Cb Protection API¶

This page documents the public interfaces exposed by cbapi when communicating with a Carbon Black Enterprise Protection server.

Main Interface¶

To use cbapi with Carbon Black Protection, you will be using the CbProtectionAPI. The CbProtectionAPI object then exposes two main methods to select data on the Carbon Black server:

class cbapi.protection.rest_api.CbProtectionAPI(*args, **kwargs)¶

The main entry point into the Carbon Black Enterprise Protection API.

Parameters:	profile (str) – (optional) Use the credentials in the named profile when connecting to the Carbon Black server. Uses the profile named ‘default’ when not specified.

Usage:

>>> from cbapi import CbEnterpriseProtectionAPI
>>> cb = CbEnterpriseProtectionAPI(profile="production")

create(cls, data=None)¶

Creates a new object.

Parameters:	cls (class) – The Model class (only some models can be created, for example, Feed, Notification, ...)
Returns:	An empty instance of the Model class
Raises:	ApiError – if the Model cannot be created

select(cls, unique_id=None, *args, **kwargs)¶

Prepares a query against the Carbon Black data store.

Parameters:	cls (class) – The Model class (for example, Computer, Process, Binary, FileInstance) to query unique_id – (optional) The unique id of the object to retrieve, to retrieve a single object by ID
Returns:	An instance of the Model class if a unique_id is provided, otherwise a Query object

Queries¶

class cbapi.protection.rest_api.Query(doc_class, cb, query=None)¶

Represents a prepared query to the Carbon Black Enterprise Protection server.

This object is returned as part of a CbEnterpriseProtectionAPI.select() operation on models requested from the Carbon Black Enterprise Protection server. You should not have to create this class yourself.

The query is not executed on the server until it’s accessed, either as an iterator (where it will generate values on demand as they’re requested) or as a list (where it will retrieve the entire result set and save to a list). You can also call the Python built-in len() on this object to retrieve the total number of items matching the query.

The syntax for query :py:meth:where and :py:meth:sort methods can be found in the Enterprise Protection API reference posted on the Carbon Black Developer Network website.

Examples:

>>> from cbapi.protection import CbEnterpriseProtectionAPI, Computer
>>> cb = CbEnterpriseProtectionAPI()
>>> query = cb.select(Computer)                     # returns a Query object matching all Computers
>>> query = query.where("ipAddress:10.201.2.*")     # add a filter to this Query
>>> query = query.sort("processorSpeed DESC")       # sort by computer processor speed, descending
>>> for comp in query:                              # uses the iterator to retrieve all results
>>>     print(comp.name)
>>> comps = query[:10]                              # retrieve the first ten results
>>> len(query)                                      # retrieve the total count

Notes:

The slicing operator only supports start and end parameters, but not step. [1:-1] is legal, but [1:2:-1] is not.
You can chain where clauses together to create AND queries; only objects that match all where clauses will be returned.

and_(q)¶

Add a filter to this query. Equivalent to calling where() on this object.

Parameters:	q (str) – Query string - see the Enterprise Protection API reference.
Returns:	Query object
Return type:	`Query`

sort(new_sort)¶

Set the sort order for this query.

Parameters:	new_sort (str) – Sort order - see the Enterprise Protection API reference.
Returns:	Query object
Return type:	`Query`

where(q)¶

Add a filter to this query.

Parameters:	q (str) – Query string - see the Enterprise Protection API reference.
Returns:	Query object
Return type:	`Query`

Models¶

class cbapi.protection.models.AppCatalog(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a AppCatalog object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/appCatalog'¶

class cbapi.protection.models.AppTemplate(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a AppTemplate object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/appTemplate'¶

class cbapi.protection.models.ApprovalRequest(cb, model_unique_id, initial_data=None)¶

ResolutionApproved = 2¶

ResolutionInstaller = 4¶

ResolutionNotResolved = 0¶

ResolutionOther = 7¶

ResolutionPublisher = 6¶

ResolutionRejected = 1¶

ResolutionRuleChange = 3¶

ResolutionUpdater = 5¶

StatusClosed = 3¶

StatusOpen = 2¶

StatusSubmitted = 1¶

computer¶

fileCatalog¶

installerFileCatalog¶

processFileCatalog¶

urlobject = '/api/bit9platform/v1/approvalRequest'¶

class cbapi.protection.models.Certificate(cb, model_unique_id, initial_data=None)¶

