Carbon Black Enterprise Response

Details
Content
Dependencies
Version History

Query and respond with Carbon Black endpoint detection and response.

This response and threat hunting pack provides you with endpoint data enabling you to investigate and analyze potential threats in real time.

What does this pack do?

Hunts for malicious indicators.
Investigates and analyzes potential malware and threats.
Remediates/removes unauthorized, malicious, or unwanted processes.
Gets alerts about suspected processes running on an endpoint.
Investigates processes and related files with potential malware or threats.

This pack includes several automations and playbooks to help with the malware investigations.

This response and threat hunting pack provides you with endpoint data enabling you to investigate and analyze potential threats in real time.

What does this pack do?

Hunts for malicious indicators.
Investigates and analyzes potential malware and threats.
Remediates/removes unauthorized, malicious, or unwanted processes.
Gets alerts about suspected processes running on an endpoint.
Investigates processes and related files with potential malware or threats.

This pack includes several automations and playbooks to help with the malware investigations.

Automations

Name	Description
CBLiveGetFile	Deprecated. Use CBLiveGetFile_V2 instead. Use Carbon black Response Live session to retrieve a file from an endpoint. Endpoint needs to have a CbResponse sensor deployed.
CBLiveGetFile_V2	This automation translates an endpoints hostname/IP to the Carbon Black sensor ID. It then opens a session to the endpoint to download the given file paths and closes the session.
CBFindIP	Search Carbon Black for connection to specified IP addresses.
CBLiveFetchFiles	Deprecated. Use CBLiveGetFile_V2 instead. Live.
CBAlerts	Get the list of Alerts from Carbon Black Enterprise Response. Supports the same arguments as the cb-alerts command.
CBSessions	List Carbon Black sessions
CBWatchlists	Display all watchlists and their details, queries, etc.
CBEvents	Returns all events associated with a process query
CBSensors	List Carbon Black sensors

Classifiers

Name	Description
Carbon Black EDR Classifier	Classifies Carbon Black EDR's alerts
Carbon Black EDR Mapper	Maps Carbon Black EDR's alert fields

Incident Fields

Name	Description
Carbon Black EDR Watchlist Id
Carbon Black EDR IOC Value
Carbon Black EDR Watchlist Name
Carbon Black EDR Segment ID

Incident Types

Name	Description
Carbon Black EDR

Integrations

Name	Description
VMware Carbon Black EDR (Deprecated)	Deprecated. Use VMware Carbon Black EDR v2 instead.
VMware Carbon Black EDR v2	VMware Carbon Black EDR (formerly known as Carbon Black Response).

Layouts

Name	Description
Carbon Black EDR Incidents

Playbooks

Name	Description
Block Endpoint - Carbon Black Response	Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolate an endpoint, given a hostname.
Search Endpoints By Hash - Carbon Black Response V2	Hunt for malicious indicators using Carbon Black
Block Endpoint - Carbon Black Response V2.1	Carbon Black Response - isolates an endpoint for a given hostname.
Block File - Carbon Black Response	This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the hash is already on the block list, no action is taken on the MD5. The playbook uses the integration ''VMware Carbon Black EDR v2".
Get the binary file from Carbon Black by its MD5 hash	This playbook retrieves a binary file by its MD5 hash from the Carbon Black telemetry data.
Get File Sample From Path - Carbon Black Enterprise Response	Returns a file sample to the war-room from a path on an endpoint using Carbon Black Enterprise Response
Block Endpoint - Carbon Black Response V2	Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolates an endpoint for a given hostname.
Carbon Black Response - Unisolate Endpoint	This playbook unisolates sensors according to the sensor ID that is provided in the playbook input.
Carbon Black EDR - Enrich Process	Test Playbook for Carbon Black EDR
Get File Sample By Hash - Carbon Black Enterprise Response	Returns to the war-room a file sample correlating to MD5 hashes in the input using Carbon Black Enterprise Response integration

