Enterprise EDR¶

Submodules¶

cbc_sdk.enterprise_edr.auth_events module¶

Model and Query Classes for Auth Events

class AuthEvent(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Bases: cbc_sdk.base.NewBaseModel

Represents an AuthEvent

Initialize the AuthEvent object.

Required RBAC Permissions:: org.search.events (CREATE, READ)

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (Any) – The unique ID for this particular instance of the model object. initial_data (dict) – The data to use when initializing the model object. force_init (bool) – True to force object initialization. full_doc (bool) – False to mark the object as not fully initialized.

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where("auth_username:SYSTEM")
>>> print(*events)

auth_domain_name = None¶

auth_event_action = None¶

auth_remote_device = None¶

auth_remote_port = None¶

auth_username = None¶

backend_timestamp = None¶

static bulk_get_details(cb, alert_id=None, event_ids=None, timeout=0)¶

Bulk get details

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. alert_id (str) – An alert id to fetch associated events event_ids (list) – A list of event ids to fetch timeout (int) – AuthEvent details request timeout in milliseconds.
Returns:	list of Auth Events
Return type:	list

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> bulk_details = AuthEvent.bulk_get_details(cb, event_ids=['example-value'])
>>> print(bulk_details)

Raises:	`ApiError` – if cb is not instance of CBCloudAPI

childproc_count = None¶

crossproc_count = None¶

device_group_id = None¶

device_id = None¶

device_name = None¶

device_policy_id = None¶

device_timestamp = None¶

event_id = None¶

filemod_count = None¶

static get_auth_events_descriptions(cb)¶

Returns descriptions and status messages of Auth Events.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object.
Returns:	Descriptions and status messages of Auth Events as dict objects.
Return type:	dict
Raises:	`ApiError` – if cb is not instance of CBCloudAPI

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> descriptions = AuthEvent.get_auth_events_descriptions(cb)
>>> print(descriptions)

get_details(timeout=0, async_mode=False)¶

Requests detailed results.

Parameters:	timeout (int) – AuthEvent details request timeout in milliseconds. async_mode (bool) – True to request details in an asynchronous manner.
Returns:	Auth Events object enriched with the details fields
Return type:	AuthEvent

Note

When using asynchronous mode, this method returns a python future. You can call result() on the future object to wait for completion and get the results.

Examples

>>> cb = CBCloudAPI(profile="example_profile")

>>> events = cb.select(AuthEvent).where(process_pid=2000)
>>> print(events[0].get_details())

ingress_time = None¶

modload_count = None¶

netconn_count = None¶

org_id = None¶

parent_guid = None¶

parent_pid = None¶

primary_key = 'event_id'¶

process_guid = None¶

process_hash = []¶

process_name = None¶

process_pid = []¶

process_username = []¶

regmod_count = None¶

scriptload_count = None¶

static search_suggestions(cb, query, count=None)¶

Returns suggestions for keys and field values that can be used in a search.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. query (str) – A search query to use. count (int) – (optional) Number of suggestions to be returned
Returns:	A list of search suggestions expressed as dict objects.
Return type:	list
Raises:	`ApiError` – if cb is not instance of CBCloudAPI

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> suggestions = AuthEvent.search_suggestions(cb, 'auth')
>>> print(suggestions)

validation_url = '/api/investigate/v2/orgs/{}/auth_events/search_validation'¶

windows_event_id = None¶

class AuthEventFacet(cb, model_unique_id, initial_data)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents an AuthEvent facet retrieved.

Example:

>>> cb = CBCloudAPI(profile="example_profile")
>>> events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
>>> print(events_facet.results)

Parameters:	terms – Contains the Auth Event Facet search results ranges – Groupings for search result properties that are ISO 8601 timestamps or numbers contacted – The number of searchers contacted for this query completed – The number of searchers that have reported their results

Initialize the Terms object with initial data.

class Ranges(cb, initial_data)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents the range (bucketed) facet fields and values associated with an AuthEvent Facet query.

Initialize an AuthEventFacet Ranges object with initial_data.

facets¶: Returns the reified AuthEventFacet.Terms._facets for this result.

fields¶: Returns the ranges fields for this result.

class Terms(cb, initial_data)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents the facet fields and values associated with an AuthEvent Facet query.