StateApproved = 2¶

StateBanned = 3¶

StateMixed = 4¶

StateUnapproved = 1¶

firstSeenComputer¶

parent¶

publisher¶

urlobject = '/api/bit9platform/v1/certificate'¶

class cbapi.protection.models.Computer(cb, model_unique_id, initial_data=None)¶

Represents a Computer object in the Carbon Black server.

fileInstances¶

policy¶

resetCLIPassword()¶

template¶

urlobject = '/api/bit9platform/v1/computer'¶

class cbapi.protection.models.Connector(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a Connector object in the Carbon Black server.

Variables:

analysisName – Name for analysis component of the connector (can be same as the name field)
analysisEnabled – True if analysis component of this connector is enabled
name – Name of the connector. Note that only non-internal connectors can be renamed
canAnalyze – True if this connector can analyze files
enabled – True if connector is enabled
connectorVersion – Version of this connector
analysisTargets – Array of possible analysis targets. Analysis targets are required when creating new fileAnalysis. They usualy represent different OS and configurations and are available only for some internal connectors.
id – Unique connector Id
isInternal – True if this is internal connector

analysisEnabled = None¶

analysisName = None¶

analysisTargets = []¶

canAnalyze = None¶

connectorVersion = None¶

enabled = None¶

id = None¶

isInternal = None¶

name = None¶

pendingAnalyses¶

urlobject = '/api/bit9platform/v1/connector'¶

class cbapi.protection.models.DriftReport(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a DriftReport object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/driftReport'¶

class cbapi.protection.models.DriftReportContents(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a DriftReportContents object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/driftReportContents'¶

class cbapi.protection.models.EnforcementLevel¶

LevelHigh = 20¶

LevelLow = 40¶

LevelMedium = 30¶

LevelNone = 80¶

class cbapi.protection.models.Event(cb, model_unique_id, initial_data=None)¶

Represents a Event object in the Carbon Black server.

fileCatalog¶

urlobject = '/api/bit9platform/v1/event'¶

class cbapi.protection.models.FileAnalysis(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/fileAnalysis'¶

class cbapi.protection.models.FileCatalog(cb, model_unique_id, initial_data=None)¶

Represents a FileCatalog object in the Carbon Black server.

certificate¶

computer¶

fileHash¶

publisher¶

urlobject = '/api/bit9platform/v1/fileCatalog'¶

class cbapi.protection.models.FileInstance(cb, model_unique_id, initial_data=None)¶

Represents a FileInstance object in the Carbon Black server.

computer¶

fileCatalog¶

urlobject = '/api/bit9platform/v1/fileInstance'¶

class cbapi.protection.models.FileInstanceDeleted(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/fileInstanceDeleted'¶

class cbapi.protection.models.FileInstanceGroup(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/fileInstanceGroup'¶

class cbapi.protection.models.FileRule(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a FileRule object in the Carbon Black server.

Variables:

