You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.
Carbon Black API - Python language bindings
Notifications You must be signed in to change notification settings
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Go to fileThese are the Python bindings for the Carbon Black EDR and App Control REST APIs. To learn more about the REST APIs, visit the Carbon Black Developer Network Website at https://developer.carbonblack.com.
Please visit https://cbapi.readthedocs.io for detailed documentation on this API.
The cbapi package is designed to work on Python 2.6.6 and above (including 3.x). If you're just starting out, we recommend using the latest version of Python 3.6.x or above.
All requirements are installed as part of pip install . The legacy cbapi ( cbapi.CbApi ) and legacy bit9api ( cbapi.bit9Api ) are still compatible with Python 2.x only.
Backwards compatibility with old scripts is maintained through the cbapi.legacy module. Old scripts that import cbapi.CbApi directly will continue to work.
New scripts should use the cbapi.CbResponseAPI (for EDR (CB Response)) and cbapi.CbProtectionAPI (for App Control (CB Protection)) API entry points.
There are two ways to get started:
pip install cbapi
python setup.py develop
There are several examples in the examples directory for both EDR and App Control. For a quick start, see the following code snippets:
Carbon Black EDR
from cbapi.response.models import Process, Binary, Sensor, Feed, Watchlist, Investigation from cbapi.response.rest_api import CbEnterpriseResponseAPI import logging logging.basicConfig(level=logging.DEBUG) c=CbEnterpriseResponseAPI() # read the first four bytes of the notepad.exe associated with the first process instance of notepad running c.select(Process).where('process_name:notepad.exe').first().binary.file.read(4) # if you want a specific ID, you can put it straight into the .select() call: binary = c.select(Binary, "24DA05ADE2A978E199875DA0D859E7EB") # isolate all sensors who ran executable_name.exe sensors = set() for proc in c.select(Process).where('process_name:executable_name.exe'): sensors.add(proc.sensor) for s in sensors: s.network_isolation_enabled = True s.save() Carbon Black App Control
from cbapi.protection.models import * from cbapi.protection.rest_api import CbEnterpriseProtectionAPI p=CbEnterpriseProtectionAPI() # Select the first file instance fi = p.select(FileInstance).first() # print that computer's hostname fi.computer.name # change the policy ID fi.computer.policyId = 3 fi.computer.save() In order to perform any queries via the API, you will need to get the API token for your CB user. See the documentation on the Developer Network website on how to acquire the API token for CB Response or CB Protection.
Once you acquire your API token, place it in one of the default credentials file locations:
For distinction between credentials of different Carbon Black products, use the following naming convention for your credentials files:
For example, if you use a Carbon Black Cloud product, you should have created a credentials file in one of these locations:
Credentials found in a later path will overwrite earlier ones.
The credentials are stored in INI format. The name of each credential profile is enclosed in square brackets, followed by key-value pairs providing the necessary credential information::
[default] url=https://localhost token=abcdef0123456789abcdef ssl_verify=False [prod] url=https://cbserver.prod.corp.com token=aaaaaa ssl_verify=True [otheruser] url=https://localhost token=bbbbbb ssl_verify=False The possible options for each credential profile are:
Future versions of cbapi may provide the ability to "pin" the TLS certificate so as to provide certificate verification on self-signed or internal CA signed certificates.