
Develop Responder for CB Response / Carbon Black Endpoint Detection and Response

Open yugoslavskiy opened this issue 4 years ago • 10 comments

Feature description

Responder for CB Response (previous name) / Carbon Black Endpoint Detection and Response (current name) or just "Carbon Black EDR" that would be able to execute the following Response Actions:

  • RA3401: Block process by executable path
  • RA3402: Block process by executable metadata
  • RA3403: Block process by executable hash
  • RA5401: Unblock blocked process

Describe the solution you'd like

Here is the official API documentation that includes all information required for the development.

Additional context

You can refer to the existing Cisco AMP (EDR) Responder during the development.

yugoslavskiy avatar Sep 14 '20 18:09 yugoslavskiy

Hey @yugoslavskiy, happy to collaborate on this one. Any idea how we can have access to a testing environment / account ?

nadouani avatar Oct 07 '20 05:10 nadouani

Hey @nadouani! Sounds great! How about this weekend? I have access to CB PSC (:

yugoslavskiy avatar Oct 07 '20 21:10 yugoslavskiy

I'll try to cook something before the weekend so we can test it ;)

nadouani avatar Oct 07 '20 21:10 nadouani

Hello @yugoslavskiy I have no experience with CB PSC but this is my finding when taking a look into the documentation:

  • the authentication mechanism using the cbapi relies on locally stored credentials. The old-fashioned way of providing url and api token seems to be discouraged, but is still possible.
  • blocking a process seems to be a feature from the CB Response API, available on CB Enterprise Response Server: API Docs

nadouani avatar Oct 11 '20 07:10 nadouani
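The block/unblock actions from the issue (RA3403, RA5401) and the url + api token configuration mentioned above, as an added Python sketch of the responder's request-building layer; this is example code, not the responder committed to Cortex-Analyzers. The endpoint path, JSON field names and X-Auth-Token header are assumed from the CB Response REST API and should be checked against the linked docs; the config keys url, api_token, action and reason are hypothetical responder settings.

```python
import json
import re
import urllib.request

# Response Actions from the issue that this example covers.
ACTIONS = {"RA3403": "Block process by executable hash",
           "RA5401": "Unblock blocked process"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed from the CB Response REST API: bans live under this path, are
# keyed by MD5, and the API token travels in the X-Auth-Token header.
BAN_PATH = "/api/v1/banning/blacklist"


def build_ban_request(job):
    """Map a Cortex responder job (dataType, data, config) to the HTTP
    request for the selected Response Action, without sending it."""
    if job.get("dataType") != "hash":
        raise ValueError("only 'hash' observables map to RA3403/RA5401")
    md5 = job["data"].strip().lower()
    # CB Response bans by MD5 only: refuse SHA-1/SHA-256 values here
    # instead of letting the server reject or silently ignore them.
    if not MD5_RE.match(md5):
        raise ValueError("CB Response bans by MD5; got %d hex chars" % len(md5))
    cfg = job["config"]
    action = cfg.get("action", "RA3403")
    if action not in ACTIONS:
        raise ValueError("unsupported response action %s" % action)
    url = cfg["url"].rstrip("/") + BAN_PATH
    headers = {"X-Auth-Token": cfg["api_token"],
               "Content-Type": "application/json"}
    if action == "RA3403":
        body = {"md5hash": md5, "enabled": True,
                "text": cfg.get("reason", "Banned via Cortex responder")}
        return urllib.request.Request(url, data=json.dumps(body).encode(),
                                      headers=headers, method="POST")
    # RA5401: an existing ban is disabled in place (assumed PUT semantics).
    body = {"md5hash": md5, "enabled": False}
    return urllib.request.Request(url + "/" + md5, data=json.dumps(body).encode(),
                                  headers=headers, method="PUT")


def cortex_report(request, action):
    """Shape Cortex expects from a responder: success flag, full report,
    and follow-up operations (here: tag the case with the action taken)."""
    return {"success": True,
            "full": {"message": ACTIONS[action], "method": request.get_method(),
                     "url": request.full_url},
            "operations": [{"type": "AddTagToCase",
                            "tag": "cb-response:" + action.lower()}]}
```

A real responder would subclass cortexutils.responder.Responder, read the job from stdin, and send the built request with urllib.request.urlopen; the MD5 used below is the well-known digest of an empty file.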

This is an initial commit, we need a discussion about how CB OSC works to complete the responder: https://github.com/TheHive-Project/Cortex-Analyzers/commit/a4d28b7a6b9438a26c70bdcb8bdd1758870683e4

nadouani avatar Oct 11 '20 09:10 nadouani

Hello @nadouani!

Sorry for the late participation. It seems that CB Enterprise Response is a bit of a different thing, I will do some extra research and get back to you shortly.

yugoslavskiy avatar Oct 11 '20 20:10 yugoslavskiy

Here are the results of my research:

  1. The functionality to block processes is part of CB Response, which is now called Carbon Black Endpoint Detection and Response, or Carbon Black EDR. And it is not a cloud solution. I don't have access to it.

  2. I do have access to CB Defense, which is now called Endpoint Standard, it is the initial license for Carbon Black Predictive Security Cloud, which is not called Carbon Black Cloud™.

Regardless of the tools/licenses/products, they have released a new API and most probably stopped supporting the old library that you were referring to, @nadouani. People are saying that they cannot authenticate.

I wasn't able to find any information about blocking functionality in their new API for cloud products.

It seems that such API calls are available only for on-premise solutions.

So, it seems that there is nothing I can help with, unfortunately ):

How about asking people in TheHive mail user group/twitter if any of them have this on-premise "CB Response" that is now called "Carbon Black Endpoint Detection and Response" or "Carbon Black EDR"?

I would love to collab with them anyway.

PS I will change the name of the issue and description to not confuse people.

yugoslavskiy avatar Oct 12 '20 01:10 yugoslavskiy

I've got this one for both cloud and on-prem with both an analyzer and responder. Will release cloud first.

xg5-simon avatar Oct 28 '20 20:10 xg5-simon

Hello @xg5-simon! Do you need any help with it? (:

yugoslavskiy avatar Nov 08 '20 23:11 yugoslavskiy

Hello @xg5-simon! Would you like to proceed with the PR?

yugoslavskiy avatar Mar 27 '21 20:03 yugoslavskiy