Automations

Name	Description
CBFindIP	Search Carbon Black for connection to specified IP addresses.
CBAlerts	Get the list of Alerts from Carbon Black Enterprise Response. Supports the same arguments as the cb-alerts command.
CBLiveGetFile_V2	This automation translates an endpoints hostname/IP to the Carbon Black sensor ID. It then opens a session to the endpoint to download the given file paths and closes the session.
CBLiveGetFile	Deprecated. Use CBLiveGetFile_V2 instead. Use Carbon black Response Live session to retrieve a file from an endpoint. Endpoint needs to have a CbResponse sensor deployed.
CBWatchlists	Display all watchlists and their details, queries, etc.
CBLiveFetchFiles	Deprecated. Use CBLiveGetFile_V2 instead. Live.
CBSessions	List Carbon Black sessions
CBSensors	List Carbon Black sensors
CBEvents	Returns all events associated with a process query

Classifiers

Name	Description
Carbon Black EDR Classifier	Classifies Carbon Black EDR's alerts
Carbon Black EDR Mapper	Maps Carbon Black EDR's alert fields

Incident Fields

Name	Description
Carbon Black EDR Watchlist Id
Carbon Black EDR Watchlist Name
Carbon Black EDR Segment ID
Carbon Black EDR IOC Value

Incident Types

Name	Description
Carbon Black EDR

Integrations

Name	Description
VMware Carbon Black EDR v2	VMware Carbon Black EDR (formerly known as Carbon Black Response).
VMware Carbon Black EDR (Deprecated)	Deprecated. Use VMware Carbon Black EDR v2 instead.

Playbooks

Name	Description
Carbon Black Response - Unisolate Endpoint	This playbook unisolates sensors according to the sensor ID that is provided in the playbook input.
Block File - Carbon Black Response	This playbook receives an MD5 hash and adds it to the block list in Carbon Black Enterprise Response. Files with that MD5 hash are blocked from execution on the managed endpoints. If the hash is already on the block list, no action is taken on the MD5. The playbook uses the integration ''VMware Carbon Black EDR v2".
Block Endpoint - Carbon Black Response V2.1	Carbon Black Response - isolates an endpoint for a given hostname.
Block Endpoint - Carbon Black Response V2	Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolates an endpoint for a given hostname.
Block Endpoint - Carbon Black Response	Deprecated. Use the `Block Endpoint - Carbon Black Response V2.1` playbook instead. Carbon Black Response - isolate an endpoint, given a hostname.
Carbon Black EDR - Enrich Process	Test Playbook for Carbon Black EDR
Search Endpoints By Hash - Carbon Black Response V2	Hunt for malicious indicators using Carbon Black
Get the binary file from Carbon Black by its MD5 hash	This playbook retrieves a binary file by its MD5 hash from the Carbon Black telemetry data.
Get File Sample From Path - Carbon Black Enterprise Response	Returns a file sample to the war-room from a path on an endpoint using Carbon Black Enterprise Response
Get File Sample By Hash - Carbon Black Enterprise Response	Returns to the war-room a file sample correlating to MD5 hashes in the input using Carbon Black Enterprise Response integration

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Carbon Black Common Fields	By: Cortex XSOAR
Carbon Black Enterprise Live Response	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Phishing	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Carbon Black Enterprise Live Response	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Carbon Black Common Fields	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

2.1.48 - 1316088 (August 27, 2024)

Integrations

VMware Carbon Black EDR v2

Fixed an issue where the cb-edr-watchlist-create command did not return an error message when the command failed to create a new watchlist.
Updated the Docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 36016

Download

2.1.47 - R995825 (May 5, 2024)

Integrations

VMware Carbon Black EDR v2

Improved implementation of the documentation.

Related pull requests:
- 33380

Download

2.1.46 - 889167 (March 13, 2024)

Integrations

VMware Carbon Black EDR v2

Fixed an issue where alerts were not retrieved by the created_time sort field.
Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33317

Download

2.1.45 - 836299 (February 18, 2024)

Scripts

CBFindIP

Updated the Docker image to: demisto/python3:3.10.13.86272.

