Cb Protection API

This page documents the public interfaces exposed by cbapi when communicating with a Carbon Black Enterprise Protection server.

Main Interface

To use cbapi with Carbon Black Protection, you will be using the CbProtectionAPI. The CbProtectionAPI object then exposes two main methods to select data on the Carbon Black server:

class cbapi.protection.rest_api.CbProtectionAPI(*args, **kwargs)

The main entry point into the Carbon Black Enterprise Protection API.

Parameters:profile (str) – (optional) Use the credentials in the named profile when connecting to the Carbon Black server. Uses the profile named ‘default’ when not specified.

Usage:

>>> from cbapi import CbEnterpriseProtectionAPI
>>> cb = CbEnterpriseProtectionAPI(profile="production")
create(cls, data=None)

Creates a new object.

Parameters:cls (class) – The Model class (only some models can be created, for example, Feed, Notification, …)
Returns:An empty instance of the Model class
Raises:ApiError – if the Model cannot be created
select(cls, unique_id=None, *args, **kwargs)

Prepares a query against the Carbon Black data store.

Parameters:
  • cls (class) – The Model class (for example, Computer, Process, Binary, FileInstance) to query
  • unique_id – (optional) The unique id of the object to retrieve, to retrieve a single object by ID
Returns:

An instance of the Model class if a unique_id is provided, otherwise a Query object

Queries

class cbapi.protection.rest_api.Query(doc_class, cb, query=None)

Represents a prepared query to the Carbon Black Enterprise Protection server.

This object is returned as part of a CbEnterpriseProtectionAPI.select() operation on models requested from the Carbon Black Enterprise Protection server. You should not have to create this class yourself.

The query is not executed on the server until it’s accessed, either as an iterator (where it will generate values on demand as they’re requested) or as a list (where it will retrieve the entire result set and save to a list). You can also call the Python built-in len() on this object to retrieve the total number of items matching the query.

The syntax for query :py:meth:where and :py:meth:sort methods can be found in the Enterprise Protection API reference posted on the Carbon Black Developer Network website.

Examples:

>>> from cbapi.protection import CbEnterpriseProtectionAPI, Computer
>>> cb = CbEnterpriseProtectionAPI()
>>> query = cb.select(Computer)                     # returns a Query object matching all Computers
>>> query = query.where("ipAddress:10.201.2.*")     # add a filter to this Query
>>> query = query.sort("processorSpeed DESC")       # sort by computer processor speed, descending
>>> for comp in query:                              # uses the iterator to retrieve all results
>>>     print(comp.name)
>>> comps = query[:10]                              # retrieve the first ten results
>>> len(query)                                      # retrieve the total count
Notes:
  • The slicing operator only supports start and end parameters, but not step. [1:-1] is legal, but [1:2:-1] is not.
  • You can chain where clauses together to create AND queries; only objects that match all where clauses will be returned.
and_(q)

Add a filter to this query. Equivalent to calling where() on this object.

Parameters:q (str) – Query string - see the Enterprise Protection API reference.
Returns:Query object
Return type:Query
sort(new_sort)

Set the sort order for this query.

Parameters:new_sort (str) – Sort order - see the Enterprise Protection API reference.
Returns:Query object
Return type:Query
where(q)

Add a filter to this query.

Parameters:q (str) – Query string - see the Enterprise Protection API reference.
Returns:Query object
Return type:Query

Models

class cbapi.protection.models.ApprovalRequest(cb, model_unique_id, initial_data=None)
ResolutionApproved = 2
ResolutionInstaller = 4
ResolutionNotResolved = 0
ResolutionOther = 7
ResolutionPublisher = 6
ResolutionRejected = 1
ResolutionRuleChange = 3
ResolutionUpdater = 5
StatusClosed = 3
StatusOpen = 2
StatusSubmitted = 1
computer
fileCatalog
installerFileCatalog
processFileCatalog
urlobject = '/api/bit9platform/v1/approvalRequest'
class cbapi.protection.models.Certificate(cb, model_unique_id, initial_data=None)
StateApproved = 2
StateBanned = 3
StateMixed = 4
StateUnapproved = 1
firstSeenComputer
parent
publisher
urlobject = '/api/bit9platform/v1/certificate'
class cbapi.protection.models.Computer(cb, model_unique_id, initial_data=None)

Represents a Computer object in the Carbon Black server.

fileInstances
policy
resetCLIPassword()
templateComputer
urlobject = '/api/bit9platform/v1/computer'
class cbapi.protection.models.Connector(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a Connector object in the Carbon Black server.