Initialize an AuthEventFacet Terms object with initial_data.

facets¶: Returns the terms’ facets for this result.

fields¶: Returns the terms facets’ fields for this result.

completed = None¶

contacted = None¶

num_found = None¶

primary_key = 'job_id'¶

ranges = []¶

ranges_¶: Returns the reified AuthEventFacet.Ranges for this result.

result_url = '/api/investigate/v2/orgs/{}/auth_events/facet_jobs/{}/results'¶

submit_url = '/api/investigate/v2/orgs/{}/auth_events/facet_jobs'¶

terms = []¶

terms_¶: Returns the reified AuthEventFacet.Terms for this result.

class AuthEventGroup(cb, initial_data=None)¶

Bases: object

Represents AuthEventGroup

Initialize AuthEventGroup object

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. initial_data (dict) – The data to use when initializing the model object.

Notes

The constructed object will have the following data: - group_start_timestamp - group_end_timestamp - group_key - group_value

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
>>> for group in groups:
>>>     print(group._info)

class AuthEventQuery(doc_class, cb)¶

Bases: cbc_sdk.base.Query

Represents the query logic for an AuthEvent query.

This class specializes Query to handle the particulars of Auth Events querying.

Initialize the AuthEventQuery object.

Parameters:	doc_class (class) – The class of the model this query returns. cb (CBCloudAPI) – A reference to the CBCloudAPI object.

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where("auth_username:SYSTEM")
>>> print(*events)

VALID_GROUP_FIELDS = ('auth_domain_name', 'auth_event_action', 'auth_remote_port', 'auth_username', 'backend_timestamp', 'childproc_count', 'crossproc_count', 'device_group_id', 'device_id', 'device_name', 'device_policy_id', 'device_timestamp', 'event_id', 'filemod_count', 'ingress_time', 'modload_count', 'netconn_count', 'org_id', 'parent_guid', 'parent_pid', 'process_guid', 'process_hash', 'process_name', 'process_pid', 'process_username', 'regmod_count', 'scriptload_count', 'windows_event_id')¶

group_results(fields, max_events_per_group=None, rows=500, start=None, range_duration=None, range_field=None, range_method=None)¶

Get group results grouped by provided fields.

Parameters:	fields (str / list) – field or fields by which to perform the grouping max_events_per_group (int) – Maximum number of events in a group, if not provided all events will be returned rows (int) – Number of rows to request, can be paginated start (int) – First row to use for pagination ranges (dict) – dict with information about duration, field, method
Returns:	grouped results
Return type:	dict

Examples

>>> cb = CBCloudAPI(profile="example_profile")
>>> groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
>>> for group in groups:
>>>     print(group._info)

or_(**kwargs)¶

or_() criteria are explicitly provided to AuthEvent queries.

This method overrides the base class in order to provide or_() functionality rather than raising an exception.

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").or_(process_name="firefox.exe")
>>> print(*events)

set_rows(rows)¶

Sets the ‘rows’ query body parameter to the ‘start search’ API call, determining how many rows to request.

Parameters:	rows (int) – How many rows to request.
Returns:	AuthEventQuery object
Return type:	Query

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").set_rows(5)
>>> print(*events)

timeout(msecs)¶

Sets the timeout on a Auth Event query.

Parameters:	msecs (int) – Timeout duration, in milliseconds.
Returns:	The Query object with new milliseconds parameter.
Return type:	Query (AuthEventQuery)

Example

>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").timeout(5000)
>>> print(*events)

cbc_sdk.enterprise_edr.threat_intelligence module¶

Model Classes for Enterprise Endpoint Detection and Response

class Feed(cb, model_unique_id=None, initial_data=None)¶

Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents an Enterprise EDR feed’s metadata.

Parameters:	name – A human-friendly name for this feed owner – The feed owner’s connector ID provider_url – A URL supplied by the feed’s provider summary – A human-friendly summary for the feed category – The feed’s category source_label – The feed’s source label access – The feed’s access (public or private) id – The feed’s unique ID

Initialize the Feed object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (str) – The unique ID of the feed. initial_data (dict) – The initial data for the object.

class FeedBuilder(cb, info)¶

Bases: object

Helper class allowing Feeds to be assembled.

Creates a new FeedBuilder object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. info (dict) – The initial information for the new feed.

add_reports(reports)¶

Adds new reports to the new feed.

Parameters:	reports (list[Report]) – New reports to be added to the feed.
Returns:	This object.
Return type:	FeedBuilder

build()¶

Builds the new Feed.

Returns:	The new Feed.
Return type:	Feed

set_alertable(alertable)¶

Sets the alertable for the new feed. Defaults to true if not specified.