CBLiveGetFile_V2

Updated the Docker image to: demisto/python3:3.10.13.86272.

Related pull requests:
- 32446

Download

2.1.44 - 767481 (January 17, 2024)

Scripts

CBWatchlists

Updated the Docker image to: demisto/python3:3.10.13.84405.

CBAlerts

Updated the Docker image to: demisto/python3:3.10.13.84405.

Related pull requests:
- 32259

Download

2.1.43 - 7149458 (December 13, 2023)

Scripts

CBWatchlists

Updated the Docker image to: demisto/python3:3.10.13.83255.

CBAlerts

Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31427

Download

2.1.42 - R6592021 (October 13, 2023)

Playbooks

Block File - Carbon Black Response

The playbook is now using the integration 'VMware Carbon Black EDR v2' that replaced the EOL integration 'VMware Carbon Black EDR'.
Added the input 'Text' that allows the analyst to add a description of the block list.

Related pull requests:
- 29524

Download

2.1.41 - R6303396 (September 12, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.13.72123.

Related pull requests:
- 29430

Download

2.1.40 - 6122748 (August 22, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.12.68714.

Related pull requests:
- 29133

Download

2.1.39 - 5940472 (August 2, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.12.66339.

Related pull requests:
- 28699

Download

2.1.38 - R5866730 (July 25, 2023)

Scripts

CBLiveGetFile_V2

Updated the Docker image to: demisto/python3:3.10.12.63474.

CBFindIP

Updated the Docker image to: demisto/python3:3.10.12.63474.

CBWatchlists

Updated the Docker image to: demisto/python3:3.10.12.63474.

CBAlerts

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27997

Download

2.1.37 - 5692327 (July 5, 2023)

Integrations

VMware Carbon Black EDR v2

Fixed an issue where PREPREPRE and POSTPOSTPOST used to appear in data which is used only to highlight the data in Carbon Black UI.

Related pull requests:
- 27490
- 27883

Download

2.1.36 - 5649943 (June 29, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.12.63474.

Related pull requests:
- 27802

Download

2.1.35 - 5570976 (June 20, 2023)

Playbooks

Block Endpoint - Carbon Black Response

Deprecated. Use the Block Endpoint - Carbon Black Response V2.1 playbook instead.

Block Endpoint - Carbon Black Response V2

Deprecated. Use the Block Endpoint - Carbon Black Response V2.1 playbook instead.

New: Block Endpoint - Carbon Black Response V2.1

New: Carbon Black Response - isolates an endpoint for a given hostname or sensor id. (Available from Cortex XSOAR 6.8.0).

Related pull requests:
- 27100

Download

2.1.34 - 5470583 (June 7, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.11.61265.

Related pull requests:
- 27272

Download

2.1.33 - R5450895 (June 5, 2023)

Scripts

CBWatchlists

Updated the script to use the cb-edr-watchlists-list command instead of the deprecated cb-watchlist-get command.
Updated the Docker image to: demisto/python3:3.10.11.58677.

Related pull requests:
- 26468

Download

2.1.32 - R5170573 (May 2, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.11.54132.

Related pull requests:
- 25970

Download

2.1.31 - 4970096 (April 4, 2023)

Integrations

VMware Carbon Black EDR v2

Fixed an issue in the endpoint command where the sensor status could be misreported as Online.
Updated the docker image to: demisto/python3:3.10.10.51930.

Related pull requests:
- 25724

Download

2.1.30 - R4954430 (April 2, 2023)

Integrations

VMware Carbon Black EDR v2

The description of the endpoint command was updated.
Updated the Docker image to: demisto/python3:3.10.10.49934.

Related pull requests:
- 25399

Download

2.1.29 - 4760018 (March 7, 2023)

Playbooks

Get the binary file from Carbon Black by its MD5 hash

Updated the playbook to use VMware Carbon Black EDR v2.

Related pull requests:
- 25054

Download

2.1.28 - 4727595 (March 2, 2023)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.10.10.48392.