visible – If rule should be visible in the UI or not
forceNotInstaller – True if this file is forced to act as ‘not installer’, even if product detected it as installer
fileState – File state for this rule. Can be one of: 1=Unapproved 2=Approved 3=Banned
sourceId – Id of source of this rule. Can be event rule id or trusted directory id
fileCatalogId – Id of fileCatalog entry associated with this fileRule. Can be null if file hasn’t been seen on any endpoints yet. This is foreign key and can be expanded to expose fields from the related fileCatalog object
dateModified – Date/time when this object was last modified (UTC)
version – Version of this file rule
unifiedSource – Unified server name that created this rule
idUnique – Unique GUID of this rule
dateCreated – Date/time when this rule was created (UTC)
modifiedBy – User that last modified this object
hash – Hash associated with this rule. Note that hash will be available only if rule was created through md5 or sha-1 hash. If rule was created through fileName, fileCatalogId or sha-256 hash that exists in the catalog, this field will be empty.
name – Name of this rule.
createdByUserId – Id of user that created this object
fileName – File name associated with this rule. Note that file name will be available only if rule was created through file name. If rule was created through fileCatalogId or hash, this field will be empty.
lazyApproval – This filed is valid only when creating approvals. When set to true, it will cause approval to be sent to agent only if file is marked as installer or if it blocked on any agent. This is useful when proactively creating lot of approvals that might or might not be required, since it is using less resources. Note that, as soone as lazy approval is sent to agents, this field will changed to ‘false’.
clVersion – CL version associated with this file rule
reportOnly – True if this has a report-only ban
policyIds – List of IDs of policies where this rule applies. Value will be empty if this is a global rule
createdBy – User that created this object
sourceType – Mechanism that created this rule. Can be one of: 1 = Manual 2 = Trusted Directory 3 = Reputation 4 = Imported 5 = External (API) 6 = Event Rule 7 = Application Template 8 = Unified Management
unifiedFlag – Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 3 - local override allowed)
platformFlags – Set of platform flags where this file rule will be valid. combination of: 1 = Windows 2 = Mac 4 = Linux
forceInstaller – True if this file is forced to act as installer, even if product detected it as ‘not installer’
reputationApprovalsEnabled – True if reputation approvals are enabled for this file
origIdUnique – Unique GUID of the original rule
modifiedByUserId – Id of user that last modified this object
id – Unique id of this fileRule
description – Description of this rule.
fileRuleType – Text description of file rule type

PlatformLinux = 4¶

PlatformMac = 2¶

PlatformWindows = 1¶

SourceTypeApplicationTemplate = 7¶

SourceTypeEventRule = 6¶

SourceTypeExternal = 5¶

SourceTypeImported = 4¶

SourceTypeManual = 1¶

SourceTypeReputation = 3¶

SourceTypeTrustedDirectory = 2¶

SourceTypeUnifiedManagement = 8¶

StateApproved = 2¶

StateBanned = 3¶

StateUnapproved = 1¶

clVersion = None¶

createdBy = None¶

createdByUser¶

createdByUserId = None¶

dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

description = None¶

fileCatalog¶

fileCatalogId = None¶

fileName = None¶

fileRuleType = None¶

fileState = None¶

forceInstaller = None¶

forceNotInstaller = None¶

hash = None¶

id = None¶

idUnique = None¶

lazyApproval = None¶

modifiedBy = None¶

modifiedByUserId = None¶

name = None¶

origIdUnique = None¶

platformFlags = None¶

policyIds = None¶

reportOnly = None¶

reputationApprovalsEnabled = None¶

sourceId = None¶

sourceType = None¶

unifiedFlag = None¶

unifiedSource = None¶

urlobject = '/api/bit9platform/v1/fileRule'¶

version = None¶

visible = None¶

class cbapi.protection.models.FileUpload(cb, model_unique_id, initial_data=None)¶

file¶

urlobject = '/api/bit9platform/v1/fileUpload'¶

class cbapi.protection.models.GrantedUserPolicyPermission(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a GrantedUserPolicyPermission object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/grantedUserPolicyPermission'¶

class cbapi.protection.models.InternalEvent(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/fileInstance'¶

class cbapi.protection.models.MeteredExecution(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/meteredExecution'¶

class cbapi.protection.models.Notification(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a Notification object in the Carbon Black server.

Variables:

fileAnalysisId – Id of fileAnalysis object associated with the notification. This should be available if notification came as a result of the file analysis
analysisResult – Analysis result. Can be one of: 0 = Unknown, 1 = Not malicious, 2 = Potential risk, 3 = Malicious
time – Date/time of the notification (UTC)
connectorId – Id of connector object that sent the notification

ResultClean = 1¶

ResultMalicious = 3¶

ResultNotAvailable = 0¶

ResultPotentialThreat = 2¶

analysisResult = None¶

anomaly = None¶

appliance = None¶

connectorId = None¶

destIp = None¶

destUsername = None¶

directories = []¶

externalId = None¶

externalUrl = None¶

fileAnalysisId = None¶

fileName = None¶

files = []¶

flags = None¶

httpHeader = None¶

malwareName = None¶

malwareType = None¶

md5 = None¶

msgFormat = None¶

product = None¶

regKeys = []¶

severity = None¶

sha1 = None¶

sha256 = None¶

srcHost = None¶

srcIp = None¶

srcUsername = None¶

status = None¶

targetApp = None¶

targetOS = None¶

time = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

type = None¶

urlobject = '/api/bit9platform/v1/notification'¶

version = None¶

class cbapi.protection.models.Notifier(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/notifier'¶

class cbapi.protection.models.PendingAnalysis(cb, model_unique_id, initial_data=None)¶

