Releases: carbonblack/cbapi-python

cbapi Python Bindings - 1.5.0

23 Jul 15:45
Pre-release

Please use v1.5.1

CBAPI now supports CB LiveOps.
CB LiveOps API Reference.

Change Log

  • CB LiveOps
    • Start new LiveQuery (LQ) runs
    • Fetch LQ results
    • View LQ run status
    • Filter on LQ results
  • PSC Org Key Management
    • Added support for org key management within CBAPI
    • Credentials utility for org keys
    • PR #166, #169, #170

Examples

  • LiveQuery - manage_run.py
  • LiveQuery - run_search.py

cbapi Python Bindings - 1.4.5

11 Jul 15:18

CBAPI v1.4.5

Change Log

  • CB ThreatHunter
    • Route Updates for Process Search, Feed Management, Watchlist Management
    • Enforce org_key Presence
    • Org-based Process Search
    • Org-based Event Search
    • Org-based Tree Queries
  • Minor updates to improve Python3 Compatibility

Updated Examples

  • Updated CB TH Process Search Example
  • Added process_guid to process_tree example for ThreatHunter

cbapi Python Bindings - 1.4.4

03 Jul 15:48

CBAPI v1.4.4

Change Log

  • PR #142: Carbon Black UBS Support
  • CB Response
    • Fixing bulk update for Alerts to use v1 route
  • PR #157: Updates to use yaml safe_load

Updated Examples

  • Refactored Carbon Black ThreatHunter examples
  • Added process_guid to process_tree example for ThreatHunter

cbapi Python Bindings - 1.4.3

07 May 14:24
42584da

CBAPI v1.4.3

Change Log

  • CB ThreatHunter - Feed fixes #156
  • CB Response - Change Alert model object to use v2 route #155
  • CB Response - Only view active LR sessions #154
  • Removing refs to VT alliance feeds #144

Updated Examples

  • CB Defense - Create list_events_with_cmdline_csv.py #152
  • CB Defense - Updated import link to proper module #148

Pull Requests & Issues

cbapi Python Bindings - 1.4.2

27 Mar 19:31

CBAPI v1.4.2

Change Log

  • CB ThreatHunter Feed fixes
  • Improved log messages
  • Updates to Readthedocs website

cbapi Python Bindings - 1.4.0

13 Feb 20:35
1049899

CBAPI v1.4.0

We are proud to announce that CbAPI 1.4.0 is now available for installation via Python's PyPI.
This release includes compatibility with Carbon Black PSC ThreatHunter and the new APIs available in PSC's ThreatHunter.

Change Log

Currently, the Process Search API is exposed. As of version 1.4.0, there are three available model objects:

  • Process
  • Event
  • Tree

cbapi Python Bindings - 1.3.6

21 Jun 19:12

This release has one critical fix:

  • Fix a fatal exception when connecting to Cb Response 6.1.x servers

cbapi Python Bindings - 1.3.5

21 Jun 18:39

This release includes bugfixes and contributions from the Carbon Black community.

All products:

  • More Python 3 compatibility fixes.
  • Fix the wait_for_completion and wait_for_output options in the Live Response .create_process() method.
    If wait_for_completion is True, the call to .create_process() will block until the remote process
    has exited. If wait_for_output is True, then .create_process() will additionally wait until the output
    of the remote process is ready and return that output to the caller. Setting wait_for_output to True automatically sets wait_for_completion to True as well.
  • The BaseAPI constructor now takes three new optional keyword arguments to control the underlying connection pool: pool_connections, pool_maxsize, and pool_block. These arguments are sent to the underlying HTTPAdapter used when connecting to the Carbon Black server. For more information on these parameters, see the Python requests module API documentation for HTTPAdapter.

Cb Defense:

  • Date/time stamps in the Device model object are now represented as proper Python datetime objects, rather than integers.
  • The policy_operations.py example script's "Replace Rule" command is fixed.
  • Add the Cb Live Response job-based API.
  • Add a new example script list_devices.py

Cb Response:

  • The Process and Binary model objects now return None by default when a non-existent attribute is referenced, rather than throwing an exception.
  • Fixes to walk_children.py example script.
  • Fix exceptions in enumerating child processes, retrieving path and MD5sums from processes.
  • Multiple .where() clauses can now be used in the Sensor model object.
  • Workaround implemented for retrieving/managing more than 500 banned hashes.
  • Alert bulk operations now work on batches of 500 alerts.
  • .flush_events() method on Sensor model object no longer throws an exception on Cb Response 6.x servers.
  • .restart_sensor() method now available for Sensor model object.
  • Fix user_operations.py example script to eliminate exception when adding a new user to an existing team.
  • Add .remove_team() method on User model object.
  • Automatically set cb.legacy_5x_mode query parameter for all Process queries whenever a legacy Solr core (from Cb Response 5.x) is loaded.
  • Added .use_comprehensive_search() method to enable the "comprehensive search" option on a Process query. See the Cb Developer Network documentation on Comprehensive Search for more information on "comprehensive search".
  • Add .all_childprocs(), .all_modloads(), .all_filemods(), .all_regmods(), .all_crossprocs(), and .all_netconns() methods to retrieve process events from all segments, rather than the current process segment. You can also use the special segment "0" to retrieve process events across all segments.
  • Fix cmdline_filters in the IngressFilter model object.

Cb Protection:

  • Tamper Protection can now be set and cleared in the Computer model object.

cbapi Python Bindings - 1.3.3

01 Sep 20:22

This release includes security improvements and bugfixes.

Security changes:

  • CbAPI enforces the use of HTTPS when connecting to on-premise Cb Response servers.

  • CbAPI can optionally require TLSv1.2 when connecting to Carbon Black servers.

    • Note that some versions of Python and OpenSSL, notably the version of OpenSSL packaged with Mac OS X, do not support TLSv1.2. This will cause CbAPI to fail to connect to Cb Response 6.1+ servers which require TLSv1.2 cipher suites.
    • A new command, cbapi check-tls, will report the TLS version supported by your platform.
    • To enforce the use of TLSv1.2 when connecting to a server, add ssl_force_tls_1_2=True to that server's credential profile.
  • Add the ability to "pin" a specific server certificate to a credential profile.

    • You can now force TLS certificate verification on self-signed, on-premise installations of Cb Response or Protection through the ssl_cert_file option in the credential profile.
    • To "pin" a server certificate, save the PEM-formatted server certificate to a file, and put the full path to that PEM file in the ssl_cert_file option of that server's credential profile.
    • When using this option with on-premise Cb Response servers, you may also have to set ssl_verify_hostname=False as the hostname in the certificate generated at install time is localhost and will not match the server's hostname or IP address. This option will still validate that the server's certificate is valid and matches the copy in the ssl_cert_file option.
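
A small audit of credential profiles for the TLS options described above, as an added example that is not part of the release notes or of cbapi itself. It assumes the INI-style credential file layout with `url` and `ssl_verify` keys and the defaults noted in the comments; the sample profiles, hostnames and paths are constructed.

```python
import configparser

# Constructed sample credential file (INI layout assumed for cbapi profiles);
# hostnames, tokens and paths are made up for this example.
SAMPLE = """
[lab]
url = http://cbr.example.internal
token = PLACEHOLDER
ssl_verify = False

[pinned]
url = https://cbr.example.internal
token = PLACEHOLDER
ssl_cert_file = /etc/carbonblack/cbr-server.pem
ssl_verify_hostname = False
ssl_force_tls_1_2 = True

[nohost]
url = https://cbr.example.internal
token = PLACEHOLDER
ssl_verify_hostname = False
"""

def audit_profiles(text):
    """Return {profile: [findings]} for the TLS options named in the 1.3.3 notes."""
    # Assumed defaults: ssl_verify and ssl_verify_hostname on, ssl_force_tls_1_2 off.
    cp = configparser.ConfigParser()
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        p = cp[name]
        findings = []
        if not p.get("url", "").lower().startswith("https://"):
            findings.append("url is not HTTPS")
        if not p.getboolean("ssl_verify", fallback=True):
            findings.append("ssl_verify disabled")
        pinned = bool(p.get("ssl_cert_file", "").strip())
        if not p.getboolean("ssl_verify_hostname", fallback=True) and not pinned:
            findings.append("ssl_verify_hostname disabled without ssl_cert_file pin")
        if not p.getboolean("ssl_force_tls_1_2", fallback=False):
            findings.append("ssl_force_tls_1_2 not set")
        report[name] = findings
    return report

if __name__ == "__main__":
    for profile, findings in audit_profiles(SAMPLE).items():
        print(profile, "->", findings or "ok")
```

Disabling `ssl_verify_hostname` is only flagged when no `ssl_cert_file` pin is present, since the notes above describe that combination as still validating the server certificate against the pinned copy.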

Changes for Cb Protection:

  • The API now sets the appropriate "GET" query fields when changing fields such as the debugFlags on the Computer object.
  • The .template attribute on the Computer model object has been renamed .templateComputer.
  • Remove AppCatalog and AppTemplate model objects.

Changes for Cb Response:

  • Added .webui_link property to Cb Response Query objects.
  • Added ban_hash.py example.

Bug Fixes:

  • Error handling is improved on Python 3. Live Response auto-reconnect functionality is now fixed on Python 3 as a result.
  • Workaround implemented for Cb Response 6.1 where segment_ids are truncated on Alerts. The .process attribute on an Alert now ignores the segment_id and links to the first Process segment.
  • Fixed issue with Binary.signed and CbModLoadEvent.is_signed.

cbapi Python Bindings - 1.3.2

10 Aug 12:47

This release introduces the Policy API for Cb Defense. A sample policy_operations.py script is now included in the examples directory for Cb Defense.

Other changes:

  • Cb Response

    • Bugfixes to the User Model Object.
    • New user_operations.py example script to manage users & teams.
    • Additional Team Model Object to add/remove/modify user teams.
    • New check_datasharing.py example script to check if third party data sharing is enabled for binaries on any sensor groups.
    • Documentation fix for the User Model Object.
    • Fix to the watchlist_operations.py example script.