psc-api.rst

CB PSC API

This page documents the public interfaces exposed by cbapi when communicating with the Carbon Black Predictive Security Cloud (PSC).

Main Interface

To use cbapi with the Carbon Black PSC, you use CbPSCBaseAPI objects.

cbapi.psc.rest_api.CbPSCBaseAPI

Device API

The PSC can be used to enumerate devices within your organization, and change their status via a control request.

You can use the select() method on the CbPSCBaseAPI to create a query object for Device objects, which can be used to locate a list of Devices.

Example:

>>> cbapi = CbPSCBaseAPI(...)
>>> devices = cbapi.select(Device).set_os("LINUX").status("ALL")

Selects all devices running Linux from the current organization.

Query Object:

cbapi.psc.query.DeviceSearchQuery

Model Object:

cbapi.psc.models.Device

Alerts API

Using the API, you can search for alerts within your organization, and dismiss or undismiss them, either individually or in bulk.

You can use the select() method on the CbPSCBaseAPI to create a query object for BaseAlert objects, which can be used to locate a list of alerts. You can also search for more specialized alert types:

  • CBAnalyticsAlert - Alerts from CB Analytics
  • VMwareAlert - Alerts from VMware
  • WatchlistAlert - Alerts from watch lists

Example:

>>> cbapi = CbPSCBaseAPI(...)
>>> alerts = cbapi.select(BaseAlert).set_device_os(["WINDOWS"]).set_process_name(["IEXPLORE.EXE"])

Selects all alerts on a Windows device running the Internet Explorer process.

Individual alerts may have their status changed using the dismiss() or update() methods on the BaseAlert object. To dismiss multiple alerts at once, you can use the dismiss() or update() methods on the standard query, after adding criteria to it. The query-level methods return a request ID, which can be used to create a WorkflowStatus object; querying this object's "finished" property will let you know when the bulk operation has completed.

Example:

>>> import time
>>> cbapi = CbPSCBaseAPI(...)
>>> query = cbapi.select(BaseAlert).set_process_name(["IEXPLORE.EXE"])
>>> reqid = query.dismiss("Using Chrome")
>>> stat = cbapi.select(WorkflowStatus, reqid)
>>> while not stat.finished:
...     time.sleep(1)  # wait for the bulk dismiss to finish

This dismisses all alerts that reference the Internet Explorer process.
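The loop above polls "finished" with no upper bound, so a request that never completes would hang an automation script. The helper below is an added example written for this page; it is not part of cbapi or its documentation. It assumes only what the page states: the object returned by cbapi.select(WorkflowStatus, reqid) exposes a finished attribute that reflects the current state of the bulk operation each time it is read. The names wait_for_workflow, FakeWorkflowStatus and FakeClock are introduced here, and the two Fake classes are constructed stand-ins so the helper can be exercised offline.

```python
"""Bounded polling for a PSC bulk-alert workflow (added example, not cbapi code)."""
import time


def wait_for_workflow(status, timeout=60.0, interval=1.0,
                      sleep=time.sleep, clock=time.monotonic):
    """Poll ``status.finished`` until it is True or ``timeout`` seconds pass.

    ``status`` is any object with a ``finished`` attribute, e.g. the
    WorkflowStatus returned by ``cbapi.select(WorkflowStatus, reqid)``
    (assumption: reading ``finished`` re-checks the workflow state).
    Returns the number of polls made. Raises TimeoutError when the
    deadline passes, so callers can log the request ID and retry later
    instead of hanging forever.
    ``sleep`` and ``clock`` are injectable purely for offline testing.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if status.finished:
            return polls
        if clock() >= deadline:
            raise TimeoutError("workflow not finished after %.1fs (%d polls)"
                               % (timeout, polls))
        sleep(interval)


class FakeWorkflowStatus:
    """Constructed stand-in for cbapi.psc.models.WorkflowStatus.

    ``finish_after`` is the number of reads of ``finished`` before the
    operation reports completion; ``None`` models a request that never
    completes.
    """

    def __init__(self, finish_after):
        self.finish_after = finish_after
        self.reads = 0

    @property
    def finished(self):
        self.reads += 1
        return self.finish_after is not None and self.reads >= self.finish_after


class FakeClock:
    """Constructed clock: ``sleep`` advances time instead of blocking."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    # Offline demonstration with the constructed stand-ins. With a real
    # client the call would be:
    #   stat = cbapi.select(WorkflowStatus, query.dismiss("Using Chrome"))
    #   wait_for_workflow(stat, timeout=120)
    clk = FakeClock()
    polls = wait_for_workflow(FakeWorkflowStatus(3), timeout=10,
                              sleep=clk.sleep, clock=clk)
    print("finished after %d polls, %.0fs of simulated wait" % (polls, clk.now))
    clk = FakeClock()
    try:
        wait_for_workflow(FakeWorkflowStatus(None), timeout=5,
                          sleep=clk.sleep, clock=clk)
    except TimeoutError as exc:
        print("gave up:", exc)
```

With the real client, pass the WorkflowStatus object straight in and leave sleep and clock at their defaults; the timeout is the only knob most scripts need, and the request ID in the exception message is what you would record to re-query the workflow later.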

Query Objects:

cbapi.psc.query.BaseAlertSearchQuery

cbapi.psc.query.CBAnalyticsAlertSearchQuery

cbapi.psc.query.VMwareAlertSearchQuery

cbapi.psc.query.WatchlistAlertSearchQuery

Model Objects:

cbapi.psc.models.Workflow

cbapi.psc.models.BaseAlert

cbapi.psc.models.CBAnalyticsAlert

cbapi.psc.models.VMwareAlert

cbapi.psc.models.WatchlistAlert

cbapi.psc.models.WorkflowStatus