Parameters:	alertable (bool) – Indicator whether the feed supports alerting.
Returns:	This object.
Return type:	FeedBuilder

set_category(category)¶

Sets the category for the new feed.

Parameters:	category (str) – New category for the feed.
Returns:	This object.
Return type:	FeedBuilder

set_name(name)¶

Sets the name for the new feed.

Parameters:	name (str) – New name for the feed.
Returns:	This object.
Return type:	FeedBuilder

set_provider_url(provider_url)¶

Sets the provider URL for the new feed.

Parameters:	provider_url (str) – New provider URL for the feed.
Returns:	This object.
Return type:	FeedBuilder

set_source_label(source_label)¶

Sets the source label for the new feed.

Parameters:	source_label (str) – New source label for the feed.
Returns:	This object.
Return type:	FeedBuilder

set_summary(summary)¶

Sets the summary for the new feed.

Parameters:	summary (str) – New summary for the feed.
Returns:	This object.
Return type:	FeedBuilder

access = None¶

append_reports(reports)¶

Append the given Reports to this Feed’s current Reports.

Parameters:	reports ([Report]) – List of Reports to append to Feed.
Raises:	`InvalidObjectError` – If id is missing.

append_reports_rawdata(report_data)¶

Append the given report data, formatted as per the API documentation for reports, to this Feed’s Reports.

Parameters:	report_data (list[dict]) –
Raises:	`InvalidObjectError` – If id is missing or validation of the data fails.

category = None¶

classmethod create(cb, name, provider_url, summary, category, alertable=True)¶

Begins creating a new feed by making a FeedBuilder to hold the new feed data.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. name (str) – Name for the new feed. provider_url (str) – Provider URL for the new feed. summary (str) – Summary for the new feed. category (str) – Category for the new feed.
Returns:	The new FeedBuilder object to be used to create the feed.
Return type:	FeedBuilder

delete()¶

Deletes this feed from the Enterprise EDR server.

Raises:	`InvalidObjectError` – If id is missing.

id = None¶

name = None¶

owner = None¶

primary_key = 'id'¶

provider_url = None¶

replace_reports(reports)¶

Replace this Feed’s Reports with the given Reports.

Parameters:	reports ([Report]) – List of Reports to replace existing Reports with.
Raises:	`InvalidObjectError` – If id is missing.

replace_reports_rawdata(report_data)¶

Replace this Feed’s Reports with the given reports, specified as raw data.

Parameters:	report_data (list[dict]) –
Raises:	`InvalidObjectError` – If id is missing or validation of the data fails.

reports¶

Returns a list of Reports associated with this feed.

Returns:	List of Reports in this Feed.
Return type:	Reports ([Report])

save(public=False)¶

Saves this feed on the Enterprise EDR server.

Parameters:	public (bool) – Whether to make the feed publicly available.
Returns:	The saved Feed.
Return type:	Feed (Feed)

source_label = None¶

summary = None¶

update(**kwargs)¶

Update this feed’s metadata with the given arguments.

Parameters:	*kwargs (dict(str, str*)) – The fields to update.
Raises:	`InvalidObjectError` – If id is missing or Feed.validate() fails. `ApiError` – If an invalid field is specified.

Example

>>> feed.update(access="private")

urlobject = '/threathunter/feedmgr/v2/orgs/{}/feeds'¶

urlobject_single = '/threathunter/feedmgr/v2/orgs/{}/feeds/{}'¶

validate()¶

Checks to ensure this feed contains valid data.

Raises:	`InvalidObjectError` – If the feed contains invalid data.

class FeedModel(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Bases: cbc_sdk.base.UnrefreshableModel, cbc_sdk.base.CreatableModelMixin, cbc_sdk.base.MutableBaseModel

A common base class for models used by the Feed and Watchlist APIs.

Initialize the NewBaseModel object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (Any) – The unique ID for this particular instance of the model object. initial_data (dict) – The data to use when initializing the model object. force_init (bool) – True to force object initialization. full_doc (bool) – True to mark the object as fully initialized.