Variables:
  • id – Unique connector Id
  • name – Name of the connector. Note that only non-internal connectors can be renamed
  • analysisName – Name for analysis component of the connector (can be same as the name field)
  • connectorVersion – Version of this connector
  • canAnalyze – True if this connector can analyze files
  • enabled – True if connector is enabled
  • analysisEnabled – True if analysis component of this connector is enabled
  • isInternal – True if this is internal connector
  • analysisTargets – Array of possible analysis targets. Analysis targets are required when creating new fileAnalysis. They usualy represent different OS and configurations and are available only for some internal connectors.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

analysisEnabled = None
analysisName = None
analysisTargets = []
canAnalyze = None
connectorVersion = None
enabled = None
id = None
isInternal = None
name = None
pendingAnalyses
urlobject = '/api/bit9platform/v1/connector'
class cbapi.protection.models.DriftReport(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a DriftReport object in the Carbon Black server.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

urlobject = '/api/bit9platform/v1/driftReport'
class cbapi.protection.models.DriftReportContents(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a DriftReportContents object in the Carbon Black server.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

urlobject = '/api/bit9platform/v1/driftReportContents'
class cbapi.protection.models.EnforcementLevel
LevelHigh = 20
LevelLow = 40
LevelMedium = 30
LevelNone = 80
class cbapi.protection.models.Event(cb, model_unique_id, initial_data=None)

Represents a Event object in the Carbon Black server.

fileCatalog
urlobject = '/api/bit9platform/v1/event'
class cbapi.protection.models.FileAnalysis(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/fileAnalysis'
class cbapi.protection.models.FileCatalog(cb, model_unique_id, initial_data=None)

Represents a FileCatalog object in the Carbon Black server.

certificate
computer
fileHash
publisher
urlobject = '/api/bit9platform/v1/fileCatalog'
class cbapi.protection.models.FileInstance(cb, model_unique_id, initial_data=None)

Represents a FileInstance object in the Carbon Black server.

computer
fileCatalog
urlobject = '/api/bit9platform/v1/fileInstance'
class cbapi.protection.models.FileInstanceDeleted(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/fileInstanceDeleted'
class cbapi.protection.models.FileInstanceGroup(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/fileInstanceGroup'
class cbapi.protection.models.FileRule(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a FileRule object in the Carbon Black server.

Variables:
  • id – Unique id of this fileRule
  • fileCatalogId – Id of fileCatalog entry associated with this fileRule. Can be null if file hasn’t been seen on any endpoints yet. This is foreign key and can be expanded to expose fields from the related fileCatalog object
  • name – Name of this rule.
  • description – Description of this rule.
  • fileState – File state for this rule. Can be one of: 1=Unapproved 2=Approved 3=Banned
  • sourceType – Mechanism that created this rule. Can be one of: 1 = Manual 2 = Trusted Directory 3 = Reputation 4 = Imported 5 = External (API) 6 = Event Rule 7 = Application Template 8 = Unified Management
  • sourceId – Id of source of this rule. Can be event rule id or trusted directory id
  • reportOnly – True if this has a report-only ban
  • reputationApprovalsEnabled – True if reputation approvals are enabled for this file
  • forceInstaller – True if this file is forced to act as installer, even if product detected it as ‘not installer’
  • forceNotInstaller – True if this file is forced to act as ‘not installer’, even if product detected it as installer
  • policyIds – List of IDs of policies where this rule applies. Value will be empty if this is a global rule
  • hash – Hash associated with this rule. Note that hash will be available only if rule was created through md5 or sha-1 hash. If rule was created through fileName, fileCatalogId or sha-256 hash that exists in the catalog, this field will be empty.
  • fileName – File name associated with this rule. Note that file name will be available only if rule was created through file name. If rule was created through fileCatalogId or hash, this field will be empty.
  • lazyApproval – This filed is valid only when creating approvals. When set to true, it will cause approval to be sent to agent only if file is marked as installer or if it blocked on any agent. This is useful when proactively creating lot of approvals that might or might not be required, since it is using less resources. Note that, as soone as lazy approval is sent to agents, this field will changed to ‘false’.
  • platformFlags – Set of platform flags where this file rule will be valid. combination of: 1 = Windows 2 = Mac 4 = Linux
  • dateCreated – Date/time when this rule was created (UTC)
  • createdBy – User that created this object
  • createdByUserId – Id of user that created this object
  • dateModified – Date/time when this object was last modified (UTC)
  • modifiedBy – User that last modified this object
  • modifiedByUserId – Id of user that last modified this object
  • clVersion – CL version associated with this file rule
  • idUnique – Unique GUID of this rule
  • origIdUnique – Unique GUID of the original rule
  • unifiedFlag – Local override flag for unified rule (0 - if rule is not unified, 1 - no override allowed, 3 - local override allowed)
  • unifiedSource – Unified server name that created this rule
  • fileRuleType – Text description of file rule type
  • version – Version of this file rule
  • visible – If rule should be visible in the UI or not

