CB PSC API

This page documents the public interfaces exposed by cbapi when communicating with the Carbon Black Predictive Security Cloud (PSC).

Main Interface

To use cbapi with the Carbon Black PSC, you use CbPSCBaseAPI objects.

class cbapi.psc.rest_api.CbPSCBaseAPI(*args, **kwargs)

The main entry point into the Cb PSC API.

Parameters:profile (str) – (optional) Use the credentials in the named profile when connecting to the Carbon Black server. Uses the profile named ‘default’ when not specified.

Usage:

>>> from cbapi import CbPSCBaseAPI
>>> cb = CbPSCBaseAPI(profile="production")
alert_search_suggestions(query)

Returns suggestions for keys and field values that can be used in a search.

Parameters:str (query) – A search query to use.
Returns:A list of search suggestions expressed as dict objects.
api_json_request(method, uri, **kwargs)

Submit a request to the server.

Args:
method (str): HTTP method to use. uri (str): URI to submit the request to. **kwargs (dict): Additional arguments.
Returns:
object: Result of the operation.
Raises:
ServerError: If there’s an error output from the server.
bulk_threat_dismiss(threat_ids, remediation=None, comment=None)

Dismiss the alerts associated with multiple threat IDs. The alerts will be left in a DISMISSED state after this request.

Parameters:
  • list (threat_ids) – List of string threat IDs.
  • str (comment) – The remediation state to set for all alerts.
  • str – The comment to set for all alerts.
Returns:

The request ID, which may be used to select a WorkflowStatus object.

bulk_threat_update(threat_ids, remediation=None, comment=None)

Update the alert status of alerts associated with multiple threat IDs. The alerts will be left in an OPEN state after this request.

Parameters:
  • list (threat_ids) – List of string threat IDs.
  • str (comment) – The remediation state to set for all alerts.
  • str – The comment to set for all alerts.
Returns:

The request ID, which may be used to select a WorkflowStatus object.

create(cls, data=None)

Create a new object.

Args:
cls (class): The Model class (only some models can be created, for example, Feed, Notification, …) data (object): The data used to initialize the new object
Returns:
Model: An empty instance of the model class.
Raises:
ApiError: If the Model cannot be created.
delete_object(uri)

Send a DELETE request to the specified URI.

Args:
uri (str): The URI to send the DELETE request to.
Returns:
object: The return data from the DELETE request.
device_background_scan(device_ids, scan)

Set the background scan option for the specified devices.

Parameters:
  • device_ids (list) – List of IDs of devices to be set.
  • scan (boolean) – True to turn background scan on, False to turn it off.
device_bypass(device_ids, enable)

Set the bypass option for the specified devices.

Parameters:
  • device_ids (list) – List of IDs of devices to be set.
  • enable (boolean) – True to enable bypass, False to disable it.
device_delete_sensor(device_ids)

Delete the specified sensor devices.

Parameters:device_ids (list) – List of IDs of devices to be deleted.
device_quarantine(device_ids, enable)

Set the quarantine option for the specified devices.

Parameters:
  • device_ids (list) – List of IDs of devices to be set.
  • enable (boolean) – True to enable quarantine, False to disable it.
device_uninstall_sensor(device_ids)

Uninstall the specified sensor devices.

Parameters:device_ids (list) – List of IDs of devices to be uninstalled.
device_update_policy(device_ids, policy_id)

Set the current policy for the specified devices.

Parameters:
  • device_ids (list) – List of IDs of devices to be changed.
  • policy_id (int) – ID of the policy to set for the devices.
device_update_sensor_version(device_ids, sensor_version)

Update the sensor version for the specified devices.

Parameters:
  • device_ids (list) – List of IDs of devices to be changed.
  • sensor_version (dict) – New version properties for the sensor.
get_object(uri, query_parameters=None, default=None)

Submit a GET request to the server and parse the result as JSON before returning.