Related pull requests:
- 24986

Download

2.1.27 - R4718798 (March 1, 2023)

Layouts

Carbon Black EDR Incidents
This item is no longer supported in XSIAM.

Related pull requests:
- 24223

Download

2.1.26 - 4462378 (January 24, 2023)

Integrations

VMware Carbon Black EDR v2

Note: Organized the the integrations' parameters by sections. Relevant for XSIAM and XSOAR 8.1 and above.
Updated the Docker image to: demisto/python3:3.10.9.44472.

Related pull requests:
- 23837

Download

2.1.25 - 4045950 (November 16, 2022)

Integrations

VMware Carbon Black EDR v2

Fixed an issue where the integration couldn't pull alerts with status "False Positive" or "In Progress".

Related pull requests:
- 22260
- 22277

Download

2.1.24 - 3684182 (September 19, 2022)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 21309
- 20897

Download

2.1.23 - 3649843 (September 13, 2022)

Scripts

CBLiveFetchFiles

Deprecated. Use CBLiveGetFile_V2 instead.

Related pull requests:
- 21101

Download

2.1.22 - 3637072 (September 11, 2022)

Scripts

CBAlerts

- Updated the Docker image to: demisto/python3:3.10.6.33415.

CBWatchlists

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 21097

Download

2.1.21 - 3635034 (September 10, 2022)

Scripts

CBFindIP

Updated the Docker image to: demisto/python3:3.10.6.33415.

Related pull requests:
- 21005

Download

2.1.20 - 3427401 (August 9, 2022)

Integrations

VMware Carbon Black EDR v2

Added the command cb-edr-watchlist-update-action provides the ability to enable or disable watchlists.

Related pull requests:
- 20430
- 20180

Download

2.1.19 - 3305407 (July 21, 2022)

Integrations

VMware Carbon Black EDR v2

Removed excessive error traceback printing.

Related pull requests:
- 19484

Download

2.1.18 - 3281367 (July 17, 2022)

Integrations

VMware Carbon Black EDR v2

Fixed an issue where IP addresses fetched with cb-edr-process-event-list command were not shown in human-readable format. The integration now converts ip addresses to human-readable format. (e.g from 167772448 to 10.0.1.32).
Updated the Docker image to: demisto/python3:3.10.5.31928.

Related pull requests:
- 20065
- 19927

Download

2.1.17 - 3200623 (July 4, 2022)

Scripts

CBLiveGetFile

Replaced unwanted usage of demisto.log() with demisto.debug().

Related pull requests:
- 19840

Download

2.1.16 - 2941201 (May 18, 2022)

Scripts

CBLiveFetchFiles

Updated the Docker image to: demisto/python:2.7.18.27799.

CBAlerts

Updated the Docker image to: demisto/python:2.7.18.27799.

CBWatchlists

Updated the Docker image to: demisto/python:2.7.18.27799.

Download

2.1.15 - 2848830 (May 1, 2022)

Scripts

CBFindIP

Updated the Docker image to: demisto/python:2.7.18.27799.

Download

2.1.14 - 2674843 (March 30, 2022)

WARNING: This version is invalid. Please install a different version.

Integrations

VMware Carbon Black EDR v2

Added type validations and other internal code improvements.

Related pull requests:
- 18028
- 20109

Download

2.1.13 - 2551688 (March 10, 2022)

Integrations

VMware Carbon Black EDR v2

Breaking changes: Improved implementation of !endpoint command to use OR filtering instead of AND.
Updated the Docker image to: demisto/python3:3.10.1.26972.

Download

2.1.12 - 2179441 (December 29, 2021)

Scripts

CBLiveGetFile_V2

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

2.1.11 - R2150739 (December 22, 2021)

Scripts

CBFindIP

Updated the Docker image to: demisto/python:2.7.18.24398.

CBLiveFetchFiles

Updated the Docker image to: demisto/python:2.7.18.24398.

CBAlerts

Updated the Docker image to: demisto/python:2.7.18.24398.