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

PlatformLinux = 4
PlatformMac = 2
PlatformWindows = 1
SourceTypeApplicationTemplate = 7
SourceTypeEventRule = 6
SourceTypeExternal = 5
SourceTypeImported = 4
SourceTypeManual = 1
SourceTypeReputation = 3
SourceTypeTrustedDirectory = 2
SourceTypeUnifiedManagement = 8
StateApproved = 2
StateBanned = 3
StateUnapproved = 1
clVersion = None
createdBy = None
createdByUser
createdByUserId = None
dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
description = None
fileCatalog
fileCatalogId = None
fileName = None
fileRuleType = None
fileState = None
forceInstaller = None
forceNotInstaller = None
hash = None
id = None
idUnique = None
lazyApproval = None
modifiedBy = None
modifiedByUserId = None
name = None
origIdUnique = None
platformFlags = None
policyIds = None
reportOnly = None
reputationApprovalsEnabled = None
sourceId = None
sourceType = None
unifiedFlag = None
unifiedSource = None
urlobject = '/api/bit9platform/v1/fileRule'
version = None
visible = None
class cbapi.protection.models.FileUpload(cb, model_unique_id, initial_data=None)
file
urlobject = '/api/bit9platform/v1/fileUpload'
class cbapi.protection.models.GrantedUserPolicyPermission(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a GrantedUserPolicyPermission object in the Carbon Black server.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

urlobject = '/api/bit9platform/v1/grantedUserPolicyPermission'
class cbapi.protection.models.InternalEvent(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/internalEvent'
class cbapi.protection.models.MeteredExecution(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/meteredExecution'
class cbapi.protection.models.Notification(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a Notification object in the Carbon Black server.

Variables:
  • connectorId – Id of connector object that sent the notification
  • time – Date/time of the notification (UTC)
  • analysisResult – Analysis result. Can be one of: 0 = Unknown, 1 = Not malicious, 2 = Potential risk, 3 = Malicious
  • fileAnalysisId – Id of fileAnalysis object associated with the notification. This should be available if notification came as a result of the file analysis

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

ResultClean = 1
ResultMalicious = 3
ResultNotAvailable = 0
ResultPotentialThreat = 2
analysisResult = None
anomaly = None
appliance = None
connectorId = None
destIp = None
destUsername = None
directories = []
externalId = None
externalUrl = None
fileAnalysisId = None
fileName = None
files = []
flags = None
httpHeader = None
malwareName = None
malwareType = None
md5 = None
msgFormat = None
product = None
regKeys = []
severity = None
sha1 = None
sha256 = None
srcHost = None
srcIp = None
srcUsername = None
status = None
targetApp = None
targetOS = None
time = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
type = None
urlobject = '/api/bit9platform/v1/notification'
version = None
class cbapi.protection.models.Notifier(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/notifier'
class cbapi.protection.models.PendingAnalysis(cb, model_unique_id, initial_data=None)
ResultClean = 1
ResultMalicious = 3
ResultNotAvailable = 0
ResultPotentialThreat = 2
StatusAnalyzed = 3
StatusCancelled = 5
StatusError = 4
StatusProcessed = 2
StatusScheduled = 0
StatusSubmitted = 1
create_notification(**kwargs)
file
fileCatalog
fileHash
urlobject = '/api/bit9platform/v1/pendingAnalysis'
class cbapi.protection.models.Policy(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a Policy object in the Carbon Black server.

