Enterprise EDR Package
Auth Events Module
Model and Query Classes for Auth Events
- class AuthEvent(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)
Bases:
NewBaseModel
Represents an AuthEvent
Initialize the AuthEvent object.
- Required RBAC Permissions:
org.search.events (CREATE, READ)
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (Any) – The unique ID for this particular instance of the model object.
initial_data (dict) – The data to use when initializing the model object.
force_init (bool) – True to force object initialization.
full_doc (bool) – True to mark the object as fully initialized; False (the default) if it is not.
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where("auth_username:SYSTEM")
>>> print(*events)
- static bulk_get_details(cb, alert_id=None, event_ids=None, timeout=0)
Bulk get details
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
alert_id (str) – An alert id to fetch associated events
event_ids (list) – A list of event ids to fetch
timeout (int) – AuthEvent details request timeout in milliseconds. This can never be greater than the configured default timeout. If this value is 0, the configured default timeout is used.
- Returns:
list of Auth Events
- Return type:
list
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> bulk_details = AuthEvent.bulk_get_details(cb, event_ids=['example-value'])
>>> print(bulk_details)
- Raises:
ApiError – if cb is not instance of CBCloudAPI
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- static get_auth_events_descriptions(cb)
Returns descriptions and status messages of Auth Events.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- Returns:
Descriptions and status messages of Auth Events as dict objects.
- Return type:
dict
- Raises:
ApiError – if cb is not instance of CBCloudAPI
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> descriptions = AuthEvent.get_auth_events_descriptions(cb)
>>> print(descriptions)
- get_details(timeout=0, async_mode=False)
Requests detailed results.
- Parameters:
timeout (int) – AuthEvent details request timeout in milliseconds. This can never be greater than the configured default timeout. If this is 0, the configured default timeout is used.
async_mode (bool) – True to request details in an asynchronous manner.
- Returns:
AuthEvent object enriched with the details fields
- Return type:
AuthEvent
Note
When using asynchronous mode, this method returns a python future. You can call result() on the future object to wait for completion and get the results.
Examples
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_pid=2000)
>>> print(events[0].get_details())
- refresh()
Reload this object from the server.
- static search_suggestions(cb, query, count=None)
Returns suggestions for keys and field values that can be used in a search.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
query (str) – A search query to use.
count (int) – (optional) Number of suggestions to be returned
- Returns:
A list of search suggestions expressed as dict objects.
- Return type:
list
- Raises:
ApiError – if cb is not instance of CBCloudAPI
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> suggestions = AuthEvent.search_suggestions(cb, 'auth')
>>> print(suggestions)
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- class AuthEventFacet(cb, model_unique_id, initial_data)
Bases:
UnrefreshableModel
Represents an AuthEvent facet retrieved.
- Example:
>>> cb = CBCloudAPI(profile="example_profile")
>>> events_facet = cb.select(AuthEventFacet).where("auth_username:SYSTEM").add_facet_field("process_name")
>>> print(events_facet.results)
- Parameters:
terms – Contains the Auth Event Facet search results
ranges – Groupings for search result properties that are ISO 8601 timestamps or numbers
contacted – The number of searchers contacted for this query
completed – The number of searchers that have reported their results
Initialize the AuthEventFacet object with initial data.
- class Ranges(cb, initial_data)
Bases:
UnrefreshableModel
Represents the range (bucketed) facet fields and values associated with an AuthEvent Facet query.
Initialize an AuthEventFacet Ranges object with initial_data.
- property facets
Returns the ranges’ facets for this result.
- property fields
Returns the ranges fields for this result.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- refresh()
Reload this object from the server.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- class Terms(cb, initial_data)
Bases:
UnrefreshableModel
Represents the facet fields and values associated with an AuthEvent Facet query.
Initialize an AuthEventFacet Terms object with initial_data.
- property facets
Returns the terms’ facets for this result.
- property fields
Returns the terms facets’ fields for this result.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- refresh()
Reload this object from the server.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- property ranges_
Returns the reified AuthEventFacet.Ranges for this result.
- refresh()
Reload this object from the server.
- property terms_
Returns the reified AuthEventFacet.Terms for this result.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- class AuthEventGroup(cb, initial_data=None)
Bases:
object
Represents AuthEventGroup
Initialize AuthEventGroup object
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
initial_data (dict) – The data to use when initializing the model object.
Notes
The constructed object will have the following data:
- group_start_timestamp
- group_end_timestamp
- group_key
- group_value
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
>>> for group in groups:
...     print(group._info)
- class AuthEventQuery(doc_class, cb)
Bases:
Query
Represents the query logic for an AuthEvent query.
This class specializes Query to handle the particulars of Auth Events querying.
Initialize the AuthEventQuery object.
- Parameters:
doc_class (class) – The class of the model this query returns.
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where("auth_username:SYSTEM")
>>> print(*events)
- add_criteria(key, newlist)
Add to the criteria on this query with a custom criteria key.
Will overwrite any existing criteria for the specified key.
- Parameters:
key (str) – The key for the criteria item to be set.
newlist (str or list[str]) – Value or list of values to be set for the criteria item.
- Returns:
The query object with specified custom criteria.
Example
>>> query = api.select(Alert).add_criteria("type", ["CB_ANALYTIC", "WATCHLIST"])
>>> query = api.select(Alert).add_criteria("type", "CB_ANALYTIC")
- add_exclusions(key, newlist)
Add to the exclusions on this query with a custom exclusions key.
Will overwrite any existing exclusion for the specified key.
- Parameters:
key (str) – The key for the exclusion item to be set.
newlist (str or list[str]) – Value or list of values to be set for the exclusion item.
- Returns:
The query object with specified custom exclusion.
Example
>>> query = api.select(Alert).add_exclusions("type", ["WATCHLIST"])
>>> query = api.select(Alert).add_exclusions("type", "WATCHLIST")
- all()
Returns all the items of a query as a list.
- Returns:
List of query items
- Return type:
list
- and_(q=None, **kwargs)
Add a conjunctive filter to this query.
- Parameters:
q (Any) – Query string or solrq.Q object
**kwargs (dict) – Arguments to construct a solrq.Q with
- Returns:
This Query object.
- Return type:
- batch_size(new_batch_size)
Set the batch size of the paginated query.
- Parameters:
new_batch_size (int) – The new batch size.
- Returns:
A new query with the updated batch size.
- Return type:
- execute_async()
Executes the current query in an asynchronous fashion.
- Returns:
A future representing the query and its results.
- Return type:
Future
- first()
Returns the first item that would be returned as the result of a query.
- Returns:
First query item
- Return type:
obj
- group_results(fields, max_events_per_group=None, rows=500, start=None, range_duration=None, range_field=None, range_method=None)
Get group results grouped by provided fields.
- Parameters:
fields (str / list) – field or fields by which to perform the grouping
max_events_per_group (int) – Maximum number of events in a group, if not provided all events will be returned
rows (int) – Number of rows to request, can be paginated
start (int) – First row to use for pagination
range_duration – (optional) Duration to use for range grouping of the results.
range_field – (optional) Field to use for range grouping of the results.
range_method – (optional) Method to use for range grouping of the results.
- Returns:
Grouped results, one AuthEventGroup per distinct value of the grouping field(s).
- Return type:
generator of AuthEventGroup
Examples
>>> cb = CBCloudAPI(profile="example_profile")
>>> groups = set(cb.select(AuthEvent).where(process_pid=2000).group_results("device_name"))
>>> for group in groups:
...     print(group._info)
- not_(q=None, **kwargs)
Adds a negated filter to this query.
- Parameters:
q (solrq.Q) – Query object.
**kwargs (dict) – Arguments to construct a solrq.Q with.
- Returns:
This Query object.
- Return type:
- one()
Returns the only item that would be returned by a query.
- Returns:
Sole query return item
- Return type:
obj
- Raises:
MoreThanOneResultError – If the query returns more than one item
ObjectNotFoundError – If the query returns zero items
- or_(**kwargs)
or_() criteria are explicitly provided to AuthEvent queries. This method overrides the base class in order to provide or_() functionality rather than raising an exception.
- Parameters:
**kwargs (dict) – Arguments to construct a solrq.Q with, joined disjunctively with the existing query.
- Returns:
This Query object.
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").or_(process_name="firefox.exe")
>>> print(*events)
- set_fields(fields)
Sets the fields to be returned with the response.
- Parameters:
fields (str or list[str]) – Field or list of fields to be returned.
- set_rows(rows)
Sets the ‘rows’ query body parameter to the ‘start search’ API call, determining how many rows to request.
- Parameters:
rows (int) – How many rows to request.
- Returns:
AuthEventQuery object
- Return type:
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").set_rows(5)
>>> print(*events)
- set_start(start)
Sets the ‘start’ query body parameter, determining where to begin retrieving results from.
- Parameters:
start (int) – Where to start results from.
- set_time_range(start=None, end=None, window=None)
Sets the ‘time_range’ query body parameter, determining a time window based on ‘device_timestamp’.
- Parameters:
start (str in ISO 8601 timestamp) – When to start the result search.
end (str in ISO 8601 timestamp) – When to end the result search.
window (str) – Time window to execute the result search, ending on the current time. Should be in the form “-2w”, where y=year, w=week, d=day, h=hour, m=minute, s=second.
Note
window will take precedence over start and end if provided.
Examples
>>> query = api.select(Process).set_time_range(start="2020-10-20T20:34:07Z").where("query is required")
>>> second_query = api.select(Process).set_time_range(start="2020-10-20T20:34:07Z", end="2020-10-30T20:34:07Z").where("query is required")
>>> third_query = api.select(Process).set_time_range(window='-3d').where("query is required")
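The following is an added example, not code from cbc_sdk, covering two methods above: it expands the window shorthand that set_time_range() accepts ("-2w", units y/w/d/h/m/s) with the documented precedence (window beats start and end), and it does client-side what group_results() does server-side, producing the four keys that AuthEventGroup carries (group_key, group_value, group_start_timestamp, group_end_timestamp). The unit lengths in UNIT_SECONDS (the page does not say how the server measures a year), the extra "total_events" and "results" keys on each group, the records in SAMPLE_EVENTS (constructed, not tenant data) and the import path used by fetch_events() are assumptions. Only fetch_events() talks to a tenant; everything else runs offline.

```python
"""Resolve a set_time_range() window and group auth events client-side.

Added example, not cbc_sdk code. Assumptions: UNIT_SECONDS, the extra
"total_events"/"results" group keys, the constructed SAMPLE_EVENTS and
the cbc_sdk.enterprise_edr import path used by fetch_events().
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400,
                "w": 7 * 86400, "y": 365 * 86400}   # assumed unit lengths
WINDOW_RE = re.compile(r"^-(\d+)([ywdhms])$")
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_iso(value):
    """Parse the timestamp form used on this page ('2020-10-20T20:34:07Z') as UTC."""
    return datetime.strptime(value, ISO_FMT).replace(tzinfo=timezone.utc)


def resolve_time_range(start=None, end=None, window=None, now=None):
    """Return the (start, end) ISO strings a query with these arguments covers."""
    now = now or datetime.now(timezone.utc)
    if window is not None:                       # window wins over start/end
        m = WINDOW_RE.match(window)
        if not m or int(m.group(1)) == 0:
            raise ValueError(f"window {window!r} must look like '-2w'")
        delta = timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
        return (now - delta).strftime(ISO_FMT), now.strftime(ISO_FMT)
    if start is None and end is None:
        raise ValueError("give start, end or window")
    for bound in (start, end):                   # reject malformed timestamps early
        if bound is not None:
            parse_iso(bound)
    if start and end and parse_iso(start) > parse_iso(end):
        raise ValueError("start is after end")
    return start, end


def in_range(event, start, end):
    """True when the event's device_timestamp lies inside [start, end]."""
    ts = parse_iso(event["device_timestamp"])
    return ((start is None or ts >= parse_iso(start))
            and (end is None or ts <= parse_iso(end)))


def group_events(events, field, max_events_per_group=None):
    """Bucket events by `field`; members are newest first, like a DESC sort."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[field]].append(ev)
    groups = []
    for value, members in buckets.items():
        # One zero-padded UTC format everywhere, so string order is time order.
        members.sort(key=lambda e: e["device_timestamp"], reverse=True)
        groups.append({
            "group_key": field,
            "group_value": value,
            "group_start_timestamp": members[-1]["device_timestamp"],
            "group_end_timestamp": members[0]["device_timestamp"],
            "total_events": len(members),
            "results": members[:max_events_per_group] if max_events_per_group else members,
        })
    return sorted(groups, key=lambda g: (-g["total_events"], g["group_value"]))


def noisy_devices(events, window, now, threshold=2):
    """Devices with more than `threshold` matching events inside `window`."""
    start, end = resolve_time_range(window=window, now=now)
    recent = [e for e in events if in_range(e, start, end)]
    return [(g["group_value"], g["total_events"])
            for g in group_events(recent, "device_name") if g["total_events"] > threshold]


def fetch_events(cb, query_string, window="-1d", rows=500):
    """Same selection through the SDK; needs a configured CBCloudAPI, so not run offline."""
    from cbc_sdk.enterprise_edr import AuthEvent   # assumed import path
    query = (cb.select(AuthEvent).where(query_string)
             .set_time_range(window=window).set_rows(rows)
             .sort_by("device_timestamp", "DESC"))
    fields = ("device_name", "auth_username", "process_name", "process_pid", "device_timestamp")
    return [{f: ev.get(f) for f in fields} for ev in query]


# Constructed sample records, not tenant data.
NOW = datetime(2024, 5, 3, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"device_name": "WS-01", "auth_username": "SYSTEM", "process_name": "svchost.exe",
     "process_pid": 2000, "device_timestamp": "2024-05-03T11:55:00Z"},
    {"device_name": "WS-01", "auth_username": "SYSTEM", "process_name": "svchost.exe",
     "process_pid": 2000, "device_timestamp": "2024-05-03T11:50:00Z"},
    {"device_name": "WS-01", "auth_username": "SYSTEM", "process_name": "lsass.exe",
     "process_pid": 700, "device_timestamp": "2024-05-03T11:40:00Z"},
    {"device_name": "WS-02", "auth_username": "SYSTEM", "process_name": "svchost.exe",
     "process_pid": 2000, "device_timestamp": "2024-05-03T09:00:00Z"},
    {"device_name": "WS-02", "auth_username": "SYSTEM", "process_name": "svchost.exe",
     "process_pid": 2000, "device_timestamp": "2024-04-20T09:00:00Z"},   # outside "-1d"
]

if __name__ == "__main__":
    print(resolve_time_range(window="-3d", now=NOW))
    for g in group_events(SAMPLE_EVENTS, "device_name", max_events_per_group=2):
        print(g["group_value"], g["total_events"], g["group_start_timestamp"], g["group_end_timestamp"])
    print(noisy_devices(SAMPLE_EVENTS, "-1d", NOW))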
- sort_by(key, direction='ASC')
Sets the sorting behavior on a query’s results.
- Parameters:
key (str) – The key in the schema to sort by.
direction (str) – The sort order, either “ASC” or “DESC”.
- Returns:
The query with sorting parameters.
- Return type:
Example
>>> cb.select(Process).where(process_name="cmd.exe").sort_by("device_timestamp")
- timeout(msecs)
Sets the timeout on an Auth Event query.
- Parameters:
msecs (int) – Timeout duration, in milliseconds. This value can never be greater than the configured default timeout. If this value is 0, the configured default timeout is used.
- Returns:
The Query object with new milliseconds parameter.
- Return type:
Example
>>> cb = CBCloudAPI(profile="example_profile")
>>> events = cb.select(AuthEvent).where(process_name="chrome.exe").timeout(5000)
>>> print(*events)
- update_criteria(key, newlist)
Update the criteria on this query with a custom criteria key.
- Parameters:
key (str) – The key for the criteria item to be set.
newlist (list) – List of values to be set for the criteria item.
- Returns:
The query object with specified custom criteria.
Example
>>> query = api.select(Alert).update_criteria("my.criteria.key", ["criteria_value"])
Note
Use this method if there is no implemented method for your desired criteria.
- update_exclusions(key, newlist)
Update the exclusion on this query with a custom exclusion key.
- Parameters:
key (str) – The key for the exclusion item to be set.
newlist (list) – List of values to be set for the exclusion item.
- Returns:
The query object with specified custom exclusion.
Example
>>> query = api.select(Alert).update_exclusions("my.criteria.key", ["criteria_value"])
Note
Use this method if there is no implemented method for your desired criteria.
Threat Intelligence Module
Model Classes for Enterprise Endpoint Detection and Response
- class Feed(cb, model_unique_id=None, initial_data=None)
Bases:
FeedModel
Represents an Enterprise EDR feed’s metadata.
- Parameters:
name – A human-friendly name for this feed
owner – The feed owner’s connector ID
provider_url – A URL supplied by the feed’s provider
summary – A human-friendly summary for the feed
category – The feed’s category
source_label – The feed’s source label
access – The feed’s access (public or private)
id – The feed’s unique ID
Initialize the Feed object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (str) – The unique ID of the feed.
initial_data (dict) – The initial data for the object.
- class FeedBuilder(cb, info)
Bases:
object
Helper class allowing Feeds to be assembled.
Creates a new FeedBuilder object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
info (dict) – The initial information for the new feed.
- add_reports(reports)
Adds new reports to the new feed.
- Parameters:
reports (list[Report]) – New reports to be added to the feed.
- Returns:
This object.
- Return type:
- set_alertable(alertable)
Sets whether the new feed supports alerting. Defaults to True if not specified.
- Parameters:
alertable (bool) – Indicator whether the feed supports alerting.
- Returns:
This object.
- Return type:
- set_category(category)
Sets the category for the new feed.
- Parameters:
category (str) – New category for the feed.
- Returns:
This object.
- Return type:
- set_name(name)
Sets the name for the new feed.
- Parameters:
name (str) – New name for the feed.
- Returns:
This object.
- Return type:
- set_provider_url(provider_url)
Sets the provider URL for the new feed.
- Parameters:
provider_url (str) – New provider URL for the feed.
- Returns:
This object.
- Return type:
- set_source_label(source_label)
Sets the source label for the new feed.
- Parameters:
source_label (str) – New source label for the feed.
- Returns:
This object.
- Return type:
- set_summary(summary)
Sets the summary for the new feed.
- Parameters:
summary (str) – New summary for the feed.
- Returns:
This object.
- Return type:
- append_reports(reports)
Append the given Reports to this Feed’s current Reports.
- Parameters:
reports ([Report]) – List of Reports to append to Feed.
- Raises:
InvalidObjectError – If id is missing.
- append_reports_rawdata(report_data)
Append the given report data, formatted as per the API documentation for reports, to this Feed’s Reports.
- Parameters:
report_data (list[dict]) – List of report dicts, formatted as per the API documentation for reports.
- Raises:
InvalidObjectError – If id is missing or validation of the data fails.
- classmethod create(cb, name, provider_url, summary, category, alertable=True)
Begins creating a new feed by making a FeedBuilder to hold the new feed data.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
name (str) – Name for the new feed.
provider_url (str) – Provider URL for the new feed.
summary (str) – Summary for the new feed.
category (str) – Category for the new feed.
alertable (bool) – Whether the new feed supports alerting. Defaults to True.
- Returns:
The new FeedBuilder object to be used to create the feed.
- Return type:
- delete()
Deletes this feed from the Enterprise EDR server.
- Raises:
InvalidObjectError – If id is missing.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- replace_reports(reports)
Replace this Feed’s Reports with the given Reports.
- Parameters:
reports ([Report]) – List of Reports to replace existing Reports with.
- Raises:
InvalidObjectError – If id is missing.
- replace_reports_rawdata(report_data)
Replace this Feed’s Reports with the given reports, specified as raw data.
- Parameters:
report_data (list[dict]) – List of report dicts, formatted as per the API documentation for reports.
- Raises:
InvalidObjectError – If id is missing or validation of the data fails.
- property reports
Returns a list of Reports associated with this feed.
- Returns:
List of Reports in this Feed.
- Return type:
Reports ([Report])
- reset()
Undo any changes made to this object’s fields.
- save(public=False)
Saves this feed on the Enterprise EDR server.
- Parameters:
public (bool) – True to save the feed with public access; False (the default) keeps it private.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- update(**kwargs)
Update this feed’s metadata with the given arguments.
- Parameters:
**kwargs (dict(str, str)) – The fields to update.
- Raises:
InvalidObjectError – If id is missing or Feed.validate() fails.
ApiError – If an invalid field is specified.
Example
>>> feed.update(access="private")
- validate()
Checks to ensure this feed contains valid data.
- Raises:
InvalidObjectError – If the feed contains invalid data.
- class FeedModel(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)
Bases:
UnrefreshableModel, CreatableModelMixin, MutableBaseModel
A common base class for models used by the Feed and Watchlist APIs.
Initialize the NewBaseModel object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (Any) – The unique ID for this particular instance of the model object.
initial_data (dict) – The data to use when initializing the model object.
force_init (bool) – True to force object initialization.
full_doc (bool) – True to mark the object as fully initialized.
- delete()
Delete this object.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- reset()
Undo any changes made to this object’s fields.
- save()
Save any changes made to this object’s fields.
- Returns:
This object.
- Return type:
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- validate()
Validates this object.
- Returns:
True if the object is validated.
- Return type:
bool
- Raises:
InvalidObjectError – If the object has missing fields.
- class FeedQuery(doc_class, cb)
Bases:
SimpleQuery
Represents the logic for a Feed query.
>>> cb.select(Feed)
>>> cb.select(Feed, id)
>>> cb.select(Feed).where(include_public=True)
Initialize the FeedQuery object.
- Parameters:
doc_class (class) – The class of the model this query returns.
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- all()
Returns all the items of a query as a list.
- Returns:
List of query items
- Return type:
list
- and_(new_query)
Add an additional “where” clause to this query.
- Parameters:
new_query (object) – The additional “where” clause, as a string or solrq.Q object.
- Returns:
A new query with the extra “where” clause specified.
- Return type:
- first()
Returns the first item that would be returned as the result of a query.
- Returns:
First query item
- Return type:
obj
- one()
Returns the only item that would be returned by a query.
- Returns:
Sole query return item
- Return type:
obj
- Raises:
MoreThanOneResultError – If the query returns more than one item
ObjectNotFoundError – If the query returns zero items
- property results
Return a list of Feed objects matching self._args parameters.
- sort(new_sort)
Set the sorting for this query.
- Parameters:
new_sort (object) – The new sort criteria for this query.
- Returns:
A new query with the sort parameter specified.
- Return type:
- where(**kwargs)
Add kwargs to self._args dictionary.
- class IOC(cb, model_unique_id=None, initial_data=None, report_id=None)
Bases:
FeedModel
Represents a collection of categorized IOCs. These objects are officially deprecated and replaced by IOC_V2.
- Parameters:
md5 – A list of MD5 checksums
ipv4 – A list of IPv4 addresses
ipv6 – A list of IPv6 addresses
dns – A list of domain names
query – A list of dicts, each containing an IOC query
Creates a new IOC instance.
- Parameters:
cb (BaseAPI) – Reference to API object used to communicate with the server.
model_unique_id (str) – Unique ID of this IOC.
initial_data (dict) – Initial data used to populate the IOC.
report_id (str) – ID of the report this IOC belongs to (if this is a watchlist IOC).
- Raises:
ApiError – If initial_data is None.
- delete()
Delete this object.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- reset()
Undo any changes made to this object’s fields.
- save()
Save any changes made to this object’s fields.
- Returns:
This object.
- Return type:
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- validate()
Checks to ensure this IOC contains valid data.
- Raises:
InvalidObjectError – If the IOC contains invalid data.
- class IOC_V2(cb, model_unique_id=None, initial_data=None, report_id=None)
Bases:
FeedModel
Represents a collection of IOCs of a particular type, plus matching criteria and metadata.
- Parameters:
id – The IOC_V2’s unique ID
match_type – How IOCs in this IOC_V2 are matched
values – A list of IOCs
field – The kind of IOCs contained in this IOC_V2
link – A URL for some reference for this IOC_V2
Creates a new IOC_V2 instance.
- Parameters:
cb (BaseAPI) – Reference to API object used to communicate with the server.
model_unique_id (Any) – Unused.
initial_data (dict) – Initial data used to populate the IOC.
report_id (str) – ID of the report this IOC belongs to (if this is a watchlist IOC).
- Raises:
ApiError – If initial_data is None.
- classmethod create_equality(cb, iocid, field, *values)
Creates a new “equality” IOC.
- Parameters:
cb (BaseAPI) – Reference to API object used to communicate with the server.
iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC.
field (str) – Name of the field to be matched by this IOC.
*values (list(str)) – String values to match against the value of the specified field.
- Returns:
New IOC data structure.
- Return type:
- Raises:
ApiError – If there is not at least one value to match against.
- classmethod create_query(cb, iocid, query)
Creates a new “query” IOC.
- Parameters:
cb (BaseAPI) – Reference to API object used to communicate with the server.
iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC.
query (str) – Query to be incorporated in this IOC.
- Returns:
New IOC data structure.
- Return type:
- Raises:
ApiError – If the query string is not present.
- classmethod create_regex(cb, iocid, field, *values)
Creates a new “regex” IOC.
- Parameters:
cb (BaseAPI) – Reference to API object used to communicate with the server.
iocid (str) – ID for the new IOC. If this is None, a UUID will be generated for the IOC.
field (str) – Name of the field to be matched by this IOC.
*values (list(str)) – Regular expression values to match against the value of the specified field.
- Returns:
New IOC data structure.
- Return type:
- Raises:
ApiError – If there is not at least one regular expression to match against.
- delete()
Delete this object.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- ignore()
Sets the ignore status on this IOC.
Only watchlist IOCs have an ignore status.
- Raises:
InvalidObjectError – If id is missing or this IOC is not from a Watchlist.
- property ignored
Returns whether or not this IOC is ignored.
Only watchlist IOCs have an ignore status.
- Returns:
True if the IOC is ignored, False otherwise.
- Return type:
bool
- Raises:
InvalidObjectError – If this IOC is missing an id or is not a Watchlist IOC.
Example
>>> if ioc.ignored:
...     ioc.unignore()
- classmethod ipv6_equality_format(input)
Turns a canonically-formatted IPv6 address into a string suitable for use in an equality IOC.
- Parameters:
input (str) – The IPv6 address to be translated.
- Returns:
The translated form of IPv6 address.
- Return type:
str
- Raises:
ApiError – If the string is not in valid format.
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- reset()
Undo any changes made to this object’s fields.
- save()
Save any changes made to this object’s fields.
- Returns:
This object.
- Return type:
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- unignore()
Removes the ignore status on this IOC.
Only watchlist IOCs have an ignore status.
- Raises:
InvalidObjectError – If id is missing or this IOC is not from a Watchlist.
- validate()
Checks to ensure this IOC contains valid data.
- Raises:
InvalidObjectError – If the IOC contains invalid data.
- class Report(cb, model_unique_id=None, initial_data=None, feed_id=None, from_watchlist=False)
Bases:
FeedModel
Represents reports retrieved from an Enterprise EDR feed.
- Parameters:
id – The report’s unique ID
timestamp – When this report was created
title – A human-friendly title for this report
description – A human-friendly description for this report
severity – The severity of the IOCs within this report
link – A URL for some reference for this report
tags – A list of tags for this report
iocs_v2 – A list of IOC_V2 dicts associated with this report
visibility – The visibility of this report
Initialize the Report object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (str) – The ID of the Report (only works for Reports in Watchlists).
initial_data (dict) – The initial data for the object.
feed_id (str) – The ID of the feed this report is for.
from_watchlist (bool) – If the report is in a watchlist
- class ReportBuilder(cb, report_body)
Bases:
object
Helper class allowing Reports to be assembled.
Initialize a new ReportBuilder.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
report_body (dict) – Partial report body which should be filled in with all “required” fields.
- add_ioc(ioc)
Adds an IOC to the new report.
- Parameters:
ioc (IOC_V2) – The IOC to be added to the report.
- Returns:
This object.
- Return type:
- add_tag(tag)
Adds a tag value to the new report.
- Parameters:
tag (str) – The new tag for the object.
- Returns:
This object.
- Return type:
- build()
Builds the actual Report from the internal data of the ReportBuilder.
- Returns:
The new Report.
- Return type:
- set_description(description)
Set the description for the new report.
- Parameters:
description (str) – New description for the report.
- Returns:
This object.
- Return type:
- set_link(link)
Set the link for the new report.
- Parameters:
link (str) – New link for the report.
- Returns:
This object.
- Return type:
- set_severity(severity)
Set the severity for the new report.
- Parameters:
severity (int) – New severity for the report.
- Returns:
This object.
- Return type:
- set_timestamp(timestamp)
Set the timestamp for the new report.
- Parameters:
timestamp (int) – New timestamp for the report.
- Returns:
This object.
- Return type:
- set_title(title)
Set the title for the new report.
- Parameters:
title (str) – New title for the report.
- Returns:
This object.
- Return type:
- set_visibility(visibility)
Set the visibility for the new report.
- Parameters:
visibility (str) – New visibility for the report.
- Returns:
This object.
- Return type:
- append_iocs(iocs)
Append a list of IOCs to this Report.
- Parameters:
iocs (list[IOC_V2]) – List of IOCs to be added.
- classmethod create(cb, title, description, severity, timestamp=None, tags=None)
Begin creating a new Report by returning a ReportBuilder.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
title (str) – Title for the new report.
description (str) – Description for the new report.
severity (int) – Severity value for the new report.
timestamp (int) – UNIX-epoch timestamp for the new report. If omitted, current time will be used.
tags (list[str]) – Tags to be added to the report. If omitted, there will be none.
- Returns:
Reference to the ReportBuilder object.
- Return type:
- property custom_severity
Returns the custom severity for this report.
- Returns:
The custom severity for this Report, if it exists.
- Return type:
- Raises:
InvalidObjectError – If id is missing or this Report is from a Watchlist.
- delete()
Deletes this report from the Enterprise EDR server.
- Raises:
InvalidObjectError – If id is missing, or feed_id is missing and this report is a Feed Report.
Example
>>> report.delete()
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- ignore()
Sets the ignore status on this report.
- Raises:
InvalidObjectError – If id is missing or feed ID is missing.
- property ignored
Returns the ignore status for this report.
- Returns:
True if this Report is ignored, False otherwise.
- Return type:
(bool)
- Raises:
InvalidObjectError – If id is missing or feed ID is missing.
Example
>>> if report.ignored:
...     report.unignore()
- property iocs_
Returns a list of IOC_V2’s associated with this report.
Example
>>> for ioc in report.iocs_:
...     print(ioc.values)
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- remove_iocs(iocs)
Remove a list of IOCs from this Report.
- Parameters:
iocs (list[IOC_V2]) – List of IOCs to be removed.
- remove_iocs_by_id(ids_list)
Remove IOCs from this report by specifying their IDs.
- Parameters:
ids_list (list[str]) – List of IDs of the IOCs to be removed.
- reset()
Undo any changes made to this object’s fields.
- save()
Save any changes made to this object’s fields.
- Returns:
This object.
- Return type:
- save_watchlist()
Saves this report as a watchlist report.
Note
This method cannot be used to save a feed report. To save feed reports, create them with cb.create and use Feed.replace.
This method cannot be used to save a report that is already part of a watchlist. Use the update() method instead.
- Raises:
InvalidObjectError – If Report.validate() fails.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- unignore()
Removes the ignore status on this report.
- Raises:
InvalidObjectError – If id is missing or feed ID is missing.
- update(**kwargs)
Update this Report with the given arguments.
- Parameters:
**kwargs (dict(str, str)) – The Report fields to update.
- Returns:
The updated Report.
- Return type:
- Raises:
InvalidObjectError – If id is missing, or feed_id is missing and this report is a Feed Report, or Report.validate() fails.
Note
The report’s timestamp is always updated, regardless of whether passed explicitly.
Example
>>> report.update(title="My new report title")
- validate()
Checks to ensure this report contains valid data.
- Raises:
InvalidObjectError – If the report contains invalid data.
- class ReportQuery(doc_class, cb)
Bases:
SimpleQuery
Represents the logic for a Report query.
Example
>>> cb.select(Report).where(feed_id=id)
>>> cb.select(Report, id)
>>> cb.select(Report, id, from_watchlist=True)
Initialize the ReportQuery object.
- Parameters:
doc_class (class) – The class of the model this query returns.
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- all()
Returns all the items of a query as a list.
- Returns:
List of query items
- Return type:
list
- and_(new_query)
Add an additional “where” clause to this query.
- Parameters:
new_query (object) – The additional “where” clause, as a string or solrq.Q object.
- Returns:
A new query with the extra “where” clause specified.
- Return type:
- first()
Returns the first item that would be returned as the result of a query.
- Returns:
First query item
- Return type:
obj
- one()
Returns the only item that would be returned by a query.
- Returns:
Sole query return item
- Return type:
obj
- Raises:
MoreThanOneResultError – If the query returns more than one item
ObjectNotFoundError – If the query returns zero items
- property results
Return a list of Report objects
- sort(new_sort)
Set the sorting for this query.
- Parameters:
new_sort (object) – The new sort criteria for this query.
- Returns:
A new query with the sort parameter specified.
- Return type:
- where(**kwargs)
Add the given keyword arguments to this query's filter criteria (stored in the self._args dictionary).
- class ReportSeverity(cb, initial_data=None)
Bases:
FeedModel
Represents severity information for a Watchlist Report.
- Parameters:
report_id – The unique ID for the corresponding report
severity – The severity level
Initialize the ReportSeverity object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
initial_data (dict) – The initial data for the object.
- delete()
Delete this object.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- reset()
Undo any changes made to this object’s fields.
- save()
Save any changes made to this object’s fields.
- Returns:
This object.
- Return type:
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- validate()
Validates this object.
- Returns:
True if the object is validated.
- Return type:
bool
- Raises:
InvalidObjectError – If the object has missing fields.
- class Watchlist(cb, model_unique_id=None, initial_data=None)
Bases:
FeedModel
Represents an Enterprise EDR watchlist.
- Parameters:
name – A human-friendly name for the watchlist
description – A short description of the watchlist
id – The watchlist’s unique id
tags_enabled – Whether tags are currently enabled
alerts_enabled – Whether alerts are currently enabled
create_timestamp – When this watchlist was created
last_update_timestamp – When this watchlist was last updated
report_ids – Report IDs associated with this watchlist
classifier – A key, value pair specifying an associated feed
Initialize the Watchlist object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (str) – The unique ID of the watch list.
initial_data (dict) – The initial data for the object.
- class WatchlistBuilder(cb, name)
Bases:
object
Helper class allowing Watchlists to be assembled.
Creates a new WatchlistBuilder object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
name (str) – Name for the new watchlist.
- add_report_ids(report_ids)
Adds report IDs to the watchlist.
- Parameters:
report_ids (list[str]) – List of report IDs to add to the watchlist.
- Returns:
This object.
- Return type:
- add_reports(reports)
Adds reports to the watchlist.
- Parameters:
reports (list[Report]) – List of reports to be added to the watchlist.
- Returns:
This object.
- Return type:
- build()
Builds the new Watchlist using information in the builder. The new watchlist must still be saved.
- Returns:
The new Watchlist.
- Return type:
- set_alerts_enabled(flag)
Sets whether alerts will be enabled on the new watchlist.
- Parameters:
flag (bool) – True to enable alerts, False to disable them. Default is False.
- Returns:
This object.
- Return type:
- set_description(description)
Sets the description for the new watchlist.
- Parameters:
description (str) – New description for the watchlist.
- Returns:
This object.
- Return type:
- set_name(name)
Sets the name for the new watchlist.
- Parameters:
name (str) – New name for the watchlist.
- Returns:
This object.
- Return type:
- set_tags_enabled(flag)
Sets whether tags will be enabled on the new watchlist.
- Parameters:
flag (bool) – True to enable tags, False to disable them. Default is True.
- Returns:
This object.
- Return type:
- add_report_ids(report_ids)
Adds new report IDs to the watchlist.
- Parameters:
report_ids (list[str]) – List of report IDs to be added to the watchlist.
- add_reports(reports)
Adds new reports to the watchlist.
- Parameters:
reports (list[Report]) – List of reports to be added to the watchlist.
- property classifier_
Returns the classifier key and value, if any, for this watchlist.
- Returns:
Watchlist’s classifier key and value, or None if there is no classifier key and value.
- Return type:
tuple(str, str)
- classmethod create(cb, name)
Starts creating a new Watchlist by returning a WatchlistBuilder that can be used to set attributes.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
name (str) – Name for the new watchlist.
- Returns:
The builder for the new watchlist. Call build() to create the actual Watchlist.
- Return type:
- classmethod create_from_feed(feed, name=None, description=None, enable_alerts=False, enable_tags=True)
Creates a new Watchlist that encapsulates a Feed.
- Parameters:
feed (Feed) – The feed to be encapsulated by this Watchlist.
name (str) – Name for the new watchlist. The default is to use the Feed name.
description (str) – Description for the new watchlist. The default is to use the Feed summary.
enable_alerts (bool) – True to enable alerts on the new watchlist. Default is False.
enable_tags (bool) – True to enable tags on the new watchlist. Default is True.
- Returns:
A new Watchlist object, which must be saved to the server.
- Return type:
- delete()
Deletes this watchlist from the Enterprise EDR server.
- Raises:
InvalidObjectError – If id is missing.
- disable_alerts()
Disable alerts for this watchlist.
- Raises:
InvalidObjectError – If id is missing.
- disable_tags()
Disable tagging for this watchlist.
- Raises:
InvalidObjectError – if id is missing.
- enable_alerts()
Enable alerts for this watchlist. Alerts are not retroactive.
- Raises:
InvalidObjectError – If id is missing.
- enable_tags()
Enable tagging for this watchlist.
- Raises:
InvalidObjectError – If id is missing.
- property feed
Returns the Feed linked to this Watchlist, if there is one.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- is_dirty()
Returns whether or not any fields of this object have been changed.
- Returns:
True if any fields of this object have been changed, False if not.
- Return type:
bool
- refresh()
Reload this object from the server.
- property reports
Returns a list of Report objects associated with this watchlist.
- Returns:
List of Reports associated with the watchlist.
- Return type:
Reports ([Report])
Note
If this Watchlist is a classifier (i.e. feed-linked) Watchlist, reports will be empty. To get the reports associated with the linked Feed, use feed like:
>>> for report in watchlist.feed.reports:
...     print(report.title)
- reset()
Undo any changes made to this object’s fields.
- save()
Saves this watchlist on the Enterprise EDR server.
- Returns:
The saved Watchlist.
- Return type:
- Raises:
InvalidObjectError – If Watchlist.validate() fails.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- touch(fulltouch=False)
Force this object to be considered as changed.
- update(**kwargs)
Updates this watchlist with the given arguments.
- Parameters:
**kwargs (dict(str, str)) – The fields to update.
- Raises:
InvalidObjectError – If id is missing or Watchlist.validate() fails.
ApiError – If report_ids is given and is empty.
Example
>>> watchlist.update(name="New Name")
- validate()
Checks to ensure this watchlist contains valid data.
- Raises:
InvalidObjectError – If the watchlist contains invalid data.
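An added end-to-end example (my own code, not from the SDK's documentation) of the ReportBuilder and WatchlistBuilder workflow documented above: build a watchlist report carrying SHA-256 IOCs, persist it with save_watchlist(), then wrap it in an alert-enabled Watchlist and save() it. It assumes a configured CBCloudAPI profile and the SDK's IOC_V2.create_equality() constructor (not shown in this section); the normalize_sha256() check and the sample hash are constructed for this example.

```python
import re

# Hex-encoded SHA-256 digest: exactly 64 hex characters (own validation, not an SDK rule).
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_sha256(values):
    """Lower-case, de-duplicate and validate SHA-256 strings before they become IOC values.

    A malformed hash either fails Report.validate() or silently never matches
    anything, so reject it here rather than ship a useless watchlist.
    """
    seen = []
    for value in values:
        v = value.strip().lower()
        if not _SHA256_RE.match(v):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        if v not in seen:
            seen.append(v)
    return seen


def create_hash_report(cb, title, description, sha256_values, severity=7, tags=None):
    """Build and save a watchlist Report with one equality IOC on process_sha256.

    Uses Report.create() -> ReportBuilder.add_ioc() -> build() -> Report.save_watchlist()
    as documented; IOC_V2.create_equality() is assumed from the SDK.
    """
    from cbc_sdk.enterprise_edr import IOC_V2, Report  # local import so the module loads offline

    builder = Report.create(cb, title, description, severity, tags=tags or [])
    # One IOC carrying every hash; process_sha256 is the Enterprise EDR search field.
    ioc = IOC_V2.create_equality(cb, None, "process_sha256", *normalize_sha256(sha256_values))
    report = builder.add_ioc(ioc).build()
    report.save_watchlist()  # server call; raises InvalidObjectError if validate() fails
    return report


def create_watchlist_for_reports(cb, name, description, reports, alerts=True):
    """Wrap already-saved reports in a new Watchlist and persist it.

    build() only assembles the object; save() is what creates it on the server.
    """
    from cbc_sdk.enterprise_edr import Watchlist

    watchlist = (
        Watchlist.create(cb, name)
        .set_description(description)
        .add_reports(reports)
        .set_alerts_enabled(alerts)  # alerts are not retroactive (see enable_alerts)
        .build()
    )
    return watchlist.save()


if __name__ == "__main__":
    from cbc_sdk import CBCloudAPI

    cb = CBCloudAPI(profile="example_profile")
    # Constructed sample value (SHA-256 of the empty string); replace with real threat-intel hashes.
    samples = ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"]
    report = create_hash_report(cb, "IR case hashes", "Hashes from an internal IR case", samples, tags=["ir"])
    wl = create_watchlist_for_reports(cb, "IR hash watchlist", "Auto-created from IR case", [report])
    print(wl.id, [r.id for r in wl.reports])
```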
- class WatchlistQuery(doc_class, cb)
Bases:
SimpleQuery
Represents the logic for a Watchlist query.
Example
>>> cb.select(Watchlist)
Initialize the WatchlistQuery object.
- Parameters:
doc_class (class) – The class of the model this query returns.
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
- all()
Returns all the items of a query as a list.
- Returns:
List of query items
- Return type:
list
- and_(new_query)
Add an additional “where” clause to this query.
- Parameters:
new_query (object) – The additional “where” clause, as a string or solrq.Q object.
- Returns:
A new query with the extra “where” clause specified.
- Return type:
- first()
Returns the first item that would be returned as the result of a query.
- Returns:
First query item
- Return type:
obj
- one()
Returns the only item that would be returned by a query.
- Returns:
Sole query return item
- Return type:
obj
- Raises:
MoreThanOneResultError – If the query returns more than one item
ObjectNotFoundError – If the query returns zero items
- property results
Return a list of all Watchlist objects.
- sort(new_sort)
Set the sorting for this query.
- Parameters:
new_sort (object) – The new sort criteria for this query.
- Returns:
A new query with the sort parameter specified.
- Return type:
- where(new_query)
Add a “where” clause to this query.
- Parameters:
new_query (object) – The “where” clause, as a string or solrq.Q object.
- Returns:
A new query with the “where” clause specified.
- Return type:
- log = <Logger cbc_sdk.enterprise_edr.threat_intelligence (WARNING)>
Models
UBS Module
Model Classes for Enterprise Endpoint Detection and Response
- class Binary(cb, model_unique_id)
Bases:
UnrefreshableModel
Represents a retrievable binary.
- Parameters:
sha256 – The SHA-256 hash of the file
md5 – The MD5 hash of the file
file_available – If true, the file is available for download
available_file_size – The size of the file available for download
file_size – The size of the actual file (represented by the hash)
os_type – The OS that this file is designed for
architecture – The set of architectures that this file was compiled for
lang_id – The Language ID value for the Windows VERSIONINFO resource
charset_id – The Character set ID value for the Windows VERSIONINFO resource
internal_name – The internal name from FileVersionInformation
product_name – The product name from FileVersionInformation
company_name – The company name from FileVersionInformation
trademark – The trademark from FileVersionInformation
file_description – The file description from FileVersionInformation
file_version – The file version from FileVersionInformation
comments – Comments from FileVersionInformation
original_filename – The original filename from FileVersionInformation
product_description – The product description from FileVersionInformation
product_version – The product version from FileVersionInformation
private_build – The private build from FileVersionInformation
special_build – The special build from FileVersionInformation
Initialize the Binary object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (str) – The SHA-256 of the binary being retrieved.
- class Summary(cb, model_unique_id)
Bases:
UnrefreshableModel
Represents a summary of organization-specific information for a retrievable binary.
Initialize the Summary object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
model_unique_id (str) – The SHA-256 of the binary being retrieved.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- refresh()
Reload this object from the server.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- download_url(expiration_seconds=3600)
Returns a URL that can be used to download the file for this binary. Returns None if no download found.
- Parameters:
expiration_seconds (int) – How long the download should be valid for.
- Returns:
A pre-signed AWS download URL, or None if no download is found.
- Return type:
URL (str)
- Raises:
InvalidObjectError – If the URL retrieval should be retried.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- refresh()
Reload this object from the server.
- property summary
Returns organization-specific information about this binary.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
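An added example (my own code, not the SDK's) of the download_url() retry contract documented above: the page states that InvalidObjectError means the retrieval should be retried, so url_with_retry() re-invokes a fetch a bounded number of times with back-off, and get_binary_url() applies it to cb.select(Binary, sha256). The attempt count, delay and the shortened expiry are choices made here; the fake fetch used for checking is constructed.

```python
import time


def url_with_retry(fetch, retry_on, attempts=3, delay=1.0, sleep=time.sleep):
    """Call fetch() until it returns without raising retry_on, at most `attempts` times.

    Returns fetch()'s value (a URL string, or None when the binary has no download).
    Re-raises the last retry_on error once the budget is exhausted; any other
    exception propagates immediately, since it does not mean "try again".
    """
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            return fetch()
        except retry_on as err:  # the SDK's "please retry" signal
            last_error = err
            if attempt < attempts:
                sleep(delay * attempt)  # linear back-off between attempts
    raise last_error


def get_binary_url(cb, sha256, expiration_seconds=900, attempts=3):
    """Fetch a short-lived pre-signed download URL for a binary by SHA-256.

    Uses cb.select(Binary, sha256) and Binary.download_url() as documented. The
    default expiry is shortened from the SDK's 3600 s because whoever holds the
    URL can fetch the file, so it should not outlive the analysis job that needs it.
    """
    from cbc_sdk.enterprise_edr import Binary  # local import so the module loads offline
    from cbc_sdk.errors import InvalidObjectError

    binary = cb.select(Binary, sha256)
    return url_with_retry(
        lambda: binary.download_url(expiration_seconds=expiration_seconds),
        InvalidObjectError,
        attempts=attempts,
    )


if __name__ == "__main__":
    from cbc_sdk import CBCloudAPI

    cb = CBCloudAPI(profile="example_profile")
    url = get_binary_url(cb, "<sha256-placeholder>")  # placeholder, not a real hash
    print("download URL:" if url else "no download available", url or "")
```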
- class Downloads(cb, shas, expiration_seconds=3600)
Bases:
UnrefreshableModel
Represents download information for a list of process hashes.
Initialize the Downloads object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
shas (list) – A list of SHA hash values for binaries.
expiration_seconds (int) – Number of seconds until this request expires.
- class FoundItem(cb, item)
Bases:
UnrefreshableModel
Represents the download URL and process hash for a successfully located binary.
Initialize the FoundItem object.
- Parameters:
cb (CBCloudAPI) – A reference to the CBCloudAPI object.
item (dict) – The values for a successfully-retrieved item.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- refresh()
Reload this object from the server.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any
- property found
Returns a list of Downloads.FoundItem, one for each binary found in the binary store.
- get(attrname, default_val=None)
Return an attribute of this object.
- Parameters:
attrname (str) – Name of the attribute to be returned.
default_val (Any) – Default value to be used if the attribute is not set.
- Returns:
The returned attribute value, which may be defaulted.
- Return type:
Any
- refresh()
Reload this object from the server.
- to_json()
Return a json object of the response.
- Returns:
The response dictionary representation.
- Return type:
Any