SCHEMA_IOCV2 = Schema({'id': And(And(<class 'str'>), <built-in function len>), 'match_type': And(And(<class 'str'>), And(<function FeedModel.<lambda>>)), 'values': And(And(<class 'list'>), [And(<class 'str'>)], <built-in function len>), Optional('field'): And(<class 'str'>), Optional('link'): And(<class 'str'>)})¶

SCHEMA_REPORT = Schema({'id': And(And(<class 'str'>), <built-in function len>), 'timestamp': And(And(<class 'int'>), And(<function FeedModel.<lambda>>)), 'title': And(And(<class 'str'>), <built-in function len>), 'description': And(And(<class 'str'>), <built-in function len>), 'severity': And(And(<class 'int'>), And(<function FeedModel.<lambda>>)), Optional('link'): And(<class 'str'>), Optional('tags'): And(And(<class 'list'>), [And(<class 'str'>)]), 'iocs_v2': And(And(<class 'list'>), [Schema({'id': And(And(<class 'str'>), <built-in function len>), 'match_type': And(And(<class 'str'>), And(<function FeedModel.<lambda>>)), 'values': And(And(<class 'list'>), [And(<class 'str'>)], <built-in function len>), Optional('field'): And(<class 'str'>), Optional('link'): And(<class 'str'>)})], And(<built-in function len>)), Optional('visibility'): And(<class 'str'>)})¶

class FeedQuery(doc_class, cb)¶

Bases: cbc_sdk.base.SimpleQuery

Represents the logic for a Feed query.

>>> cb.select(Feed)
>>> cb.select(Feed, id)
>>> cb.select(Feed).where(include_public=True)

Initialize the FeedQuery object.

Parameters:	doc_class (class) – The class of the model this query returns. cb (CBCloudAPI) – A reference to the CBCloudAPI object.

results¶: Return a list of Feed objects matching self._args parameters.

where(**kwargs)¶: Add kwargs to self._args dictionary.

class IOC(cb, model_unique_id=None, initial_data=None, report_id=None)¶

Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents a collection of categorized IOCs. These objects are officially deprecated and replaced by IOC_V2.

Parameters:	md5 – A list of MD5 checksums ipv4 – A list of IPv4 addresses ipv6 – A list of IPv6 addresses dns – A list of domain names query – A list of dicts, each containing an IOC query

Creates a new IOC instance.

Parameters:	cb (BaseAPI) – Reference to API object used to communicate with the server. model_unique_id (str) – Unique ID of this IOC. initial_data (dict) – Initial data used to populate the IOC. report_id (str) – ID of the report this IOC belongs to (if this is a watchlist IOC).
Raises:	`ApiError` – If initial_data is None.

dns = []¶

ipv4 = []¶

ipv6 = []¶

md5 = []¶

query = []¶

validate()¶

Checks to ensure this IOC contains valid data.

Raises:	`InvalidObjectError` – If the IOC contains invalid data.

class IOC_V2(cb, model_unique_id=None, initial_data=None, report_id=None)¶

Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents a collection of IOCs of a particular type, plus matching criteria and metadata.

Parameters:	id – The IOC_V2’s unique ID match_type – How IOCs in this IOC_V2 are matched values – A list of IOCs field – The kind of IOCs contained in this IOC_V2 link – A URL for some reference for this IOC_V2

Creates a new IOC_V2 instance.

Parameters:	cb (BaseAPI) – Reference to API object used to communicate with the server. model_unique_id (Any) – Unused. initial_data (dict) – Initial data used to populate the IOC. report_id (str) – ID of the report this IOC belongs to (if this is a watchlist IOC).
Raises:	`ApiError` – If initial_data is None.

classmethod create_equality(cb, iocid, field, *values)¶

Creates a new “equality” IOC.

Parameters:	cb (BaseAPI) – Reference to API object used to communicate with the server. iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC. field (str) – Name of the field to be matched by this IOC. values (list(str*)) – String values to match against the value of the specified field.
Returns:	New IOC data structure.
Return type:	IOC_V2
Raises:	`ApiError` – If there is not at least one value to match against.

classmethod create_query(cb, iocid, query)¶

Creates a new “query” IOC.

Parameters:	cb (BaseAPI) – Reference to API object used to communicate with the server. iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC. query (str) – Query to be incorporated in this IOC.
Returns:	New IOC data structure.
Return type:	IOC_V2
Raises:	`ApiError` – If the query string is not present.

classmethod create_regex(cb, iocid, field, *values)¶

Creates a new “regex” IOC.

Parameters:	cb (BaseAPI) – Reference to API object used to communicate with the server. iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC. field (str) – Name of the field to be matched by this IOC. values (list(str*)) – Regular expression values to match against the value of the specified field.
Returns:	New IOC data structure.
Return type:	IOC_V2
Raises:	`ApiError` – If there is not at least one regular expression to match against.

field = None¶

id = None¶

ignore()¶

Sets the ignore status on this IOC.