Args:
uri (str): The URI to send the GET request to. query_parameters (object): Parameters for the query. default (object): What gets returned in the event of an empty response.
Returns:
object: Result of the GET request.
get_raw_data(uri, query_parameters=None, default=None, **kwargs)

Submit a GET request to the server and return the result without parsing it.

Args:
uri (str): The URI to send the GET request to. query_parameters (object): Parameters for the query. default (object): What gets returned in the event of an empty response. **kwargs:
Returns:
object: Result of the GET request.
post_object(uri, body, **kwargs)

Send a POST request to the specified URI.

Args:
uri (str): The URI to send the POST request to. body (object): The data to be sent in the body of the POST request. **kwargs:
Returns:
object: The return data from the POST request.
put_object(uri, body, **kwargs)

Send a PUT request to the specified URI.

Args:
uri (str): The URI to send the PUT request to. body (object): The data to be sent in the body of the PUT request. **kwargs:
Returns:
object: The return data from the PUT request.
raise_unless_json(ret, expected)

Raise a ServerError unless we got back an HTTP 200 response with JSON containing all the expected values.

Args:
ret (object): Return value to be checked. expected (dict): Expected keys and values that need to be found in the JSON response.
Raises:
ServerError: If the HTTP response is anything but 200, or if the expected values are not found.
select(cls, unique_id=None, *args, **kwargs)

Prepare a query against the Carbon Black data store.

Args:
cls (class): The Model class (for example, Computer, Process, Binary, FileInstance) to query unique_id (optional): The unique id of the object to retrieve, to retrieve a single object by ID *args: **kwargs:
Returns:
object: An instance of the Model class if a unique_id is provided, otherwise a Query object
url

Return the connection URL.

Returns:
str: The connection URL.

Device API

The PSC can be used to enumerate devices within your organization, and change their status via a control request.

You can use the select() method on the CbPSCBaseAPI to create a query object for Device objects, which can be used to locate a list of Devices.

Example:

>>> cbapi = CbPSCBaseAPI(...)
>>> devices = cbapi.select(Device).set_os("LINUX").status("ALL")

Selects all devices running Linux from the current organization.

Query Object:

class cbapi.psc.devices_query.DeviceSearchQuery(doc_class, cb)

Represents a query that is used to locate Device objects.

background_scan(scan)

Set the background scan option for the specified devices.

Parameters:scan (boolean) – True to turn background scan on, False to turn it off.
bypass(enable)

Set the bypass option for the specified devices.

Parameters:enable (boolean) – True to enable bypass, False to disable it.
delete_sensor()

Delete the specified sensor devices.

download()

Uses the query parameters that have been set to download all device listings in CSV format.

Example:

>>> cb.select(Device).set_status(["ALL"]).download()
Returns:The CSV raw data as returned from the server.
quarantine(enable)

Set the quarantine option for the specified devices.

Parameters:enable (boolean) – True to enable quarantine, False to disable it.
set_ad_group_ids(ad_group_ids)

Restricts the devices that this query is performed on to the specified AD group IDs.

Parameters:ad_group_ids – list of ints
Returns:This instance
set_device_ids(device_ids)

Restricts the devices that this query is performed on to the specified device IDs.

Parameters:ad_group_ids – list of ints
Returns:This instance
set_exclude_sensor_versions(sensor_versions)

Restricts the devices that this query is performed on to exclude specified sensor versions.

Parameters:sensor_versions – List of sensor versions to exclude
Returns:This instance
set_last_contact_time(*args, **kwargs)

Restricts the devices that this query is performed on to the specified last contact time (either specified as a start and end point or as a range).

Returns:This instance
set_os(operating_systems)

Restricts the devices that this query is performed on to the specified operating systems.

Parameters:operating_systems – list of operating systems
Returns:This instance
set_policy_ids(policy_ids)

Restricts the devices that this query is performed on to the specified policy IDs.

Parameters:policy_ids – list of ints
Returns:This instance
set_status(statuses)

Restricts the devices that this query is performed on to the specified status values.