CBWatchlists

Updated the Docker image to: demisto/python:2.7.18.24398.

Download

2.1.10 - 2044864 (December 2, 2021)

Integrations

VMware Carbon Black EDR v2

Fixed an issue where the cb-edr-quarantine-device and cb-edr-unquarantine-device commands failed to run on VMware Carbon Black EDR Server 7.5.0.

Download

2.1.9 - 2042391 (December 2, 2021)

Integrations

VMware Carbon Black EDR v2

Documentation fixes

VMware Carbon Black EDR (Deprecated)

Documentation fixes

Playbooks

Block File - Carbon Black Response

Documentation fixes

Download

2.1.8 - 2009340 (November 25, 2021)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.9.8.24399.

Download

2.1.7 - 7789574 (September 26, 2021)

Scripts

CBFindIP

Updated the Docker image to: demisto/python:2.7.18.24066.

CBLiveFetchFiles

Updated the Docker image to: demisto/python:2.7.18.24066.

CBAlerts

Updated the Docker image to: demisto/python:2.7.18.24066.

CBWatchlists

Updated the Docker image to: demisto/python:2.7.18.24066.

Download

2.1.6 - 7740378 (September 23, 2021)

Scripts

CBLiveGetFile_V2

Updated the Docker image to: demisto/python3:3.9.7.24076.

Download

2.1.5 - 7640590 (September 16, 2021)

Integrations

VMware Carbon Black EDR v2

Updated the Docker image to: demisto/python3:3.9.7.24076.

Download

2.1.4 - 7371081 (August 31, 2021)

Integrations

VMware Carbon Black EDR v2

Fixed an issue with parameters not sent correctly in fetch-incidents

Download

2.1.3 - 411022 (August 12, 2021)

Integrations

VMware Carbon Black EDR v2

Fixed an issue with parameters not received correctly in a few commands.

Download

2.1.2 - 410734 (August 12, 2021)

Integrations

VMware Carbon Black EDR v2

The endpoint command can now receive a list of ip as an input.
Updated the Docker image to: demisto/python3:3.9.6.22912.

Download

2.1.1 - 398245 (July 15, 2021)

Scripts

CBFindIP

Updated the Docker image to: demisto/python:2.7.18.20958.

CBLiveFetchFiles

Updated the Docker image to: demisto/python:2.7.18.20958.

CBLiveGetFile

Updated the Docker image to: demisto/python:2.7.18.20958.

CBWatchlists

Updated the Docker image to: demisto/python:2.7.18.20958.

CBAlerts

Updated the Docker image to: demisto/python:2.7.18.20958.

Download

2.1.0 - 397182 (July 13, 2021)

Integrations

VMware Carbon Black EDR (Deprecated)

Deprecated. Use VMware Carbon Black EDR v2 instead.

Download

2.0.0 - 390600 (June 28, 2021)

Classifiers

New: Carbon Black EDR Classifier

Classifies Carbon Black EDR's alerts (Available from Cortex XSOAR 6.0.0).

Incident Fields

Carbon Black EDR Watchlist Id
Carbon Black EDR Watchlist Name
Carbon Black EDR IOC Value
Carbon Black EDR Segment ID

Incident Types

Carbon Black EDR

Integrations

New: VMware Carbon Black EDR v2

VMware Carbon Black EDR (formerly known as Carbon Black Response) (Available from Cortex XSOAR 6.0.0).

Layouts

New: Carbon Black EDR Incidents

Carbon Black EDR Incident's standard layout (Available from Cortex XSOAR 6.0.0).

Mappers

New: Carbon Black EDR Mapper

Maps Carbon Black EDR's alert fields (Available from Cortex XSOAR 6.0.0).

Playbooks

New: Carbon Black EDR - Enrich Process

Default playbook for Carbon Black EDR Incidents (Available from Cortex XSOAR 6.0.0).

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 23, 2020
Last Release	August 27, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

VMware Carbon Black EDR (Live Response API)

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.