Only watchlist IOCs have an ignore status.

Raises:	`InvalidObjectError` – If id is missing or this IOC is not from a Watchlist.

ignored¶

Returns whether or not this IOC is ignored.

Only watchlist IOCs have an ignore status.

Returns:	True if the IOC is ignored, False otherwise.
Return type:	bool
Raises:	`InvalidObjectError` – If this IOC is missing an id or is not a Watchlist IOC.

Example

>>> if ioc.ignored:
...     ioc.unignore()

classmethod ipv6_equality_format(input)¶

Turns a canonically-formatted IPv6 address into a string suitable for use in an equality IOC.

Parameters:	input (str) – The IPv6 address to be translated.
Returns:	The translated form of IPv6 address.
Return type:	str
Raises:	`ApiError` – If the string is not in valid format.

link = None¶

match_type = None¶

primary_key = 'id'¶

unignore()¶

Removes the ignore status on this IOC.

Only watchlist IOCs have an ignore status.

Raises:	`InvalidObjectError` – If id is missing or this IOC is not from a Watchlist.

validate()¶

Checks to ensure this IOC contains valid FQDN.

Raises:	`InvalidObjectError` – If the IOC contains invalid data.

values = []¶

class Report(cb, model_unique_id=None, initial_data=None, feed_id=None, from_watchlist=False)¶

Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents reports retrieved from an Enterprise EDR feed.

Parameters:

id – The report’s unique ID
timestamp – When this report was created
title – A human-friendly title for this report
description – A human-friendly description for this report
severity – The severity of the IOCs within this report
link – A URL for some reference for this report
tags – A list of tags for this report
iocs_v2 – A list of IOC_V2 dicts associated with this report
visibility – The visibility of this report

Initialize the ReportSeverity object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (str) – The ID of the Report (only works for Reports in Watchlists). initial_data (dict) – The initial data for the object. feed_id (str) – The ID of the feed this report is for. from_watchlist (bool) – If the report is in a watchlist

class ReportBuilder(cb, report_body)¶

Bases: object

Helper class allowing Reports to be assembled.

Initialize a new ReportBuilder.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. report_body (dict) – Partial report body which should be filled in with all “required” fields.

add_ioc(ioc)¶

Adds an IOC to the new report.

Parameters:	ioc (IOC_V2) – The IOC to be added to the report.
Returns:	This object.
Return type:	ReportBuilder

add_tag(tag)¶

Adds a tag value to the new report.

Parameters:	tag (str) – The new tag for the object.
Returns:	This object.
Return type:	ReportBuilder

build()¶

Builds the actual Report from the internal data of the ReportBuilder.

Returns:	The new Report.
Return type:	Report

set_description(description)¶

Set the description for the new report.

Parameters:	description (str) – New description for the report.
Returns:	This object.
Return type:	ReportBuilder

set_link(link)¶

Set the link for the new report.

Parameters:	link (str) – New link for the report.
Returns:	This object.
Return type:	ReportBuilder

set_severity(severity)¶

Set the severity for the new report.

Parameters:	severity (int) – New severity for the report.
Returns:	This object.
Return type:	ReportBuilder

set_timestamp(timestamp)¶

Set the timestamp for the new report.

Parameters:	timestamp (int) – New timestamp for the report.
Returns:	This object.
Return type:	ReportBuilder

set_title(title)¶

Set the title for the new report.

Parameters:	title (str) – New title for the report.
Returns:	This object.
Return type:	ReportBuilder

set_visibility(visibility)¶

Set the visibility for the new report.

Parameters:	visibility (str) – New visibility for the report.
Returns:	This object.
Return type:	ReportBuilder

append_iocs(iocs)¶

Append a list of IOCs to this Report.

Parameters:	iocs (list[IOC_V2]) – List of IOCs to be added.

classmethod create(cb, title, description, severity, timestamp=None, tags=None)¶

Begin creating a new Report by returning a ReportBuilder.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. title (str) – Title for the new report. description (str) – Description for the new report. severity (int) – Severity value for the new report. timestamp (int) – UNIX-epoch timestamp for the new report. If omitted, current time will be used. tags (list[str]) – Tags to be added to the report. If omitted, there will be none.
Returns:	Reference to the ReportBuilder object.
Return type:	ReportBuilder

custom_severity¶

Returns the custom severity for this report.