ResultClean = 1¶

ResultMalicious = 3¶

ResultNotAvailable = 0¶

ResultPotentialThreat = 2¶

StatusAnalyzed = 3¶

StatusCancelled = 5¶

StatusError = 4¶

StatusProcessed = 2¶

StatusScheduled = 0¶

StatusSubmitted = 1¶

create_notification(**kwargs)¶

file¶

fileCatalog¶

fileHash¶

urlobject = '/api/bit9platform/v1/pendingAnalysis'¶

class cbapi.protection.models.Policy(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a Policy object in the Carbon Black server.

Variables:

helpDeskUrl – Helpdesk URL for notifiers in this policy
enforcementLevel – Target enforcement level. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
automatic – True if AD mapping is enabled for this policy
imageUrl – Image logo URL for notifiers in this policy
fileTrackingEnabled – True if file tracking enabled in this policy
readOnly – True if this policy is read-only
hidden – True if this policy is hidden in the UI
connectedComputers – Number of connected computers in this policy
dateCreated – Date/time when this rule was created (UTC)
reputationEnabled – True if reputation approvals are enabled in this policy
dateModified – Date/time when this object was last modified (UTC)
atEnforcementComputers – Number of computers that are at target enforcement level in this policy
automaticApprovalsOnTransition – True if agents in this policy will automatically locally approve files when transitioning into High Enforcement
loadAgentInSafeMode – True if agents in this policy will be loaded when machine is booted in ‘safe mode’
id – Unique id of this policy
packageName – Name of installer package for this policy
name – Name of this policy.
customLogo – True if notifiers in this policy use custom logo
disconnectedEnforcementLevel – Target enforcement level for disconnected computers. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
createdByUserId – Id of user that created this object
clVersionMax – Max target CL version for agents in this policy
modifiedByUserId – Id of user that last modified this object
totalComputers – Total number of computers in this policy
allowAgentUpgrades – True if agents can be upgraded for this policy
description – Description of this policy.

allowAgentUpgrades = None¶

atEnforcementComputers = None¶

automatic = None¶

automaticApprovalsOnTransition = None¶

clVersionMax = None¶

connectedComputers = None¶

createdByUserId = None¶

customLogo = None¶

dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

description = None¶

disconnectedEnforcementLevel = None¶

enforcementLevel = None¶

fileTrackingEnabled = None¶

helpDeskUrl = None¶

hidden = None¶

id = None¶

imageUrl = None¶

loadAgentInSafeMode = None¶

modifiedByUserId = None¶

name = None¶

packageName = None¶

readOnly = None¶

reputationEnabled = None¶

totalComputers = None¶

urlobject = '/api/bit9platform/v1/policy'¶

class cbapi.protection.models.Publisher(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/publisher'¶

class cbapi.protection.models.PublisherCertificate(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a PublisherCertificate object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/publisherCertificate'¶

class cbapi.protection.models.ScriptRule(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a ScriptRule object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/scriptRule'¶

class cbapi.protection.models.ServerConfig(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/serverConfig'¶

class cbapi.protection.models.ServerPerformance(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/serverPerformance'¶

class cbapi.protection.models.TrustedDirectory(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a TrustedDirectory object in the Carbon Black server.

urlobject = '/api/bit9platform/v1/trustedDirectory'¶

class cbapi.protection.models.TrustedUser(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a TrustedUser object in the Carbon Black server.