Parameters:statuses – list of strings
Returns:This instance
set_target_priorities(target_priorities)

Restricts the devices that this query is performed on to the specified target priority values.

Parameters:target_priorities – list of strings
Returns:This instance
sort_by(key, direction='ASC')

Sets the sorting behavior on a query’s results.

Example:

>>> cb.select(Device).sort_by("name")
Parameters:
  • key – the key in the schema to sort by
  • direction – the sort order, either “ASC” or “DESC”
Return type:

DeviceSearchQuery

uninstall_sensor()

Uninstall the specified sensor devices.

update_policy(policy_id)

Set the current policy for the specified devices.

Parameters:policy_id (int) – ID of the policy to set for the devices.
update_sensor_version(sensor_version)

Update the sensor version for the specified devices.

Parameters:sensor_version (dict) – New version properties for the sensor.

Model Object:

class cbapi.psc.models.Device(cb, model_unique_id, initial_data=None)

Represents a Device object in the Carbon Black server.

Variables:
activation_code = None
activation_code_expiry_time = None
ad_group_id = None
av_ave_version = None
av_engine = None
av_last_scan_time = None
av_master = None
av_pack_version = None
av_product_version = None
av_status = []
av_update_servers = []
av_vdf_version = None
background_scan(flag)

Set the background scan option for this device.

Parameters:flag (boolean) – True to turn background scan on, False to turn it off.
bypass(flag)

Set the bypass option for this device.

Parameters:flag (boolean) – True to enable bypass, False to disable it.
current_sensor_policy_name = None
delete_sensor()

Delete this sensor device.

deregistered_time = None
device_id = None
device_meta_data_item_list = []
device_owner_id = None
email = None
encoded_activation_code = None
first_name = None
id = None
last_contact_time = None
last_device_policy_changed_time = None
last_device_policy_requested_time = None
last_external_ip_address = None
last_internal_ip_address = None
last_location = None
last_name = None
last_policy_updated_time = None
last_reported_time = None
last_reset_time = None
last_shutdown_time = None
linux_kernel_version = None
login_user_name = None
lr_session()

Retrieve a Live Response session object for this Device.

Returns:Live Response session object
Return type:cbapi.defense.cblr.LiveResponseSession
Raises:ApiError – if there is an error establishing a Live Response session for this Device
mac_address = None
middle_name = None
name = None
organization_id = None
organization_name = None
os = None
os_version = None
passive_mode = None
policy_id = None
policy_name = None
policy_override = None
primary_key = 'id'
quarantine(flag)

Set the quarantine option for this device.

Parameters:flag (boolean) – True to enable quarantine, False to disable it.
quarantined = None
registered_time = None
scan_last_action_time = None
scan_last_complete_time = None
scan_status = None
sensor_out_of_date = None
sensor_states = []
sensor_version = None
status = None
target_priority_type = None
uninstall_code = None
uninstall_sensor()

Uninstall this sensor device.

update_policy(policy_id)

Set the current policy for this device.

Parameters:policy_id (int) – ID of the policy to set for the devices.
update_sensor_version(sensor_version)

Update the sensor version for this device.

Parameters:sensor_version (dict) – New version properties for the sensor.
urlobject = '/appservices/v6/orgs/{0}/devices'
urlobject_single = '/appservices/v6/orgs/{0}/devices/{1}'
vdi_base_device = None
virtual_machine = None
virtualization_provider = None
windows_platform = None

Alerts API

Using the API, you can search for alerts within your organization, and dismiss or undismiss them, either individually or in bulk.

You can use the select() method on the CbPSCBaseAPI to create a query object for BaseAlert objects, which can be used to locate a list of alerts. You can also search for more specialized alert types:

  • CBAnalyticsAlert - Alerts from CB Analytics
  • VMwareAlert - Alerts from VMware
  • WatchlistAlert - Alerts from watch lists

Example:

>>> cbapi = CbPSCBaseAPI(...)
>>> alerts = cbapi.select(BaseAlert).set_device_os(["WINDOWS"]).set_process_name(["IEXPLORE.EXE"])

Selects all alerts on a Windows device running the Internet Explorer process.