Returns:	The custom severity for this Report, if it exists.
Return type:	ReportSeverity (ReportSeverity)
Raises:	`InvalidObjectError` – If id ismissing or this Report is from a Watchlist.

delete()¶

Deletes this report from the Enterprise EDR server.

Raises:	`InvalidObjectError` – If id is missing, or feed_id is missing and this report is a Feed Report.

Example

>>> report.delete()

description = None¶

id = None¶

ignore()¶

Sets the ignore status on this report.

Raises:	`InvalidObjectError` – If id is missing or feed ID is missing.

ignored¶

Returns the ignore status for this report.

Returns:	True if this Report is ignored, False otherwise.
Return type:	(bool)
Raises:	`InvalidObjectError` – If id is missing or feed ID is missing.

Example

>>> if report.ignored:
...     report.unignore()

iocs = {}¶

iocs_¶

Returns a list of IOC_V2’s associated with this report.

Returns:	List of IOC_V2’s for associated with the Report.
Return type:	IOC_V2 ([IOC_V2])

Example

>>> for ioc in report.iocs_:
...     print(ioc.values)

iocs_v2 = []¶

link = None¶

primary_key = 'id'¶

remove_iocs(iocs)¶

Remove a list of IOCs from this Report.

Parameters:	iocs (list[IOC_V2]) – List of IOCs to be removed.

remove_iocs_by_id(ids_list)¶

Remove IOCs from this report by specifying their IDs.

Parameters:	ids_list (list[str]) – List of IDs of the IOCs to be removed.

save_watchlist()¶

Saves this report as a watchlist report.

Note

This method cannot be used to save a feed report. To save feed reports, create them with cb.create and use Feed.replace.

This method cannot be used to save a report that is already part of a watchlist. Use the update() method instead.

Raises:	`InvalidObjectError` – If Report.validate() fails.

severity = None¶

tags = []¶

timestamp = None¶

title = None¶

unignore()¶

Removes the ignore status on this report.

Raises:	`InvalidObjectError` – If id is missing or feed ID is missing.

update(**kwargs)¶

Update this Report with the given arguments.

Parameters:	*kwargs (dict(str, str*)) – The Report fields to update.
Returns:	The updated Report.
Return type:	Report (Report)
Raises:	`InvalidObjectError` – If id is missing, or feed_id is missing and this report is a Feed Report, or Report.validate() fails.

Note

The report’s timestamp is always updated, regardless of whether passed explicitly.

>>> report.update(title="My new report title")

urlobject = '/threathunter/feedmgr/v2/orgs/{}/feeds/{}/reports'¶

urlobject_single = '/threathunter/watchlistmgr/v3/orgs/{}/reports/{}'¶

validate()¶

Checks to ensure this report contains valid data.

Raises:	`InvalidObjectError` – If the report contains invalid data.

visibility = None¶

class ReportQuery(doc_class, cb)¶

Bases: cbc_sdk.base.SimpleQuery

Represents the logic for a Report query.

Example

>>> cb.select(Report).where(feed_id=id)
>>> cb.select(Report, id)
>>> cb.select(Report, id, from_watchlist=True)

Initialize the ReportQuery object.

Parameters:	doc_class (class) – The class of the model this query returns. cb (CBCloudAPI) – A reference to the CBCloudAPI object.

results¶: Return a list of Report objects

where(**kwargs)¶: Add kwargs to self._args dictionary.

class ReportSeverity(cb, initial_data=None)¶

Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents severity information for a Watchlist Report.

Parameters:	report_id – The unique ID for the corresponding report severity – The severity level

Initialize the ReportSeverity object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. initial_data (dict) – The initial data for the object.

primary_key = 'report_id'¶

report_id = None¶

severity = None¶

class Watchlist(cb, model_unique_id=None, initial_data=None)¶

Bases: cbc_sdk.enterprise_edr.threat_intelligence.FeedModel

Represents an Enterprise EDR watchlist.

Parameters:

name – A human-friendly name for the watchlist
description – A short description of the watchlist
id – The watchlist’s unique id
tags_enabled – Whether tags are currently enabled
alerts_enabled – Whether alerts are currently enabled
create_timestamp – When this watchlist was created
last_update_timestamp – Report IDs associated with this watchlist
report_ids – Report IDs associated with this watchlist
classifier – A key, value pair specifying an associated feed

Initialize the Watchlist object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (str) – The unique ID of the watch list. initial_data (dict) – The initial data for the object.

class WatchlistBuilder(cb, name)¶

Bases: object

Helper class allowing Watchlists to be assembled.

