count = None
- device_group_id = None
- device_id = None
- device_name = None
- device_policy_id = None
- device_timestamp = None
- event_id = None
- filemod_count = None
static get_auth_events_descriptions(cb)
Returns descriptions and status messages of Auth Events.

Parameters: cb (CBCloudAPI) – A reference to the CBCloudAPI object.
Returns: Descriptions and status messages of Auth Events as dict objects.
Return type: dict
Raises: ApiError – if cb is not an instance of CBCloudAPI.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> descriptions = AuthEvent.get_auth_events_descriptions(cb)
>>> print(descriptions)

get_details(timeout=0, async_mode=False)
Requests detailed results.

Parameters:
- timeout (int) – AuthEvent details request timeout in milliseconds.
- async_mode (bool) – True to request details in an asynchronous manner.

Returns: Auth Events object enriched with the details fields.

Note: When using asynchronous mode, this method returns a Python future. You can call result() on the future object to wait for completion and get the results.

Examples:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_pid=2000)
>>> print(events[0].get_details())
Attributes:
- ingress_time = None
- modload_count = None
- netconn_count = None
- org_id = None
- parent_guid = None
- parent_pid = None
- primary_key = 'event_id'
- process_guid = None
- process_hash = []
- process_name = None
- process_pid = []
- process_username = []
- regmod_count = None
- scriptload_count = None
static search_suggestions(cb, query, count=None)
Returns suggestions for keys and field values that can be used in a search.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- query (str) – A search query to use.
- count (int) – (optional) Number of suggestions to be returned.

Returns: A list of search suggestions expressed as dict objects.
Return type: list
Raises: ApiError – if cb is not an instance of CBCloudAPI.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> suggestions = AuthEvent.search_suggestions(cb, 'auth')
>>> print(suggestions)

Attributes:
- validation_url = '/api/investigate/v2/orgs/{}/auth_events/search_validation'
- windows_event_id = None
class AuthEventFacet(cb, model_unique_id, initial_data)
Bases: cbc_sdk.base.UnrefreshableModel

Represents an AuthEvent facet retrieved.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
>>> print(events_facet.results)

Parameters:
- terms – Contains the Auth Event Facet search results.
- ranges – Groupings for search result properties that are ISO 8601 timestamps or numbers.
- contacted – The number of searchers contacted for this query.
- completed – The number of searchers that have reported their results.

Initialize the Terms object with initial data.

class AuthEventFacet.Ranges(cb, initial_data)
Bases: cbc_sdk.base.UnrefreshableModel

Represents the range (bucketed) facet fields and values associated with an AuthEvent Facet query.

Initialize an AuthEventFacet Ranges object with initial_data.

Properties:
- facets – Returns the reified AuthEventFacet.Terms._facets for this result.
- fields – Returns the ranges fields for this result.

class AuthEventFacet.Terms(cb, initial_data)
Bases: cbc_sdk.base.UnrefreshableModel

Represents the facet fields and values associated with an AuthEvent Facet query.

Initialize an AuthEventFacet Terms object with initial_data.

Properties:
- facets – Returns the terms’ facets for this result.
- fields – Returns the terms facets’ fields for this result.

Attributes and properties of AuthEventFacet:
- completed = None
- contacted = None
- num_found = None
- primary_key = 'job_id'
- ranges = []
- ranges_ (property) – Returns the reified AuthEventFacet.Ranges for this result.
- result_url = '/api/investigate/v2/orgs/{}/auth_events/facet_jobs/{}/results'
- submit_url = '/api/investigate/v2/orgs/{}/auth_events/facet_jobs'
- terms = []
- terms_ (property) – Returns the reified AuthEventFacet.Terms for this result.
class AuthEventGroup(cb, initial_data=None)
Bases: object

Represents an AuthEventGroup.

Initialize the AuthEventGroup object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- initial_data (dict) – The data to use when initializing the model object.

Notes: The constructed object will have the following data:
- group_start_timestamp
- group_end_timestamp
- group_key
- group_value

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
>>> for group in groups:
...     print(group._info)
class AuthEventQuery(doc_class, cb)
Bases: cbc_sdk.base.Query

Represents the query logic for an AuthEvent query.

This class specializes Query to handle the particulars of Auth Events querying.

Initialize the AuthEventQuery object.

Parameters:
- doc_class (class) – The class of the model this query returns.
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where("auth_username:SYSTEM")
>>> print(*events)

Attributes:
- VALID_GROUP_FIELDS = ('auth_domain_name', 'auth_event_action', 'auth_remote_port', 'auth_username', 'backend_timestamp', 'childproc_count', 'crossproc_count', 'device_group_id', 'device_id', 'device_name', 'device_policy_id', 'device_timestamp', 'event_id', 'filemod_count', 'ingress_time', 'modload_count', 'netconn_count', 'org_id', 'parent_guid', 'parent_pid', 'process_guid', 'process_hash', 'process_name', 'process_pid', 'process_username', 'regmod_count', 'scriptload_count', 'windows_event_id')

group_results(fields, max_events_per_group=None, rows=500, start=None, range_duration=None, range_field=None, range_method=None)
Get group results grouped by provided fields.

Parameters:
- fields (str / list) – Field or fields by which to perform the grouping.
- max_events_per_group (int) – Maximum number of events in a group; if not provided, all events will be returned.
- rows (int) – Number of rows to request; can be paginated.
- start (int) – First row to use for pagination.
- ranges (dict) – dict with information about duration, field, method.

Returns: grouped results
Return type: dict

Examples:
>>> cb = CBCloudAPI(profile="example_profile")
>>> groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
>>> for group in groups:
...     print(group._info)

or_(**kwargs)
or_() criteria are explicitly provided to AuthEvent queries. This method overrides the base class in order to provide or_() functionality rather than raising an exception.

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").or_(process_name="firefox.exe")
>>> print(*events)

set_rows(rows)
Sets the ‘rows’ query body parameter to the ‘start search’ API call, determining how many rows to request.

Parameters: rows (int) – How many rows to request.
Returns: AuthEventQuery object
Return type: Query

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").set_rows(5)
>>> print(*events)

timeout(msecs)
Sets the timeout on an Auth Event query.

Parameters: msecs (int) – Timeout duration, in milliseconds.
Returns: The Query object with the new milliseconds parameter.
Return type: Query (AuthEventQuery)

Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").timeout(5000)
>>> print(*events)
cbc_sdk.enterprise_edr.threat_intelligence module

Model Classes for Enterprise Endpoint Detection and Response

class Feed(cb, model_unique_id=None, initial_data=None)
Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents an Enterprise EDR feed’s metadata.

Parameters:
- name – A human-friendly name for this feed.
- owner – The feed owner’s connector ID.
- provider_url – A URL supplied by the feed’s provider.
- summary – A human-friendly summary for the feed.
- category – The feed’s category.
- source_label – The feed’s source label.
- access – The feed’s access (public or private).
- id – The feed’s unique ID.

Initialize the Feed object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (str) – The unique ID of the feed.
- initial_data (dict) – The initial data for the object.
class Feed.FeedBuilder(cb, info)
Bases: object

Helper class allowing Feeds to be assembled.

Creates a new FeedBuilder object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- info (dict) – The initial information for the new feed.

add_reports(reports)
Adds new reports to the new feed.
Parameters: reports (list[Report]) – New reports to be added to the feed.
Returns: This object.
Return type: FeedBuilder

set_alertable(alertable)
Sets the alertable flag for the new feed. Defaults to true if not specified.
Parameters: alertable (bool) – Indicator whether the feed supports alerting.
Returns: This object.
Return type: FeedBuilder

set_category(category)
Sets the category for the new feed.
Parameters: category (str) – New category for the feed.
Returns: This object.
Return type: FeedBuilder

set_name(name)
Sets the name for the new feed.
Parameters: name (str) – New name for the feed.
Returns: This object.
Return type: FeedBuilder

set_provider_url(provider_url)
Sets the provider URL for the new feed.
Parameters: provider_url (str) – New provider URL for the feed.
Returns: This object.
Return type: FeedBuilder

set_source_label(source_label)
Sets the source label for the new feed.
Parameters: source_label (str) – New source label for the feed.
Returns: This object.
Return type: FeedBuilder

set_summary(summary)
Sets the summary for the new feed.
Parameters: summary (str) – New summary for the feed.
Returns: This object.
Return type: FeedBuilder
Attributes, properties and methods of Feed:

- access = None

append_reports(reports)
Append the given Reports to this Feed’s current Reports.
Parameters: reports ([Report]) – List of Reports to append to the Feed.
Raises: InvalidObjectError – If id is missing.

append_reports_rawdata(report_data)
Append the given report data, formatted as per the API documentation for reports, to this Feed’s Reports.
Parameters: report_data (list[dict])
Raises: InvalidObjectError – If id is missing or validation of the data fails.

- category = None

classmethod create(cb, name, provider_url, summary, category, alertable=True)
Begins creating a new feed by making a FeedBuilder to hold the new feed data.
Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- name (str) – Name for the new feed.
- provider_url (str) – Provider URL for the new feed.
- summary (str) – Summary for the new feed.
- category (str) – Category for the new feed.
Returns: The new FeedBuilder object to be used to create the feed.
Return type: FeedBuilder

delete()
Deletes this feed from the Enterprise EDR server.
Raises: InvalidObjectError – If id is missing.

- id = None
- name = None
- owner = None
- primary_key = 'id'
- provider_url = None

replace_reports(reports)
Replace this Feed’s Reports with the given Reports.
Parameters: reports ([Report]) – List of Reports to replace existing Reports with.
Raises: InvalidObjectError – If id is missing.

replace_reports_rawdata(report_data)
Replace this Feed’s Reports with the given reports, specified as raw data.
Parameters: report_data (list[dict])
Raises: InvalidObjectError – If id is missing or validation of the data fails.

property reports
Returns a list of Reports associated with this feed.
Returns: List of Reports in this Feed.
Return type: Reports ([Report])

save(public=False)
Saves this feed on the Enterprise EDR server.
Parameters: public (bool) – Whether to make the feed publicly available.
Returns: The saved Feed.
Return type: Feed (Feed)

- source_label = None
- summary = None

update(**kwargs)
Update this feed’s metadata with the given arguments.
Parameters: **kwargs (dict(str, str)) – The fields to update.
Raises:
- InvalidObjectError – If id is missing or Feed.validate() fails.
- ApiError – If an invalid field is specified.
Example:
>>> feed.update(access="private")

- urlobject = '/threathunter/feedmgr/v2/orgs/{}/feeds'
- urlobject_single = '/threathunter/feedmgr/v2/orgs/{}/feeds/{}'

validate()
Checks to ensure this feed contains valid data.
Raises: InvalidObjectError – If the feed contains invalid data.
class FeedModel(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)
Bases: cbc_sdk.base.UnrefreshableModel, cbc_sdk.base.CreatableModelMixin, cbc_sdk.base.MutableBaseModel

A common base class for models used by the Feed and Watchlist APIs.

Initialize the NewBaseModel object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (Any) – The unique ID for this particular instance of the model object.
- initial_data (dict) – The data to use when initializing the model object.
- force_init (bool) – True to force object initialization.
- full_doc (bool) – True to mark the object as fully initialized.

Attributes:
- SCHEMA_IOCV2 = Schema({'id': And(And(<class 'str'>), <built-in function len>), 'match_type': And(And(<class 'str'>), And(<function FeedModel.<lambda>>)), 'values': And(And(<class 'list'>), [And(<class 'str'>)], <built-in function len>), Optional('field'): And(<class 'str'>), Optional('link'): And(<class 'str'>)})
- SCHEMA_REPORT = Schema({'id': And(And(<class 'str'>), <built-in function len>), 'timestamp': And(And(<class 'int'>), And(<function FeedModel.<lambda>>)), 'title': And(And(<class 'str'>), <built-in function len>), 'description': And(And(<class 'str'>), <built-in function len>), 'severity': And(And(<class 'int'>), And(<function FeedModel.<lambda>>)), Optional('link'): And(<class 'str'>), Optional('tags'): And(And(<class 'list'>), [And(<class 'str'>)]), 'iocs_v2': And(And(<class 'list'>), [Schema({'id': And(And(<class 'str'>), <built-in function len>), 'match_type': And(And(<class 'str'>), And(<function FeedModel.<lambda>>)), 'values': And(And(<class 'list'>), [And(<class 'str'>)], <built-in function len>), Optional('field'): And(<class 'str'>), Optional('link'): And(<class 'str'>)})], And(<built-in function len>)), Optional('visibility'): And(<class 'str'>)})
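The two Schema objects above are what Feed.append_reports_rawdata, Report.validate() and IOC_V2.validate() check a report body against before it is sent to the server: every required string must be non-empty, iocs_v2 must be a non-empty list, and each IOC must carry a non-empty values list. The following is an added example, not cbc_sdk code: it re-implements those rules in plain Python (no cbc_sdk or schema import) so that a feed body can be checked offline before an upload, and it assembles a report dict the way Report.create(...).add_ioc(...).build() does. The page shows three of the rules only as lambdas; the concrete conditions used here for timestamp, severity and match_type are assumptions and are marked as such in the code.

```python
"""Offline validator for Report / IOC_V2 dicts, mirroring FeedModel.SCHEMA_REPORT
and FeedModel.SCHEMA_IOCV2. Added example; not part of cbc_sdk."""
import time
import uuid

# Assumption: the match_type lambda accepts the three IOC kinds the SDK has
# factories for (IOC_V2.create_equality / create_query / create_regex).
MATCH_TYPES = ("equality", "query", "regex")


class InvalidObjectError(ValueError):
    """Raised when a report or IOC dict fails validation (same name the SDK uses)."""


class ApiError(ValueError):
    """Raised for bad constructor arguments (same name the SDK uses)."""


def _require_non_empty_str(value, name):
    if not isinstance(value, str) or len(value) == 0:
        raise InvalidObjectError(f"{name} must be a non-empty string")


def _is_int(value):
    # bool is a subclass of int in Python; the schema wants a real int.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_ioc_v2(ioc):
    """Apply the SCHEMA_IOCV2 rules to one IOC dict; returns True or raises."""
    if not isinstance(ioc, dict):
        raise InvalidObjectError("IOC must be a dict")
    _require_non_empty_str(ioc.get("id"), "iocs_v2[].id")
    if ioc.get("match_type") not in MATCH_TYPES:
        raise InvalidObjectError(f"match_type must be one of {MATCH_TYPES}")
    values = ioc.get("values")
    if not isinstance(values, list) or not values or not all(isinstance(v, str) for v in values):
        raise InvalidObjectError("values must be a non-empty list of str")
    for opt in ("field", "link"):
        if opt in ioc and not isinstance(ioc[opt], str):
            raise InvalidObjectError(f"{opt} must be a string when present")
    return True


def validate_report(report):
    """Apply the SCHEMA_REPORT rules to a report dict; returns True or raises."""
    if not isinstance(report, dict):
        raise InvalidObjectError("report must be a dict")
    for key in ("id", "title", "description"):
        _require_non_empty_str(report.get(key), key)
    # Assumption: the timestamp lambda requires a positive UNIX-epoch integer.
    if not _is_int(report.get("timestamp")) or report["timestamp"] <= 0:
        raise InvalidObjectError("timestamp must be a positive int")
    # Assumption: the severity lambda requires an int in the range 1..10.
    if not _is_int(report.get("severity")) or not 1 <= report["severity"] <= 10:
        raise InvalidObjectError("severity must be an int between 1 and 10")
    if "link" in report and not isinstance(report["link"], str):
        raise InvalidObjectError("link must be a string when present")
    if "tags" in report and (not isinstance(report["tags"], list)
                             or not all(isinstance(t, str) for t in report["tags"])):
        raise InvalidObjectError("tags must be a list of str")
    iocs = report.get("iocs_v2")
    if not isinstance(iocs, list) or not iocs:
        raise InvalidObjectError("iocs_v2 must be a non-empty list")
    for ioc in iocs:
        validate_ioc_v2(ioc)
    if "visibility" in report and not isinstance(report["visibility"], str):
        raise InvalidObjectError("visibility must be a string when present")
    return True


def equality_ioc(field, *values, iocid=None):
    """Counterpart of IOC_V2.create_equality: match `field` against the given values.
    A UUID is generated when no id is supplied; at least one value is required."""
    if not values:
        raise ApiError("at least one value to match against is required")
    return {"id": iocid or str(uuid.uuid4()), "match_type": "equality",
            "field": field, "values": list(values)}


def build_report(title, description, severity, iocs, timestamp=None, tags=None, report_id=None):
    """Counterpart of Report.create(...).add_ioc(...).build(): assemble the body,
    default the timestamp to now, and validate before returning."""
    report = {
        "id": report_id or str(uuid.uuid4()),
        "timestamp": timestamp if timestamp is not None else int(time.time()),
        "title": title,
        "description": description,
        "severity": severity,
        "iocs_v2": list(iocs),
    }
    if tags is not None:
        report["tags"] = list(tags)
    validate_report(report)
    return report


if __name__ == "__main__":
    # Constructed sample: one hash-equality IOC with a placeholder value, not a real indicator.
    ioc = equality_ioc("process_sha256", "0" * 64, iocid="ioc-1")
    body = build_report("Sample report", "Constructed example body", 5, [ioc],
                        timestamp=1700000000, tags=["example"])
    print(validate_report(body))
```

Running the validator locally catches the same classes of mistake the server-side validation would reject (empty `values`, a report with no IOCs, a severity outside the accepted range) before any network call is made, which matters when a feed is assembled from many reports and a single bad entry would otherwise fail the whole replace_reports_rawdata call.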
class FeedQuery(doc_class, cb)
Bases: cbc_sdk.base.SimpleQuery

Represents the logic for a Feed query.

>>> cb.select(Feed)
>>> cb.select(Feed, id)
>>> cb.select(Feed).where(include_public=True)

Initialize the FeedQuery object.

Parameters:
- doc_class (class) – The class of the model this query returns.
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.

property results
Return a list of Feed objects matching self._args parameters.

where(**kwargs)
Add kwargs to the self._args dictionary.
class IOC(cb, model_unique_id=None, initial_data=None, report_id=None)
Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents a collection of categorized IOCs. These objects are officially deprecated and replaced by IOC_V2.

Parameters:
- md5 – A list of MD5 checksums.
- ipv4 – A list of IPv4 addresses.
- ipv6 – A list of IPv6 addresses.
- dns – A list of domain names.
- query – A list of dicts, each containing an IOC query.

Creates a new IOC instance.

Parameters:
- cb (BaseAPI) – Reference to the API object used to communicate with the server.
- model_unique_id (str) – Unique ID of this IOC.
- initial_data (dict) – Initial data used to populate the IOC.
- report_id (str) – ID of the report this IOC belongs to (if this is a watchlist IOC).

Raises: ApiError – If initial_data is None.

Attributes:
- dns = []
- ipv4 = []
- ipv6 = []
- md5 = []
- query = []

validate()
Checks to ensure this IOC contains valid data.
Raises: InvalidObjectError – If the IOC contains invalid data.
class IOC_V2(cb, model_unique_id=None, initial_data=None, report_id=None)
Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents a collection of IOCs of a particular type, plus matching criteria and metadata.

Parameters:
- id – The IOC_V2’s unique ID.
- match_type – How IOCs in this IOC_V2 are matched.
- values – A list of IOCs.
- field – The kind of IOCs contained in this IOC_V2.
- link – A URL for some reference for this IOC_V2.

Creates a new IOC_V2 instance.

Parameters:
- cb (BaseAPI) – Reference to the API object used to communicate with the server.
- model_unique_id (Any) – Unused.
- initial_data (dict) – Initial data used to populate the IOC.
- report_id (str) – ID of the report this IOC belongs to (if this is a watchlist IOC).

Raises: ApiError – If initial_data is None.

classmethod create_equality(cb, iocid, field, *values)
Creates a new “equality” IOC.
Parameters:
- cb (BaseAPI) – Reference to the API object used to communicate with the server.
- iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC.
- field (str) – Name of the field to be matched by this IOC.
- *values (list(str)) – String values to match against the value of the specified field.
Returns: New IOC data structure.
Raises: ApiError – If there is not at least one value to match against.

classmethod create_query(cb, iocid, query)
Creates a new “query” IOC.
Parameters:
- cb (BaseAPI) – Reference to the API object used to communicate with the server.
- iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC.
- query (str) – Query to be incorporated in this IOC.
Returns: New IOC data structure.
Raises: ApiError – If the query string is not present.

classmethod create_regex(cb, iocid, field, *values)
Creates a new “regex” IOC.
Parameters:
- cb (BaseAPI) – Reference to the API object used to communicate with the server.
- iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC.
- field (str) – Name of the field to be matched by this IOC.
- *values (list(str)) – Regular expression values to match against the value of the specified field.
Returns: New IOC data structure.
Raises: ApiError – If there is not at least one regular expression to match against.

Attributes:
- field = None
- id = None

ignore()
Sets the ignore status on this IOC. Only watchlist IOCs have an ignore status.
Raises: InvalidObjectError – If id is missing or this IOC is not from a Watchlist.

property ignored
Returns whether or not this IOC is ignored. Only watchlist IOCs have an ignore status.
Returns: True if the IOC is ignored, False otherwise.
Return type: bool
Raises: InvalidObjectError – If this IOC is missing an id or is not a Watchlist IOC.
Example:
>>> if ioc.ignored:
...     ioc.unignore()

classmethod ipv6_equality_format(input)
Turns a canonically-formatted IPv6 address into a string suitable for use in an equality IOC.
Parameters: input (str) – The IPv6 address to be translated.
Returns: The translated form of the IPv6 address.
Return type: str
Raises: ApiError – If the string is not in a valid format.

Attributes:
- link = None
- match_type = None
- primary_key = 'id'

unignore()
Removes the ignore status on this IOC. Only watchlist IOCs have an ignore status.
Raises: InvalidObjectError – If id is missing or this IOC is not from a Watchlist.

validate()
Checks to ensure this IOC contains a valid FQDN.
Raises: InvalidObjectError – If the IOC contains invalid data.

Attributes:
- values = []
class Report(cb, model_unique_id=None, initial_data=None, feed_id=None, from_watchlist=False)
Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents reports retrieved from an Enterprise EDR feed.

Parameters:
- id – The report’s unique ID.
- timestamp – When this report was created.
- title – A human-friendly title for this report.
- description – A human-friendly description for this report.
- severity – The severity of the IOCs within this report.
- link – A URL for some reference for this report.
- tags – A list of tags for this report.
- iocs_v2 – A list of IOC_V2 dicts associated with this report.
- visibility – The visibility of this report.

Initialize the ReportSeverity object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (str) – The ID of the Report (only works for Reports in Watchlists).
- initial_data (dict) – The initial data for the object.
- feed_id (str) – The ID of the feed this report is for.
- from_watchlist (bool) – If the report is in a watchlist.
class Report.ReportBuilder(cb, report_body)
Bases: object

Helper class allowing Reports to be assembled.

Initialize a new ReportBuilder.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- report_body (dict) – Partial report body which should be filled in with all “required” fields.

add_ioc(ioc)
Adds an IOC to the new report.
Parameters: ioc (IOC_V2) – The IOC to be added to the report.
Returns: This object.
Return type: ReportBuilder

add_tag(tag)
Adds a tag value to the new report.
Parameters: tag (str) – The new tag for the object.
Returns: This object.
Return type: ReportBuilder

build()
Builds the actual Report from the internal data of the ReportBuilder.
Returns: The new Report.
Return type: Report

set_description(description)
Set the description for the new report.
Parameters: description (str) – New description for the report.
Returns: This object.
Return type: ReportBuilder

set_link(link)
Set the link for the new report.
Parameters: link (str) – New link for the report.
Returns: This object.
Return type: ReportBuilder

set_severity(severity)
Set the severity for the new report.
Parameters: severity (int) – New severity for the report.
Returns: This object.
Return type: ReportBuilder

set_timestamp(timestamp)
Set the timestamp for the new report.
Parameters: timestamp (int) – New timestamp for the report.
Returns: This object.
Return type: ReportBuilder

set_title(title)
Set the title for the new report.
Parameters: title (str) – New title for the report.
Returns: This object.
Return type: ReportBuilder

set_visibility(visibility)
Set the visibility for the new report.
Parameters: visibility (str) – New visibility for the report.
Returns: This object.
Return type: ReportBuilder
Attributes, properties and methods of Report:

append_iocs(iocs)
Append a list of IOCs to this Report.
Parameters: iocs (list[IOC_V2]) – List of IOCs to be added.

classmethod create(cb, title, description, severity, timestamp=None, tags=None)
Begin creating a new Report by returning a ReportBuilder.
Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- title (str) – Title for the new report.
- description (str) – Description for the new report.
- severity (int) – Severity value for the new report.
- timestamp (int) – UNIX-epoch timestamp for the new report. If omitted, the current time will be used.
- tags (list[str]) – Tags to be added to the report. If omitted, there will be none.
Returns: Reference to the ReportBuilder object.
Return type: ReportBuilder

property custom_severity
Returns the custom severity for this report.
Returns: The custom severity for this Report, if it exists.
Return type: ReportSeverity (ReportSeverity)
Raises: InvalidObjectError – If id is missing or this Report is from a Watchlist.

delete()
Deletes this report from the Enterprise EDR server.
Raises: InvalidObjectError – If id is missing, or feed_id is missing and this report is a Feed Report.
Example:
>>> report.delete()

- description = None
- id = None

ignore()
Sets the ignore status on this report.
Raises: InvalidObjectError – If id is missing or feed ID is missing.

property ignored
Returns the ignore status for this report.
Returns: True if this Report is ignored, False otherwise.
Return type: (bool)
Raises: InvalidObjectError – If id is missing or feed ID is missing.
Example:
>>> if report.ignored:
...     report.unignore()

- iocs = {}

property iocs_
Returns a list of IOC_V2’s associated with this report.
Returns: List of IOC_V2’s associated with the Report.
Return type: IOC_V2 ([IOC_V2])
Example:
>>> for ioc in report.iocs_:
...     print(ioc.values)

- iocs_v2 = []
- link = None
- primary_key = 'id'

remove_iocs(iocs)
Remove a list of IOCs from this Report.
Parameters: iocs (list[IOC_V2]) – List of IOCs to be removed.

remove_iocs_by_id(ids_list)
Remove IOCs from this report by specifying their IDs.
Parameters: ids_list (list[str]) – List of IDs of the IOCs to be removed.

save_watchlist()
Saves this report as a watchlist report.
Note: This method cannot be used to save a feed report. To save feed reports, create them with cb.create and use Feed.replace. This method cannot be used to save a report that is already part of a watchlist. Use the update() method instead.
Raises: InvalidObjectError – If Report.validate() fails.

- severity = None
- timestamp = None
- title = None

unignore()
Removes the ignore status on this report.
Raises: InvalidObjectError – If id is missing or feed ID is missing.

update(**kwargs)
Update this Report with the given arguments.
Parameters: **kwargs (dict(str, str)) – The Report fields to update.
Returns: The updated Report.
Return type: Report (Report)
Raises: InvalidObjectError – If id is missing, or feed_id is missing and this report is a Feed Report, or Report.validate() fails.
Note: The report’s timestamp is always updated, regardless of whether it is passed explicitly.
Example:
>>> report.update(title="My new report title")

- urlobject = '/threathunter/feedmgr/v2/orgs/{}/feeds/{}/reports'
- urlobject_single = '/threathunter/watchlistmgr/v3/orgs/{}/reports/{}'

validate()
Checks to ensure this report contains valid data.
Raises: InvalidObjectError – If the report contains invalid data.

- visibility = None
class ReportQuery(doc_class, cb)
Bases: cbc_sdk.base.SimpleQuery

Represents the logic for a Report query.

Example:
>>> cb.select(Report).where(feed_id=id)
>>> cb.select(Report, id)
>>> cb.select(Report, id, from_watchlist=True)

Initialize the ReportQuery object.

Parameters:
- doc_class (class) – The class of the model this query returns.
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.

property results
Return a list of Report objects.

where(**kwargs)
Add kwargs to the self._args dictionary.
class ReportSeverity(cb, initial_data=None)
Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents severity information for a Watchlist Report.

Parameters:
- report_id – The unique ID for the corresponding report.
- severity – The severity level.

Initialize the ReportSeverity object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- initial_data (dict) – The initial data for the object.

Attributes:
- primary_key = 'report_id'
- report_id = None
- severity = None
class Watchlist(cb, model_unique_id=None, initial_data=None)
Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents an Enterprise EDR watchlist.

Parameters:
- name – A human-friendly name for the watchlist.
- description – A short description of the watchlist.
- id – The watchlist’s unique id.
- tags_enabled – Whether tags are currently enabled.
- alerts_enabled – Whether alerts are currently enabled.
- create_timestamp – When this watchlist was created.
- last_update_timestamp – Report IDs associated with this watchlist.
- report_ids – Report IDs associated with this watchlist.
- classifier – A key, value pair specifying an associated feed.

Initialize the Watchlist object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (str) – The unique ID of the watch list.
- initial_data (dict) – The initial data for the object.
class Watchlist.WatchlistBuilder(cb, name)
Bases: object

Helper class allowing Watchlists to be assembled.

Creates a new WatchlistBuilder object.

Parameters:
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- name (str) – Name for the new watchlist.

add_report_ids(report_ids)
Adds report IDs to the watchlist.
Parameters: report_ids (list[str]) – List of report IDs to add to the watchlist.
Returns: This object.
Return type: WatchlistBuilder

add_reports(reports)
Adds reports to the watchlist.
Parameters: reports (list[Report]) – List of reports to be added to the watchlist.
Returns: This object.
Return type: WatchlistBuilder

build()
Builds the new Watchlist using information in the builder. The new watchlist must still be saved.
Returns: The new Watchlist.
Return type: Watchlist

set_alerts_enabled(flag)
Sets whether alerts will be enabled on the new watchlist.
Parameters: flag (bool) – True to enable alerts, False to disable them. Default is False.
Returns: This object.
Return type: WatchlistBuilder

set_description(description)
Sets the description for the new watchlist.
Parameters: description (str) – New description for the watchlist.
Returns: This object.
Return type: WatchlistBuilder

set_name(name)
Sets the name for the new watchlist.
Parameters: name (str) – New name for the watchlist.
Returns: This object.
Return type: WatchlistBuilder

Sets whether tags will be enabled on the new watchlist.
Parameters: flag (bool) – True to enable tags, False to disable them. Default is True.
Returns: This object.
Return type: WatchlistBuilder
-
add_report_ids
(report_ids)¶ Adds new report IDs to the watchlist.
Parameters: report_ids (list[str]) – List of report IDs to be added to the watchlist.
-
add_reports
(reports)¶ Adds new reports to the watchlist.
Parameters: reports (list[Report]) – List of reports to be added to the watchlist.
-
alerts_enabled
= None¶
-
classifier
= {}¶
-
classifier_
¶ Returns the classifier key and value, if any, for this watchlist.
Returns: Watchlist’s classifier key and value. None: If there is no classifier key and value. Return type: tuple(str, str)
-
classmethod
create
(cb, name)¶ Starts creating a new Watchlist by returning a WatchlistBuilder that can be used to set attributes.
Parameters: - cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- name (str) – Name for the new watchlist.
Returns: The builder for the new watchlist. Call build() to create the actual Watchlist.
Return type:
-
classmethod
create_from_feed
(feed, name=None, description=None, enable_alerts=False, enable_tags=True)¶ Creates a new Watchlist that encapsulates a Feed.
Parameters: - feed (Feed) – The feed to be encapsulated by this Watchlist.
- name (str) – Name for the new watchlist. The default is to use the Feed name.
- description (str) – Description for the new watchlist. The default is to use the Feed summary.
- enable_alerts (bool) –
- enable_tags (bool) –
Returns: A new Watchlist object, which must be saved to the server.
Return type:
-
create_timestamp
= None¶
-
delete
()¶ Deletes this watchlist from the Enterprise EDR server.
Raises: InvalidObjectError
– If id is missing.
-
description
= None¶
-
disable_alerts
()¶ Disable alerts for this watchlist.
Raises: InvalidObjectError
– If id is missing.
Disable tagging for this watchlist.
Raises: InvalidObjectError
– if id is missing.
-
enable_alerts
()¶ Enable alerts for this watchlist. Alerts are not retroactive.
Raises: InvalidObjectError
– If id is missing.
Enable tagging for this watchlist.
Raises: InvalidObjectError
– If id is missing.
-
feed
¶ Returns the Feed linked to this Watchlist, if there is one.
-
id
= None¶
-
last_update_timestamp
= None¶
-
name
= None¶
-
report_ids
= []¶
-
reports
¶ Returns a list of Report objects associated with this watchlist.
Returns: List of Reports associated with the watchlist. Return type: Reports ([Report])
Note
If this Watchlist is a classifier (i.e. feed-linked) Watchlist, reports will be empty. To get the reports associated with the linked Feed, use feed like:
>>> for report in watchlist.feed.reports: ... print(report.title)
-
save
()¶ Saves this watchlist on the Enterprise EDR server.
Returns: The saved Watchlist. Return type: Watchlist (Watchlist) Raises: InvalidObjectError
– If Watchlist.validate() fails.
-
update
(**kwargs)¶ Updates this watchlist with the given arguments.
Parameters: **kwargs (dict(str, str)) – The fields to update.
Raises: InvalidObjectError
– If id is missing or Watchlist.validate() fails.
ApiError
– If report_ids is given and is empty.
Example
>>> watchlist.update(name="New Name")
-
urlobject
= '/threathunter/watchlistmgr/v3/orgs/{}/watchlists'¶
-
urlobject_single
= '/threathunter/watchlistmgr/v3/orgs/{}/watchlists/{}'¶
-
validate
()¶ Checks to ensure this watchlist contains valid data.
Raises: InvalidObjectError
– If the watchlist contains invalid data.
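The builder and Watchlist methods above, put together as an added example (not code from the cbc_sdk project or its documentation): the specification is checked client-side before any API call, then the watchlist is built and saved, and the create_from_feed path is shown beside it. The builder's set_alerts_enabled / set_tags_enabled method names are taken from the SDK rather than shown in full on this page; the report-ID pattern, the `cb` connection object, the feed ID and the report ID are assumptions.

```python
"""Create a Watchlist with the WatchlistBuilder / Watchlist API.

Added example, not part of the cbc_sdk project. cbc_sdk is imported lazily
inside the functions that need it, so validate_watchlist_spec() runs without
the SDK installed or a Carbon Black Cloud connection.
"""
import re

# Assumed shape for a report ID, used only as a sanity check: a printable
# token with no whitespace. Adjust to what your feeds actually issue.
_REPORT_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]*$")


def validate_watchlist_spec(name, description, report_ids):
    """Fail fast on a specification the server would reject.

    The reference documents that update() raises ApiError when report_ids is
    given but empty, and that save() raises InvalidObjectError when
    Watchlist.validate() fails; checking here avoids a half-built watchlist.
    Returns the report IDs de-duplicated, in their original order.
    """
    if not isinstance(name, str) or not name.strip():
        raise ValueError("watchlist name must be a non-empty string")
    if description is not None and not isinstance(description, str):
        raise ValueError("description must be a string or None")
    if not isinstance(report_ids, (list, tuple)):
        raise ValueError("report_ids must be a list of strings")
    seen, cleaned = set(), []
    for rid in report_ids:
        if not isinstance(rid, str) or not _REPORT_ID_RE.match(rid):
            raise ValueError(f"invalid report id: {rid!r}")
        if rid not in seen:
            seen.add(rid)
            cleaned.append(rid)
    if not cleaned:
        raise ValueError("report_ids must not be empty")
    return cleaned


def spec_is_valid(name, description, report_ids):
    """True if validate_watchlist_spec() accepts the specification."""
    try:
        validate_watchlist_spec(name, description, report_ids)
        return True
    except ValueError:
        return False


def create_watchlist(cb, name, description, report_ids, alerts=False, tags=True):
    """Build and save a report-backed watchlist; cb is a live CBCloudAPI."""
    from cbc_sdk.enterprise_edr.threat_intelligence import Watchlist  # requires cbc_sdk

    ids = validate_watchlist_spec(name, description, report_ids)
    builder = Watchlist.create(cb, name)
    builder.set_description(description or "")
    builder.set_alerts_enabled(alerts)   # alerts only fire for future hits
    builder.set_tags_enabled(tags)
    builder.add_report_ids(ids)
    watchlist = builder.build()          # a Watchlist not yet on the server
    return watchlist.save()              # runs validate(); returns saved object


def create_feed_watchlist(cb, feed_id, alerts=True):
    """Wrap an existing Feed in a classifier watchlist; reports stay on the Feed."""
    from cbc_sdk.enterprise_edr.threat_intelligence import Feed, Watchlist  # requires cbc_sdk

    feed = cb.select(Feed, feed_id)
    watchlist = Watchlist.create_from_feed(feed, enable_alerts=alerts)
    saved = watchlist.save()
    # saved.reports is empty for a feed-linked watchlist; read the Feed instead.
    return saved, [r.title for r in saved.feed.reports]


if __name__ == "__main__":
    from cbc_sdk import CBCloudAPI  # requires cbc_sdk and a configured profile

    cb = CBCloudAPI(profile="example_profile")
    wl = create_watchlist(cb, "Suspicious auth activity", "Added example",
                          ["example-report-id"], alerts=True)  # placeholder report id
    print(wl.id, wl.name, wl.alerts_enabled)
```

Because enable_alerts() is documented as not retroactive, decide at creation time whether the watchlist should alert; turning alerts on later covers only hits that occur after the change. Validation runs inside save(), so a watchlist that reaches the server has already passed Watchlist.validate().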
-
class
WatchlistQuery
(doc_class, cb)¶ Bases:
cbc_sdk.base.SimpleQuery
Represents the logic for a Watchlist query.
>>> cb.select(Watchlist)
Initialize the WatchlistQuery object.
Parameters: - doc_class (class) – The class of the model this query returns.
- cb (CBCloudAPI) – A reference to the CBCloudAPI object.
-
results
¶ Return a list of all Watchlist objects.
-
log
= <Logger cbc_sdk.enterprise_edr.threat_intelligence (WARNING)>¶
Models
cbc_sdk.enterprise_edr.ubs module¶
Model Classes for Enterprise Endpoint Detection and Response
-
class
Binary
(cb, model_unique_id)¶ Bases:
cbc_sdk.base.UnrefreshableModel
Represents a retrievable binary.
Parameters: - sha256 – The SHA-256 hash of the file
- md5 – The MD5 hash of the file
- file_available – If true, the file is available for download
- available_file_size – The size of the file available for download
- file_size – The size of the actual file (represented by the hash)
- os_type – The OS that this file is designed for
- architecture – The set of architectures that this file was compiled for
- lang_id – The Language ID value for the Windows VERSIONINFO resource
- charset_id – The Character set ID value for the Windows VERSIONINFO resource
- internal_name – The internal name from FileVersionInformation
- product_name – The product name from FileVersionInformation
- company_name – The company name from FileVersionInformation
- trademark – The trademark from FileVersionInformation
- file_description – The file description from FileVersionInformation
- file_version – The file version from FileVersionInformation
- comments – Comments from FileVersionInformation
- original_filename – The original filename from FileVersionInformation
- product_description – The product description from FileVersionInformation
- product_version – The product version from FileVersionInformation
- private_build – The private build from FileVersionInformation
- special_build – The special build from FileVersionInformation
Initialize the Binary object.
Parameters: - cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (str) – The SHA-256 of the binary being retrieved.
-
class
Summary
(cb, model_unique_id)¶ Bases:
cbc_sdk.base.UnrefreshableModel
Represents a summary of organization-specific information for a retrievable binary.
Initialize the Summary object.
Parameters: - cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- model_unique_id (str) – The SHA-256 of the binary being retrieved.
-
primary_key
= 'sha256'¶
-
urlobject_single
= '/ubs/v1/orgs/{}/sha256/{}/summary/device'¶
-
architecture
= []¶
-
available_file_size
= None¶
-
charset_id
= None¶
-
comments
= None¶
-
company_name
= None¶
-
download_url
(expiration_seconds=3600)¶ Returns a URL that can be used to download the file for this binary. Returns None if no download found.
Parameters: expiration_seconds (int) – How long the download should be valid for. Returns: A pre-signed AWS download URL. None: If no download is found. Return type: URL (str) Raises: InvalidObjectError
– If the URL retrieval should be retried.
-
file_available
= None¶
-
file_description
= None¶
-
file_size
= None¶
-
file_version
= None¶
-
internal_name
= None¶
-
lang_id
= None¶
-
md5
= None¶
-
original_filename
= None¶
-
os_type
= None¶
-
primary_key
= 'sha256'¶
-
private_build
= None¶
-
product_description
= None¶
-
product_name
= None¶
-
product_version
= None¶
-
sha256
= None¶
-
special_build
= None¶
-
summary
¶ Returns organization-specific information about this binary.
-
trademark
= None¶
-
urlobject_single
= '/ubs/v1/orgs/{}/sha256/{}/metadata'¶
-
class
Downloads
(cb, shas, expiration_seconds=3600)¶ Bases:
cbc_sdk.base.UnrefreshableModel
Represents download information for a list of process hashes.
Initialize the Downloads object.
Parameters: - cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- shas (list) – A list of SHA hash values for binaries.
- expiration_seconds (int) – Number of seconds until this request expires.
-
class
FoundItem
(cb, item)¶ Bases:
cbc_sdk.base.UnrefreshableModel
Represents the download URL and process hash for a successfully located binary.
Initialize the FoundItem object.
Parameters: - cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- item (dict) – The values for a successfully-retrieved item.
-
primary_key
= 'sha256'¶
-
found
¶ Returns a list of Downloads.FoundItem, one for each binary found in the binary store.
-
urlobject
= '/ubs/v1/orgs/{}/file/_download'¶
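The Binary, Summary and Downloads classes above, used together for sample triage, as an added example that is not code from the cbc_sdk project or its documentation: SHA-256 hygiene before anything is sent to UBS, the documented retry on download_url(), bulk retrieval through Downloads.found, and verification of every file against the hash it was requested by. The `url` attribute on FoundItem and the `cb` connection object are assumptions (the page states only that FoundItem carries the download URL and the hash); the sample hashes in the test are constructed.

```python
"""Pull metadata and file content from the Unified Binary Store for triage.

Added example, not part of the cbc_sdk project. cbc_sdk and requests are
imported lazily, so the hash-hygiene helpers run without either installed.
"""
import hashlib
import os
import re
import time

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256_list(hashes):
    """Split raw hash strings into (accepted, rejected).

    UBS is keyed by SHA-256 (primary_key = 'sha256'), so anything else, such as
    an MD5 copied from a report, is rejected rather than sent. Accepted values
    are lower-cased and de-duplicated, preserving first-seen order.
    """
    seen, accepted, rejected = set(), [], []
    for raw in hashes:
        h = str(raw).strip().lower()
        if not _SHA256_RE.match(h):
            rejected.append(raw)
        elif h not in seen:
            seen.add(h)
            accepted.append(h)
    return accepted, rejected


def sha256_matches(data, expected_sha256):
    """True if the downloaded bytes hash to the SHA-256 we asked for."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


def binary_triage_record(cb, sha256):
    """Collect the metadata fields documented above into one dict for a note."""
    from cbc_sdk.enterprise_edr.ubs import Binary      # requires cbc_sdk

    b = cb.select(Binary, sha256)
    return {k: getattr(b, k, None) for k in (
        "sha256", "md5", "file_size", "file_available", "os_type", "architecture",
        "original_filename", "internal_name", "product_name", "company_name",
        "file_version")}


def get_download_url(cb, sha256, attempts=3, expiration_seconds=600):
    """Fetch a short-lived pre-signed URL for one binary.

    download_url() raises InvalidObjectError when the retrieval should be
    retried and returns None when there is nothing to download, so retry
    with back-off and pass None through.
    """
    from cbc_sdk.enterprise_edr.ubs import Binary      # requires cbc_sdk
    from cbc_sdk.errors import InvalidObjectError

    binary = cb.select(Binary, sha256)
    for attempt in range(attempts):
        try:
            return binary.download_url(expiration_seconds=expiration_seconds)
        except InvalidObjectError:
            time.sleep(2 ** attempt)
    return None


def download_binaries(cb, hashes, dest_dir, expiration_seconds=600):
    """Bulk-download binaries, verifying each file against its hash.

    Files are written as <sha256>.bin, owner-readable only and never
    executable; names from FileVersionInformation are metadata, not paths.
    Returns (written_paths, rejected_inputs, accepted_but_not_found).
    FoundItem.url is an assumed attribute; FoundItem.sha256 is its primary key.
    """
    from cbc_sdk.enterprise_edr.ubs import Downloads   # requires cbc_sdk
    import requests

    accepted, rejected = normalize_sha256_list(hashes)
    os.makedirs(dest_dir, exist_ok=True)
    found_items = list(Downloads(cb, accepted, expiration_seconds).found)
    written = []
    for item in found_items:
        resp = requests.get(item.url, timeout=60)
        resp.raise_for_status()
        if not sha256_matches(resp.content, item.sha256):
            raise ValueError(f"hash mismatch for {item.sha256}; file discarded")
        path = os.path.join(dest_dir, f"{item.sha256}.bin")
        with open(path, "wb") as fh:
            fh.write(resp.content)
        os.chmod(path, 0o600)
        written.append(path)
    missing = sorted(set(accepted) - {i.sha256 for i in found_items})
    return written, rejected, missing
```

A short expiration_seconds keeps the pre-signed URL from outliving the job that requested it; the hash check after download is what ties the bytes on disk back to the indicator that was queried, regardless of what the storage layer served.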