Releases: carbonblack/cbapi-python

cbapi Python Bindings - 1.3.1

03 Aug 19:35

This is a bugfix release with minor changes:

  • Cb Response

    • Add partition_operations.py script to demonstrate the use of the StoragePartition model object.
    • Fix errors when accessing the .start attribute of child processes.
    • Fix errors generated by the walk_children.py example script. The output has been changed as well to indicate the process lifetime, console UI link, and command lines.
    • Add an .end attribute to the Process model object. This attribute reports back either None if the process is still executing, or the last event time associated with the process if it has exited. See the walk_children.py script for an example of how to calculate process lifetime.
    • Fix errors when using the .parents attribute of a Process.
    • Add wait_for_completion flag to create_process Live Response method, and default to True. The create_process method will now wait for the target process to complete before returning.
  • Cb Defense

    • Add wait_for_completion flag to create_process Live Response method, and default to True. The create_process method will now wait for the target process to complete before returning.

cbapi Python Bindings - 1.3.0

27 Jul 21:12

This release introduces the Live Response API for Cb Defense. A sample cblr_cli.py script is now included in the examples directory for both Cb Response and Cb Defense.

Other changes:

  • Cb Protection

    • You can now create new FileRule and Policy model objects in cbapi.
  • Cb Response

    • Added watchlist_exporter.py and watchlist_importer.py scripts to the Cb Response examples directory. These scripts allow you to export Watchlist data in a human- and machine-readable JSON format and then re-import them into another Cb Response server.
    • The Sensor Model Object now uses the non-paginated (v1) API by default. This fixes any issues encountered when iterating over all the sensors and receiving duplicate and/or missing sensors.
    • Fix off-by-one error in CbCrossProcess object.
    • Fix issue iterating through Process Model Objects when accessing processes generated from a 5.2 server after upgrading to 6.1.
    • Reduce number of API requests required when accessing sibling information (parents, children, and siblings) from the Process Model Object.
    • Retrieve all events for a process when using segment ID of zero on a Cb Response 6.1 server.
    • Behavior of Process.children attribute has changed:
      • Only one entry is present per child (before there were up to two; one for the spawn event, one for the terminate event)
      • The timestamp is derived from the start time of the process, not the timestamp from the spawn event. The two timestamps will be off by a few microseconds.
      • The old behavior is still available by using the Process.childprocs attribute instead. This incurs a performance penalty as another API call will have to be made to collect the childproc information.
    • Binary Model Object now returns False for .is_signed attribute if it is set to (Unknown).
  • Moved the six Python module into cbapi and removed the external dependency.

cbapi Python Bindings - 1.2.0

23 Jun 03:15

New in this release: support for Cb Defense and Cb Protection 8.0!

cbapi Python Bindings - 1.1.1

02 Jun 18:46

This release fixes a critical bug in 1.1.0 that prevented the module from loading.

cbapi Python Bindings - 1.1.0

02 Jun 02:25

This release includes compatibility fixes for Cb Response 6.1. Changes from 1.0.1 include:

  • Substantial changes to the Process Model Object for Cb Response 6.1. See details below.
  • New StoragePartition Model Object to control Solr core loading/unloading in Cb Response 6.1.
  • New IngressFilter Model Object to control ingress filter settings in Cb Response 6.1.
  • Fix issues with event_export.py example script.
  • Add .all_events property to the Process Model Object to expose a list of all events across all segments.
  • Add example script to perform auto-banning based on watchlist hits from Cb Event Forwarder S3 output files.
  • Add bulk operations to the ThreatReport and Alert Query objects:
    • You can now call .set_ignored(), .assign(), and .change_status() on an Alert Query object to change the respective fields for every Alert that matches the query.
    • You can now call .set_ignored() on a ThreatReport Query object to set or clear the ignored flag for every ThreatReport that matches the query.

Changes to Process model object

Cb Response 6.1 uses a new way of recording process events that greatly increases the speed and scale of collection, allowing you to store and search data for more endpoints on the same hardware. Details on the new database format can be found on the Developer Network website at the Process API Changes for Cb Response 6.0 page.

The Process Model Object traditionally referred to a single "segment" of events in the Cb Response database. In Cb Response versions prior to 6.0, a single segment included up to 10,000 individual endpoint events, enough to handle over 95% of the typical event activity for a given process. Therefore, although a Process Model Object technically referred to a single segment of a process, most processes had fewer than 10,000 events and so consisted of a single segment, and the distinction did not matter in practice.

However, now that processes are split across many segments, a better way of handling this is necessary. Therefore, Cb Response 6.0 introduces the new .group_by() method. This method is new in cbapi 1.1.0 and is part of five new query filters available when communicating with a Cb Response 6.1 server. These filters are accessible via methods on the Process Query object. These new methods are:

  • .group_by() - Group the result set by a field in the response. Typically you will want to group by id, which will ensure that the result set only has one result per process rather than one result per event segment. For more information on processes, process segments, and how segments are stored in Cb Response 6.0, see the Process API Changes for Cb Response 6.0 page on the Developer Network website.
  • .min_last_update() - Only return processes that have events after a given date/time stamp (relative to the individual sensor's clock)
  • .max_last_update() - Only return processes that have events before a given date/time stamp (relative to the individual sensor's clock)
  • .min_last_server_update() - Only return processes that have events after a given date/time stamp (relative to the Cb Response server's clock)
  • .max_last_server_update() - Only return processes that have events before a given date/time stamp (relative to the Cb Response server's clock)
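The segment-versus-process distinction described above, together with the Process .end attribute from the 1.3.1 notes, as a stand-alone simulation added here; it is not cbapi code. The SEGMENTS rows, group_by_id and lifetime are constructed for illustration, and the way the four time bounds are applied is this simulation's reading of the filter descriptions.

```python
"""Stand-alone simulation of the Cb Response 6.1 semantics described above.
NOT the cbapi library: models what .group_by("id"), the *_last_update filters
and the Process .end attribute do, on constructed segment rows."""
from datetime import datetime, timedelta

T0 = datetime(2017, 8, 1, 12, 0, 0)  # constructed base time (naive UTC)
M = timedelta(minutes=1)

# Constructed rows, one per event segment, as a 6.1 server returns them before
# grouping: (process_id, segment_id, first_event, last_event (sensor clock),
#            last_server_update (server clock), process_terminated_in_segment)
SEGMENTS = [
    ("proc-A", 1, T0,         T0 + 0.5 * M, T0 + 1 * M,  False),
    ("proc-A", 2, T0 + 4 * M, T0 + 5 * M,   T0 + 6 * M,  False),
    ("proc-A", 3, T0 + 8 * M, T0 + 9 * M,   T0 + 10 * M, True),
    ("proc-B", 1, T0 + 2 * M, T0 + 2 * M,   T0 + 2 * M,  False),
]

def group_by_id(segments, min_last_update=None, max_last_update=None,
                min_last_server_update=None, max_last_server_update=None):
    """Collapse segment rows into one record per process (like .group_by("id"))
    and apply the four time filters: sensor-clock bounds test the process's
    latest event time, server-clock bounds its latest server update (this
    simulation's reading of "events before/after a given time")."""
    procs = {}
    for pid, seg, first, last, server_update, terminated in segments:
        p = procs.setdefault(pid, {"id": pid, "segments": [], "start": first,
                                   "last_update": last, "terminated": False,
                                   "last_server_update": server_update})
        p["segments"].append(seg)
        p["start"] = min(p["start"], first)
        p["last_update"] = max(p["last_update"], last)
        p["last_server_update"] = max(p["last_server_update"], server_update)
        p["terminated"] = p["terminated"] or terminated
    bounds = [("last_update", min_last_update, max_last_update),
              ("last_server_update", min_last_server_update, max_last_server_update)]
    selected = []
    for p in procs.values():
        if any((lo and p[k] < lo) or (hi and p[k] > hi) for k, lo, hi in bounds):
            continue
        # .end semantics: None while the process still executes, else last event time
        p["end"] = p["last_update"] if p["terminated"] else None
        selected.append(p)
    return selected

def lifetime(proc):
    """Process lifetime as walk_children.py derives it; None while still running."""
    return None if proc["end"] is None else proc["end"] - proc["start"]
```

Without the grouping step, proc-A would appear three times in the result set, once per segment; with it, the caller sees one record whose start, end and segment list span the whole process.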

cbapi Python Bindings - 1.0.1

04 Jan 13:39

This release fixes a few bugs from the 1.0.0 release, notably:

  • #53 and #54 - Exceptions thrown when iterating over Model Objects from multiple worker threads
  • The code is now much more resilient when invalid Processes are returned from the Cb Response server. If cbapi receives an invalid process ID from the Cb Response server, it will not attempt to retrieve further details about that process and also set the attribute .valid_process to False. Normal, valid processes will have .valid_process set to True.

Also in this release, one new feature:

  • #55 - Thanks to a contribution from @mjm461, the CbResponseAPI and CbProtectionAPI constructors now take optional timeout and max_retries keyword arguments. The default timeout is set to 120 seconds and the default number of retries is set to 5. You can override these through the timeout and max_retries keyword arguments: for example, CbResponseAPI(timeout=10) will instruct cbapi to connect to your default Cb Response server and throw a TimeoutError if the Cb Response server does not respond within 10 seconds to API requests.

cbapi Python Bindings - 1.0.0

22 Nov 13:53

This is our first major release of the new cbapi! This release signifies that the API is now stable and will only include additional functionality or bug fixes. Changes to the API interface will be indicated with a major version number increase to 2.0.

Changes in this release:

  • New documentation! See the docs at https://cbapi.readthedocs.io. The docs now include detailed Installation instructions, Concepts, and a walkthrough of how to use the API with Cb Response.
  • New feature: #46 - Event driven API for Cb Response. See the examples for more details. This API allows you to easily create IFTTT style pipelines based on streaming data from Cb Response. Incoming events can trigger any action, including performing Live Response actions on endpoints using the Live Response API.
  • The CbEnterpriseResponseAPI and CbEnterpriseProtectionAPI classes are now aliased to CbResponseAPI and CbProtectionAPI respectively, to meet our new branding guidelines and to save you some typing.
  • Fixes to the Live Response API to improve reliability.
  • Fixes to the Sensor Model Object to improve compatibility with Cb Response 5.2.
  • Added .isolate() and .unisolate() helper functions to the Sensor Model Object.
  • Bug fixes to the Binary Model Object .virustotal, .signing_data, .version_info, and .frequency properties.
  • Added validation to the User and BannedHash Model Objects.

cbapi Python Bindings - 0.9.8

13 Oct 13:03

This release includes the following new functionality:

  • An example script to dump the events associated with a given process in a CSV file (see examples/response/event_export.py)
  • Add support for memdump Live Response command
  • Add models for Feed Actions and Watchlist Actions - you can now add/remove/modify Feed and Watchlist Actions from cbapi
  • Improve support for crossprocess events in the Process model

This release contains fixes for the following issues:

  • #48 TypeError when comparing timestamps across events
  • Exception when issuing Query against Sensors with a .where() argument on Python 3
  • Exception in the walk_children.py example script

cbapi Python Bindings - 0.9.7

30 Sep 18:36

This release includes the following new functionality:

  • #18 Add recursive directory listing support in the Live Response API. You can now call the .walk() function on an open Live Response session object to walk the filesystem of the remote endpoint. The .walk() method takes the same parameters as the Python os.walk() function - refer to the Python library documentation on os.walk for more information.
  • Related to the above, a .path_join() method was added to the Live Response session object to mimic the os.path.join() function based on the OS type of the remote sensor (backslashes for Windows endpoints, forward slashes for Mac/Linux).
  • #12 Query objects are now a proper Fluent interface. Calling methods that change the query such as .where() or .sort() now return a new cloned Query object instead of changing the original Query object.

This release contains fixes for the following issues:

  • #41 Fix URL encoding in Watchlist model
  • #36 Fix printing models with Unicode characters
  • #43 Binary object does not have a digsig_publisher attribute
  • #37 Crash when querying for objects with a colon in the name
  • #40 Crash in Python 3.5 when iterating over Binary objects

cbapi Python Bindings - 0.9.6

19 Aug 21:31

This is a bugfix release which addresses the following issues:

  • #17 (credential file location configurable)
  • #34 (make default behavior of CbNetConnEvent to pass through the string not assume 0.0.0.0)
  • #21 (provide a default "username" field for Processes)
  • #30 (accessing Binary.frequency more than once causes Exception)
  • #27 (webui_link not defined for some models; now returns None if the model doesn't support a deep link)
  • #32 (CbNetConnEvent now provides the proxy_ip field)
  • #33 (CbNetConnEvent IP address parsing doesn't work on Windows)
  • #20 (Exception when parsing some date/time values)

In addition, the following Cb Protection examples were added:

  • Deleting duplicate computer objects from the Cb Protection database
  • Reverting computers in a selected policy back to the previous policy (for example, if they were manually set into local approval mode)
  • Toggle tamper protection on endpoints