Creates a new WatchlistBuilder object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. name (str) – Name for the new watchlist.

add_report_ids(report_ids)¶

Adds report IDs to the watchlist.

Parameters:	report_ids (list[str]) – List of report IDs to add to the watchlist.
Returns:	This object.
Return type:	WatchlistBuilder

add_reports(reports)¶

Adds reports to the watchlist.

Parameters:	reports (list[Report]) – List of reports to be added to the watchlist.
Returns:	This object.
Return type:	WatchlistBuilder

build()¶

Builds the new Watchlist using information in the builder. The new watchlist must still be saved.

Returns:	The new Watchlist.
Return type:	Watchlist

set_alerts_enabled(flag)¶

Sets whether alerts will be enabled on the new watchlist.

Parameters:	flag (bool) – True to enable alerts, False to disable them. Default is False.
Returns:	This object.
Return type:	WatchlistBuilder

set_description(description)¶

Sets the description for the new watchlist.

Parameters:	description (str) – New description for the watchlist.
Returns:	This object.
Return type:	WatchlistBuilder

set_name(name)¶

Sets the name for the new watchlist.

Parameters:	name (str) – New name for the watchlist.
Returns:	This object.
Return type:	WatchlistBuilder

set_tags_enabled(flag)¶

Sets whether tags will be enabled on the new watchlist.

Parameters:	flag (bool) – True to enable tags, False to disable them. Default is True.
Returns:	This object.
Return type:	WatchlistBuilder

add_report_ids(report_ids)¶

Adds new report IDs to the watchlist.

Parameters:	report_ids (list[str]) – List of report IDs to be added to the watchlist.

add_reports(reports)¶

Adds new reports to the watchlist.

Parameters:	reports (list[Report]) – List of reports to be added to the watchlist.

alerts_enabled = None¶

classifier = {}¶

classifier_¶

Returns the classifier key and value, if any, for this watchlist.

Returns:	Watchlist’s classifier key and value. None: If there is no classifier key and value.
Return type:	tuple(str, str)

classmethod create(cb, name)¶

Starts creating a new Watchlist by returning a WatchlistBuilder that can be used to set attributes.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. name (str) – Name for the new watchlist.
Returns:	The builder for the new watchlist. Call build() to create the actual Watchlist.
Return type:	WatchlistBuilder

classmethod create_from_feed(feed, name=None, description=None, enable_alerts=False, enable_tags=True)¶

Creates a new Watchlist that encapsulates a Feed.

Parameters:	feed (Feed) – The feed to be encapsulated by this Watchlist. name (str) – Name for the new watchlist. The default is to use the Feed name. description (str) – Description for the new watchlist. The default is to use the Feed summary. enable_alerts (bool) – enable_tags (bool) –
Returns:	A new Watchlist object, which must be saved to the server.
Return type:	Watchlist

create_timestamp = None¶

delete()¶

Deletes this watchlist from the Enterprise EDR server.

Raises:	`InvalidObjectError` – If id is missing.

description = None¶

disable_alerts()¶

Disable alerts for this watchlist.

Raises:	`InvalidObjectError` – If id is missing.

disable_tags()¶

Disable tagging for this watchlist.

Raises:	`InvalidObjectError` – if id is missing.

enable_alerts()¶

Enable alerts for this watchlist. Alerts are not retroactive.

Raises:	`InvalidObjectError` – If id is missing.

enable_tags()¶

Enable tagging for this watchlist.

Raises:	`InvalidObjectError` – If id is missing.

feed¶: Returns the Feed linked to this Watchlist, if there is one.

id = None¶

last_update_timestamp = None¶

name = None¶

report_ids = []¶

reports¶

Returns a list of Report objects associated with this watchlist.

Returns:	List of Reports associated with the watchlist.
Return type:	Reports ([Report])

Note

If this Watchlist is a classifier (i.e. feed-linked) Watchlist, reports will be empty. To get the reports associated with the linked Feed, use feed like:

>>> for report in watchlist.feed.reports:
...     print(report.title)

save()¶

Saves this watchlist on the Enterprise EDR server.

Returns:	The saved Watchlist.
Return type:	Watchlist (Watchlist)
Raises:	`InvalidObjectError` – If Watchlist.validate() fails.

tags_enabled = None¶

update(**kwargs)¶

Updates this watchlist with the given arguments.

Parameters:	*kwargs (dict(str, str*)) – The fields to update.
Raises:	`InvalidObjectError` – If id is missing or Watchlist.validate() fails. `ApiError` – If report_ids is given and is empty.