Individual alerts may have their status changed using the dismiss() or update() methods on the BaseAlert object. To dismiss multiple alerts at once, you can use the dismiss() or update() methods on the standard query, after adding criteria to it. This method returns a request ID, which can be used to create a WorkflowStatus object; querying this object’s “finished” property will let you know when the operation is finished.

Example:

>>> cbapi = CbPSCBaseAPI(...)
>>> query = cbapi.select(BaseAlert).set_process_name(["IEXPLORE.EXE"])
>>> reqid = query.dismiss("Using Chrome")
>>> stat = cbapi.select(WorkflowStatus, reqid)
>>> while not stat.finished:
>>>     # wait for it to finish

This dismisses all alerts which reference the Internet Explorer process.

Query Objects:

class cbapi.psc.alerts_query.BaseAlertSearchQuery(doc_class, cb)

Represents a query that is used to locate BaseAlert objects.

dismiss(remediation=None, comment=None)

Dismiss all alerts matching the given query. The alerts will be left in a DISMISSED state after this request.

Parameters:
  • str (comment) – The remediation state to set for all alerts.
  • str – The comment to set for all alerts.
Returns:

The request ID, which may be used to select a WorkflowStatus object.

facets(fieldlist, max_rows=0)

Return information about the facets for this alert by search, using the defined criteria.

Parameters:
  • list (fieldlist) – List of facet field names. Valid names are “ALERT_TYPE”, “CATEGORY”, “REPUTATION”, “WORKFLOW”, “TAG”, “POLICY_ID”, “POLICY_NAME”, “DEVICE_ID”, “DEVICE_NAME”, “APPLICATION_HASH”, “APPLICATION_NAME”, “STATUS”, “RUN_STATE”, “POLICY_APPLIED_STATE”, “POLICY_APPLIED”, and “SENSOR_ACTION”.
  • int (max_rows) – The maximum number of rows to return. 0 means return all rows.
Returns:

A list of facet information specified as dicts.

set_alert_ids(alert_ids)

Restricts the alerts that this query is performed on to the specified alert IDs.

Parameters:list (alert_ids) – List of string alert IDs.
Returns:This instance
set_categories(categories)

Restricts the alerts that this query is performed on to the specified categories.

Parameters:list (categories) – List of categories to be restricted to. Valid categories are “THREAT”, “MONITORED”, “INFO”, “MINOR”, “SERIOUS”, and “CRITICAL.”
Returns:This instance
set_create_time(*args, **kwargs)

Restricts the alerts that this query is performed on to the specified creation time (either specified as a start and end point or as a range).

Returns:This instance
set_device_ids(device_ids)

Restricts the alerts that this query is performed on to the specified device IDs.

Parameters:list (device_ids) – list of integer device IDs
Returns:This instance
set_device_names(device_names)

Restricts the alerts that this query is performed on to the specified device names.

Parameters:list (device_names) – list of string device names
Returns:This instance
set_device_os(device_os)

Restricts the alerts that this query is performed on to the specified device operating systems.

Parameters:list (device_os) – List of string operating systems. Valid values are “WINDOWS”, “ANDROID”, “MAC”, “IOS”, “LINUX”, and “OTHER.”
Returns:This instance
set_device_os_versions(device_os_versions)

Restricts the alerts that this query is performed on to the specified device operating system versions.

Parameters:list (device_os_versions) – List of string operating system versions.
Returns:This instance
set_device_username(users)

Restricts the alerts that this query is performed on to the specified user names.

Parameters:list (users) – List of string user names.
Returns:This instance
set_group_results(do_group)

Specifies whether or not to group the results of the query.