Variables:

modifiedBy – User that last modified this object
createdByUserId – Id of user that created this object. This is foreign key and can be expanded to expose fields from the related user object
clVersion – CL version associated with this trustedUser
modifiedByUserId – Id of user that last modified this object. This is foreign key and can be expanded to expose fields from the related user object
name – Name of the user as it will appear on the console. This is not the name that will be enforced on the endpoint
dateModified – Date/time when this object was last modified (UTC)
dateCreated – Date/time when this object was created (UTC)
description – Description of this rule
createdBy – User that created this object
userSid – Id of the user that will be trusted on the endpoint. This field can be user name, user SID (Security identifier) on Windows platforms or user’s ID on Linux and Mac platforms
id – Unique id of this trustedUser
platformId – Platform where this trustedUser will be valid. it is one of: 1 = Windows, 2 = Mac, 4 = Linux

clVersion = None¶

createdBy = None¶

createdByUserId = None¶

dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

description = None¶

id = None¶

modifiedBy = None¶

modifiedByUserId = None¶

name = None¶

platformId = None¶

urlobject = '/api/bit9platform/v1/trustedUser'¶

userSid = None¶

class cbapi.protection.models.Updater(cb, model_unique_id, initial_data=None)¶

urlobject = '/api/bit9platform/v1/updater'¶

class cbapi.protection.models.User(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a User object in the Carbon Black server.

Variables:

eMailAddress – EMail address of this user
external – True if this is externally generated user (e.g. from AD)
automatic – True if this user’s roles are assigned automatically through mappings (valid only for external users)
apiToken – API token for this user
backupCellPhone – User’s secondary cell phone
readOnly – True if this user is one of internal users (System or Cb Collective Defense Cloud Service) or AD user. These users cannot be modified through the API
userGroupIds – Comma-separated list of IDs of corresponding userGroup objects
department – Department this user belongs to
name – Name of the user
passwordSalt – Salt used to generate password hash
unified – True if this user’s token is already connected to a remote unified environment (token should not be changed)
backupPager – User’s secondary pager number
passwordHash – Hash of user password
title – Title of this user
comments – Comments for this user
registrationDate – Date this user was first registered (UTC)
salutation – Salutation of this user
id – Unique id of this user
pager – User’s pager number
adminComments – Administrator’s comments for this user
firstName – First name of this user
homePhone – User’s home phone
cellPhone – User’s cell phone
lastName – Last name of this user
enabled – True if this user is enabled

adminComments = None¶

apiToken = None¶

automatic = None¶

backupCellPhone = None¶

backupPager = None¶

cellPhone = None¶

comments = None¶

department = None¶

eMailAddress = None¶

enabled = None¶

external = None¶

firstName = None¶

homePhone = None¶

id = None¶

lastName = None¶

name = None¶

pager = None¶

passwordHash = None¶

passwordSalt = None¶

readOnly = None¶

registrationDate = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

salutation = None¶

title = None¶

unified = None¶

urlobject = '/api/bit9platform/v1/user'¶

userGroupIds = None¶

class cbapi.protection.models.UserGroup(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)¶

Represents a UserGroup object in the Carbon Black server.

Variables:

modifiedBy – User that last modified this object
createdByUserId – Id of user that created this object. This is foreign key and can be expanded to expose fields from the related user object
editable – True if this userGroup is editable
policyIds – List of IDs of policies where this user group applies. Value will be empty if this is a global user group
automaticCount – Number of users that belong to this group and have been assigned through AD rule (doesn’t include internal users)
name – Name of the user group
permissions – Permissions associated with users of this user group as a hexadecimal string. See https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#usergroup for more information.
dateModified – Date/time when this object was last modified (UTC)
dateCreated – Date/time when this object was created (UTC)
manualCount – Number of users that belong to this group and have been assigned manually (doesn’t include internal users)
enabled – True if this userGroup is enabled
createdBy – User that created this object
modifiedByUserId – Id of user that last modified this object. This is foreign key and can be expanded to expose fields from the related user object
id – Unique id of this user group
description – Description of this user group

automaticCount = None¶

createdBy = None¶

createdByUserId = None¶

dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())¶

description = None¶

editable = None¶

enabled = None¶

id = None¶

manualCount = None¶

modifiedBy = None¶

modifiedByUserId = None¶

name = None¶

permissions = None¶

policyIds = None¶

urlobject = '/api/bit9platform/v1/userGroup'¶

Cb Protection API¶

Main Interface¶

Queries¶

Models¶

Table Of Contents

Related Topics

This Page