Example

>>> watchlist.update(name="New Name")

urlobject = '/threathunter/watchlistmgr/v3/orgs/{}/watchlists'¶

urlobject_single = '/threathunter/watchlistmgr/v3/orgs/{}/watchlists/{}'¶

validate()¶

Checks to ensure this watchlist contains valid data.

Raises:	`InvalidObjectError` – If the watchlist contains invalid data.

class WatchlistQuery(doc_class, cb)¶

Bases: cbc_sdk.base.SimpleQuery

Represents the logic for a Watchlist query.

>>> cb.select(Watchlist)

Initialize the WatchlistQuery object.

Parameters:	doc_class (class) – The class of the model this query returns. cb (CBCloudAPI) – A reference to the CBCloudAPI object.

results¶: Return a list of all Watchlist objects.

log = <Logger cbc_sdk.enterprise_edr.threat_intelligence (WARNING)>¶: Models

cbc_sdk.enterprise_edr.ubs module¶

Model Classes for Enterprise Endpoint Detection and Response

class Binary(cb, model_unique_id)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents a retrievable binary.

Parameters:

sha256 – The SHA-256 hash of the file
md5 – The MD5 hash of the file
file_available – If true, the file is available for download
available_file_size – The size of the file available for download
file_size – The size of the actual file (represented by the hash)
os_type – The OS that this file is designed for
architecture – The set of architectures that this file was compiled for
lang_id – The Language ID value for the Windows VERSIONINFO resource
charset_id – The Character set ID value for the Windows VERSIONINFO resource
internal_name – The internal name from FileVersionInformation
product_name – The product name from FileVersionInformation
company_name – The company name from FileVersionInformation
trademark – The trademark from FileVersionInformation
file_description – The file description from FileVersionInformation
file_version – The file version from FileVersionInformation
comments – Comments from FileVersionInformation
original_filename – The original filename from FileVersionInformation
product_description – The product description from FileVersionInformation
product_version – The product version from FileVersionInformation
private_build – The private build from FileVersionInformation
special_build – The special build from FileVersionInformation

Initialize the Binary object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (str) – The SHA-256 of the binary being retrieved.

class Summary(cb, model_unique_id)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents a summary of organization-specific information for a retrievable binary.

Initialize the Summary object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. model_unique_id (str) – The SHA-256 of the binary being retrieved.

primary_key = 'sha256'¶

urlobject_single = '/ubs/v1/orgs/{}/sha256/{}/summary/device'¶

architecture = []¶

available_file_size = None¶

charset_id = None¶

comments = None¶

company_name = None¶

download_url(expiration_seconds=3600)¶

Returns a URL that can be used to download the file for this binary. Returns None if no download found.

Parameters:	expiration_seconds (int) – How long the download should be valid for.
Returns:	A pre-signed AWS download URL. None: If no download is found.
Return type:	URL (str)
Raises:	`InvalidObjectError` – If the URL retrieval should be retried.

file_available = None¶

file_description = None¶

file_size = None¶

file_version = None¶

internal_name = None¶

lang_id = None¶

md5 = None¶

original_filename = None¶

os_type = None¶

primary_key = 'sha256'¶

private_build = None¶

product_description = None¶

product_name = None¶

product_version = None¶

sha256 = None¶

special_build = None¶

summary¶: Returns organization-specific information about this binary.

trademark = None¶

urlobject_single = '/ubs/v1/orgs/{}/sha256/{}/metadata'¶

class Downloads(cb, shas, expiration_seconds=3600)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents download information for a list of process hashes.

Initialize the Downloads object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. shas (list) – A list of SHA hash values for binaries. expiration_seconds (int) – Number of seconds until this request expires.

class FoundItem(cb, item)¶

Bases: cbc_sdk.base.UnrefreshableModel

Represents the download URL and process hash for a successfully located binary.

Initialize the FoundItem object.

Parameters:	cb (CBCloudAPI) – A reference to the CBCloudAPI object. item (dict) – The values for a successfully-retrieved item.

primary_key = 'sha256'¶

found¶: Returns a list of Downloads.FoundItem, one for each binary found in the binary store.

urlobject = '/ubs/v1/orgs/{}/file/_download'¶

Enterprise EDR¶

Submodules¶

cbc_sdk.enterprise_edr.auth_events module¶

cbc_sdk.enterprise_edr.threat_intelligence module¶

cbc_sdk.enterprise_edr.ubs module¶

Module contents¶