Parameters:boolean (do_group) – True to group the results, False to not do so.
Returns:This instance
set_legacy_alert_ids(alert_ids)

Restricts the alerts that this query is performed on to the specified legacy alert IDs.

Parameters:list (alert_ids) – List of string legacy alert IDs.
Returns:This instance
set_minimum_severity(severity)

Restricts the alerts that this query is performed on to the specified minimum severity level.

Parameters:int (severity) – The minimum severity level for alerts.
Returns:This instance
set_policy_ids(policy_ids)

Restricts the alerts that this query is performed on to the specified policy IDs.

Parameters:list (policy_ids) – list of integer policy IDs
Returns:This instance
set_policy_names(policy_names)

Restricts the alerts that this query is performed on to the specified policy names.

Parameters:list (policy_names) – list of string policy names
Returns:This instance
set_process_names(process_names)

Restricts the alerts that this query is performed on to the specified process names.

Parameters:list (process_names) – list of string process names
Returns:This instance
set_process_sha256(shas)

Restricts the alerts that this query is performed on to the specified process SHA-256 hash values.

Parameters:list (shas) – list of string process SHA-256 hash values
Returns:This instance
set_reputations(reps)

Restricts the alerts that this query is performed on to the specified reputation values.

Parameters:list (reps) – List of string reputation values. Valid values are “KNOWN_MALWARE”, “SUSPECT_MALWARE”, “PUP”, “NOT_LISTED”, “ADAPTIVE_WHITE_LIST”, “COMMON_WHITE_LIST”, “TRUSTED_WHITE_LIST”, and “COMPANY_BLACK_LIST”.
Returns:This instance
set_tags(tags)

Restricts the alerts that this query is performed on to the specified tag values.

Parameters:list (tags) – list of string tag values
Returns:This instance
set_target_priorities(priorities)

Restricts the alerts that this query is performed on to the specified target priority values.

Parameters:list (priorities) – List of string target priority values. Valid values are “LOW”, “MEDIUM”, “HIGH”, and “MISSION_CRITICAL”.
Returns:This instance
set_threat_ids(threats)

Restricts the alerts that this query is performed on to the specified threat ID values.

Parameters:list (threats) – list of string threat ID values
Returns:This instance
set_types(alerttypes)

Restricts the alerts that this query is performed on to the specified alert type values.

Parameters:list (alerttypes) – List of string alert type values. Valid values are “CB_ANALYTICS”, “VMWARE”, and “WATCHLIST”.
Returns:This instance
set_workflows(workflow_vals)

Restricts the alerts that this query is performed on to the specified workflow status values.

Parameters:list (workflow_vals) – List of string alert type values. Valid values are “OPEN” and “DISMISSED”.
Returns:This instance
sort_by(key, direction='ASC')

Sets the sorting behavior on a query’s results.

Example:

>>> cb.select(BaseAlert).sort_by("name")
Parameters:
  • key – the key in the schema to sort by
  • direction – the sort order, either “ASC” or “DESC”
Return type:

BaseAlertSearchQuery

update(remediation=None, comment=None)

Update all alerts matching the given query. The alerts will be left in an OPEN state after this request.

Parameters:
  • str (comment) – The remediation state to set for all alerts.
  • str – The comment to set for all alerts.
Returns:

The request ID, which may be used to select a WorkflowStatus object.

class cbapi.psc.alerts_query.CBAnalyticsAlertSearchQuery(doc_class, cb)

Represents a query that is used to locate CBAnalyticsAlert objects.

set_blocked_threat_categories(categories)

Restricts the alerts that this query is performed on to the specified threat categories that were blocked.

Parameters:list (categories) – List of threat categories to look for. Valid values are “UNKNOWN”, “NON_MALWARE”, “NEW_MALWARE”, “KNOWN_MALWARE”, and “RISKY_PROGRAM”.
Returns:This instance.
set_device_locations(locations)

Restricts the alerts that this query is performed on to the specified device locations.