Variables:
  • id – Unique id of this policy
  • name – Name of this policy.
  • description – Description of this policy.
  • packageName – Name of installer package for this policy
  • enforcementLevel – Target enforcement level. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
  • disconnectedEnforcementLevel – Target enforcement level for disconnected computers. Can be one of: 20=High (Block Unapproved) 30=Medium (Prompt Unapproved) 40=Low (Monitor Unapproved) 60=None (Visibility) 80=None (Disabled)
  • helpDeskUrl – Helpdesk URL for notifiers in this policy
  • imageUrl – Image logo URL for notifiers in this policy
  • dateCreated – Date/time when this rule was created (UTC)
  • createdByUserId – Id of user that created this object
  • dateModified – Date/time when this object was last modified (UTC)
  • modifiedByUserId – Id of user that last modified this object
  • readOnly – True if this policy is read-only
  • hidden – True if this policy is hidden in the UI
  • automatic – True if AD mapping is enabled for this policy
  • loadAgentInSafeMode – True if agents in this policy will be loaded when machine is booted in ‘safe mode’
  • reputationEnabled – True if reputation approvals are enabled in this policy
  • fileTrackingEnabled – True if file tracking enabled in this policy
  • customLogo – True if notifiers in this policy use custom logo
  • automaticApprovalsOnTransition – True if agents in this policy will automatically locally approve files when transitioning into High Enforcement
  • allowAgentUpgrades – True if agents can be upgraded for this policy
  • totalComputers – Total number of computers in this policy
  • connectedComputers – Number of connected computers in this policy
  • atEnforcementComputers – Number of computers that are at target enforcement level in this policy
  • clVersionMax – Max target CL version for agents in this policy

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

allowAgentUpgrades = None
atEnforcementComputers = None
automatic = None
automaticApprovalsOnTransition = None
clVersionMax = None
connectedComputers = None
createdByUserId = None
dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
description = None
disconnectedEnforcementLevel = None
enforcementLevel = None
fileTrackingEnabled = None
helpDeskUrl = None
hidden = None
id = None
imageUrl = None
loadAgentInSafeMode = None
modifiedByUserId = None
name = None
packageName = None
readOnly = None
reputationEnabled = None
totalComputers = None
urlobject = '/api/bit9platform/v1/policy'
class cbapi.protection.models.Publisher(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/publisher'
class cbapi.protection.models.PublisherCertificate(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a PublisherCertificate object in the Carbon Black server.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

urlobject = '/api/bit9platform/v1/publisherCertificate'
class cbapi.protection.models.ScriptRule(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a ScriptRule object in the Carbon Black server.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

urlobject = '/api/bit9platform/v1/scriptRule'
class cbapi.protection.models.ServerConfig(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/serverConfig'
class cbapi.protection.models.ServerPerformance(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/serverPerformance'
class cbapi.protection.models.TrustedDirectory(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a TrustedDirectory object in the Carbon Black server.

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

urlobject = '/api/bit9platform/v1/trustedDirectory'
class cbapi.protection.models.TrustedUser(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a TrustedUser object in the Carbon Black server.