Parameters:list (locations) – List of device locations to look for. Valid values are “ONSITE”, “OFFSITE”, and “UNKNOWN”.
Returns:This instance.
set_kill_chain_statuses(statuses)

Restricts the alerts that this query is performed on to the specified kill chain statuses.

Parameters:list (statuses) – List of kill chain statuses to look for. Valid values are “RECONNAISSANCE”, “WEAPONIZE”, “DELIVER_EXPLOIT”, “INSTALL_RUN”,”COMMAND_AND_CONTROL”, “EXECUTE_GOAL”, and “BREACH”.
Returns:This instance.
set_not_blocked_threat_categories(categories)

Restricts the alerts that this query is performed on to the specified threat categories that were NOT blocked.

Parameters:list (categories) – List of threat categories to look for. Valid values are “UNKNOWN”, “NON_MALWARE”, “NEW_MALWARE”, “KNOWN_MALWARE”, and “RISKY_PROGRAM”.
Returns:This instance.
set_policy_applied(applied_statuses)

Restricts the alerts that this query is performed on to the specified status values showing whether policies were applied.

Parameters:list (applied_statuses) – List of status values to look for. Valid values are “APPLIED” and “NOT_APPLIED”.
Returns:This instance.
set_reason_code(reason)

Restricts the alerts that this query is performed on to the specified reason codes (enum values).

Parameters:list (reason) – List of string reason codes to look for.
Returns:This instance.
set_run_states(states)

Restricts the alerts that this query is performed on to the specified run states.

Parameters:list (states) – List of run states to look for. Valid values are “DID_NOT_RUN”, “RAN”, and “UNKNOWN”.
Returns:This instance.
set_sensor_actions(actions)

Restricts the alerts that this query is performed on to the specified sensor actions.

Parameters:list (actions) – List of sensor actions to look for. Valid values are “POLICY_NOT_APPLIED”, “ALLOW”, “ALLOW_AND_LOG”, “TERMINATE”, and “DENY”.
Returns:This instance.
set_threat_cause_vectors(vectors)

Restricts the alerts that this query is performed on to the specified threat cause vectors.

Parameters:list (vectors) – List of threat cause vectors to look for. Valid values are “EMAIL”, “WEB”, “GENERIC_SERVER”, “GENERIC_CLIENT”, “REMOTE_DRIVE”, “REMOVABLE_MEDIA”, “UNKNOWN”, “APP_STORE”, and “THIRD_PARTY”.
Returns:This instance.
class cbapi.psc.alerts_query.VMwareAlertSearchQuery(doc_class, cb)

Represents a query that is used to locate VMwareAlert objects.

set_group_ids(groupids)

Restricts the alerts that this query is performed on to the specified AppDefense-assigned alarm group IDs.

Parameters:list (groupids) – List of (integer) AppDefense-assigned alarm group IDs.
Returns:This instance.
class cbapi.psc.alerts_query.WatchlistAlertSearchQuery(doc_class, cb)

Represents a query that is used to locate WatchlistAlert objects.

set_watchlist_ids(ids)

Restricts the alerts that this query is performed on to the specified watchlist ID values.

Parameters:list (ids) – list of string watchlist ID values
Returns:This instance
set_watchlist_names(names)

Restricts the alerts that this query is performed on to the specified watchlist name values.

Parameters:list (names) – list of string watchlist name values
Returns:This instance

Model Objects:

class cbapi.psc.models.Workflow(cb, initial_data=None)

Represents a Workflow object in the Carbon Black server.

Variables:
  • changed_by – Username of the user who changed the workflow
  • comment – Comment when updating the workflow
  • last_update_time – When the workflow was last updated
  • remediation – Alert remediation code. Indicates the result of the investigation into the alert
  • state – State of the workflow
changed_by = None
comment = None
last_update_time = None
remediation = None
state = None
class cbapi.psc.models.BaseAlert(cb, model_unique_id, initial_data=None)

Represents a BaseAlert object in the Carbon Black server.

Variables:
  • category – Alert category - Monitored vs Threat
  • create_time – Time the alert was created
  • device_id – ID of the device
  • device_name – Device name
  • device_os – Device OS
  • device_os_version – Device OS Version
  • device_username – Logged on user during the alert. This is filled on a best-effort approach. If the user is not available it may be populated with the device owner
  • first_event_time – Time of the first event in an alert
  • group_details – Group details for when alert grouping is on
  • id – Unique ID for this alert
  • last_event_time – Time of the last event in an alert
  • last_update_time – Time the alert was last updated
  • legacy_alert_id – Unique short ID for this alert. This is deprecated and only available on alerts stored in the old schema.
  • notes_present – Are notes present for this threatId
  • org_key – Unique identifier for the organization to which the alert belongs
  • policy_id – ID of the policy the device was in at the time of the alert
  • policy_name – Name of the policy the device was in at the time of the alert
  • severity – Threat ranking
  • tags – Tags for the alert
  • target_value – Device priority as assigned via the policy
  • threat_id – ID of the threat to which this alert belongs. Threats are comprised of a combination of factors that can be repeated across devices.
  • type – Type of the alert
  • workflow – User-updatable status of the alert
category = None
create_time = None
device_id = None
device_name = None
device_os = None
device_os_version = None
device_username = None
dismiss(remediation=None, comment=None)

Dismiss this alert.

Parameters:
  • str (comment) – The remediation status to set for the alert.
  • str – The comment to set for the alert.
dismiss_threat(remediation=None, comment=None)

Dismiss alerts for this threat.

Parameters:
  • str (comment) – The remediation status to set for the alert.
  • str – The comment to set for the alert.
first_event_time = None
group_details = {}
id = None
last_event_time = None
last_update_time = None
legacy_alert_id = None
notes_present = None
org_key = None
policy_id = None
policy_name = None
primary_key = 'id'
severity = None
tags = []
target_value = None
threat_id = None
type = None
update(remediation=None, comment=None)

Update this alert.

Parameters:
  • str (comment) – The remediation status to set for the alert.
  • str – The comment to set for the alert.
update_threat(remediation=None, comment=None)

Update alerts for this threat.

Parameters:
  • str (comment) – The remediation status to set for the alert.
  • str – The comment to set for the alert.
urlobject = '/appservices/v6/orgs/{0}/alerts'
urlobject_single = '/appservices/v6/orgs/{0}/alerts/{1}'
workflow = {}
workflow_
class cbapi.psc.models.CBAnalyticsAlert(cb, model_unique_id, initial_data=None)

Represents a CBAnalyticsAlert object in the Carbon Black server.

urlobject = '/appservices/v6/orgs/{0}/alerts/cbanalytics'
class cbapi.psc.models.VMwareAlert(cb, model_unique_id, initial_data=None)

Represents a VMwareAlert object in the Carbon Black server.

urlobject = '/appservices/v6/orgs/{0}/alerts/vmware'
class cbapi.psc.models.WatchlistAlert(cb, model_unique_id, initial_data=None)

Represents a WatchlistAlert object in the Carbon Black server.

urlobject = '/appservices/v6/orgs/{0}/alerts/watchlist'
class cbapi.psc.models.WorkflowStatus(cb, model_unique_id, initial_data=None)

Represents a WorkflowStatus object in the Carbon Black server.

Variables:
  • errors – Errors for dismiss alerts or threats, if no errors it won’t be included in response
  • failed_ids – Failed ids
  • id – Time based id for async job, it’s not unique across the orgs
  • num_hits – Total number of alerts to be operated on
  • num_success – Successfully operated number of alerts
  • status – Status for the async progress
  • workflow – Requested workflow change
errors = []
failed_ids = []
finished
id = None
id_
in_progress
num_hits = None
num_success = None
primary_key = 'id'
queued
status = None
urlobject_single = '/appservices/v6/orgs/{0}/workflow/status/{1}'
workflow = {}
workflow_