Variables:
  • id – Unique id of this trustedUser
  • name – Name of the user as it will appear on the console. This is not the name that will be enforced on the endpoint
  • userSid – Id of the user that will be trusted on the endpoint. This field can be user name, user SID (Security identifier) on Windows platforms or user’s ID on Linux and Mac platforms
  • description – Description of this rule
  • platformId – Platform where this trustedUser will be valid. it is one of: 1 = Windows, 2 = Mac, 4 = Linux
  • dateCreated – Date/time when this object was created (UTC)
  • createdByUserId – Id of user that created this object. This is foreign key and can be expanded to expose fields from the related user object
  • createdBy – User that created this object
  • dateModified – Date/time when this object was last modified (UTC)
  • modifiedByUserId – Id of user that last modified this object. This is foreign key and can be expanded to expose fields from the related user object
  • modifiedBy – User that last modified this object
  • clVersion – CL version associated with this trustedUser

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

clVersion = None
createdBy = None
createdByUserId = None
dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
description = None
id = None
modifiedBy = None
modifiedByUserId = None
name = None
platformId = None
urlobject = '/api/bit9platform/v1/trustedUser'
userSid = None
class cbapi.protection.models.Updater(cb, model_unique_id, initial_data=None)
urlobject = '/api/bit9platform/v1/updater'
class cbapi.protection.models.User(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a User object in the Carbon Black server.

Variables:
  • id – Unique id of this user
  • name – Name of the user
  • userGroupIds – Comma-separated list of IDs of corresponding userGroup objects
  • eMailAddress – EMail address of this user
  • firstName – First name of this user
  • lastName – Last name of this user
  • title – Title of this user
  • salutation – Salutation of this user
  • department – Department this user belongs to
  • homePhone – User’s home phone
  • cellPhone – User’s cell phone
  • backupCellPhone – User’s secondary cell phone
  • pager – User’s pager number
  • backupPager – User’s secondary pager number
  • comments – Comments for this user
  • adminComments – Administrator’s comments for this user
  • registrationDate – Date this user was first registered (UTC)
  • readOnly – True if this user is one of internal users (System or Cb Collective Defense Cloud Service) or AD user. These users cannot be modified through the API
  • external – True if this is externally generated user (e.g. from AD)
  • automatic – True if this user’s roles are assigned automatically through mappings (valid only for external users)
  • unified – True if this user’s token is already connected to a remote unified environment (token should not be changed)
  • enabled – True if this user is enabled
  • passwordHash – Hash of user password
  • passwordSalt – Salt used to generate password hash
  • apiToken – API token for this user

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

adminComments = None
apiToken = None
automatic = None
backupCellPhone = None
backupPager = None
cellPhone = None
comments = None
department = None
eMailAddress = None
enabled = None
external = None
firstName = None
homePhone = None
id = None
lastName = None
name = None
pager = None
passwordHash = None
passwordSalt = None
readOnly = None
registrationDate = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
salutation = None
title = None
unified = None
urlobject = '/api/bit9platform/v1/user'
userGroupIds = None
class cbapi.protection.models.UserGroup(cb, model_unique_id=None, initial_data=None, force_init=False, full_doc=False)

Represents a UserGroup object in the Carbon Black server.

Variables:
  • id – Unique id of this user group
  • name – Name of the user group
  • description – Description of this user group
  • permissions – Permissions associated with users of this user group as a hexadecimal string. See https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#usergroup for more information.
  • policyIds – List of IDs of policies where this user group applies. Value will be empty if this is a global user group
  • enabled – True if this userGroup is enabled
  • editable – True if this userGroup is editable
  • dateCreated – Date/time when this object was created (UTC)
  • createdByUserId – Id of user that created this object. This is foreign key and can be expanded to expose fields from the related user object
  • createdBy – User that created this object
  • dateModified – Date/time when this object was last modified (UTC)
  • modifiedByUserId – Id of user that last modified this object. This is foreign key and can be expanded to expose fields from the related user object
  • modifiedBy – User that last modified this object
  • automaticCount – Number of users that belong to this group and have been assigned through AD rule (doesn’t include internal users)
  • manualCount – Number of users that belong to this group and have been assigned manually (doesn’t include internal users)

Base model for :param cb: :param model_unique_id: :param initial_data: :param force_init: :param full_doc: :return:

automaticCount = None
createdBy = None
createdByUserId = None
dateCreated = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
dateModified = datetime.datetime(1970, 1, 1, 0, 0, tzinfo=tzlocal())
description = None
editable = None
enabled = None
id = None
manualCount = None
modifiedBy = None
modifiedByUserId = None
name = None
permissions = None
policyIds = None
urlobject = '/api/bit9platform/v1/userGroup'