{"info":{"_postman_id":"198ade9c-4ba5-4b4f-bcc0-107c0f4806a9","name":"Carbon Black","description":"

Folders with a 🗝 icon indicate an authentication is provided on that for all of its children to inherit.

Folders and endpoints with a ⚠️ icon indicate that endpoint has been deprecated. It may still function, but there are newer endpoints we recommend using.

Postman Environments

These JSON objects are Environments that contain all of the variables used in this Postman Collection. Save the JSON locally and import into Postman.

Carbon Black Cloud

{\n    \"id\": \"fb0486be-3019-4e77-9c71-33d5e588af98\",\n    \"name\": \"Carbon Black Cloud\",\n    \"values\": [\n        {\n            \"key\": \"cb_url\",\n            \"value\": \"https://defense.conferdeploy.net\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_org_key\",\n            \"value\": \"Org Key\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_custom_id\",\n            \"value\": \"Custom API ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_custom_key\",\n            \"value\": \"Custom API Key\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_api_id\",\n            \"value\": \"API ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_api_key\",\n            \"value\": \"API Secret Key\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_lr_id\",\n            \"value\": \"Live Response API ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_lr_key\",\n            \"value\": \"Live Response API Secret Key\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_siem_id\",\n            \"value\": \"SIEM ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_siem_key\",\n            \"value\": \"SIEM Secret Key\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_aggregation_field\",\n            \"value\": \"`device_id` or `process_sha256`\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_alert_id\",\n            \"value\": \"Alert ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_config_id\",\n            \"value\": \"Event Forwarder Config ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_cve_id\",\n            \"value\": \"CVE ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_device_id\",\n            \"value\": \"Device ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_device_control_id\",\n            \"value\": \"Device Control ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_event_id\",\n            \"value\": \"Event ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_feed_id\",\n            \"value\": \"Feed ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_forwarder_id\",\n            \"value\": \"Forwarder ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_ioc_id\",\n            \"value\": \"IOC ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_job_id\",\n            \"value\": \"Job ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_job_type\",\n            \"value\": \"\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_lr_command_id\",\n            \"value\": \"LR Command ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_lr_file_id\",\n            \"value\": \"Live Response File ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_lr_session_id\",\n            \"value\": \"LR Session ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_org_id\",\n            \"value\": \"Org ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_policy_id\",\n            \"value\": \"Policy ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_process_guid\",\n            \"value\": \"Process GUID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_query_id\",\n            \"value\": \"LiveQuery Query ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_report_id\",\n            \"value\": \"Report ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_reputation_id\",\n            \"value\": \"Reputation ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_request_id\",\n            \"value\": \"Request ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_rule_id\",\n            \"value\": \"Rule ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_template_id\",\n            \"value\": \"LiveQuery Template ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_vcenter_uuid\",\n            \"value\": \"vCenter UUID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_vm_id\",\n            \"value\": \"VM ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_watchlist_id\",\n            \"value\": \"Watchlist ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_wl_appliance_id\",\n            \"value\": \"Workload Appliance ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_wl_resource_id\",\n            \"value\": \"Workload Resource ID\",\n            \"enabled\": true\n        }\n    ],\n    \"_postman_variable_scope\": \"environment\",\n    \"_postman_exported_at\": \"2021-02-01T23:02:10.992Z\",\n    \"_postman_exported_using\": \"Postman/7.36.1\"\n}\n\n

Carbon Black EDR (previously CB Response)

{\n    \"id\": \"8d378ea8-9040-4eef-8b27-8238f24cd280\",\n    \"name\": \"Carbon Black Response\",\n    \"values\": [\n        {\n            \"key\": \"cb_url\",\n            \"value\": \"CB Response URL\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_api_token\",\n            \"value\": \"API Token\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_feed_id\",\n            \"value\": \"Feed ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_feed_action\",\n            \"value\": \"Feed Action\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_process_id\",\n            \"value\": \"Process ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_segment_id\",\n            \"value\": \"Segment ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_md5\",\n            \"value\": \"MD5\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_alert_id\",\n            \"value\": \"Alert ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_watchlist_id\",\n            \"value\": \"Watchlist ID\",\n            \"enabled\": true\n        },\n        {\n            \"key\": \"cb_feed_id\",\n            \"value\": \"Feed ID\",\n            \"enabled\": true\n        }\n    ],\n    \"_postman_variable_scope\": \"environment\",\n    \"_postman_exported_at\": \"2020-04-16T21:17:32.349Z\",\n    \"_postman_exported_using\": \"Postman/7.21.1\"\n}\n\n

","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[],"owner":"19038029","collectionId":"198ade9c-4ba5-4b4f-bcc0-107c0f4806a9","publishedId":"2s8YK4to5o","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"EF5B25"},"publishDate":"2022-10-27T17:33:34.000Z"},"item":[{"name":"Carbon Black Cloud (CBC)","item":[{"name":"Platform APIs 🗝","item":[{"name":"Access Profiles and Grants API","item":[{"name":"Create Grant for a Principal","id":"95f8e9b7-3ab0-49ec-ab15-9ab47321000f","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[],"body":{"mode":"raw","raw":"{\n \"principal\": \"string\",\n \"roles\": [\n \"string\"\n ],\n \"profiles\": [\n {\n \"orgs\": {\n \"allow\": [\n \"string\"\n ],\n },\n \"roles\": [\n \"string\"\n ],\n \"conditions\": {\n \"expiration\": \"string\",\n \"disabled\": boolean\n }\n }\n ],\n \"org_ref\": \"string\",\n \"principal_name\": \"string\"\n}","options":{"raw":{"language":"json"}}},"url":"{{cb_url}}/access/v2/orgs/{{cb_org_key}}/grants/","description":"

Create grant for a Principal in given Org.

Note: When using a role grant, you can only select one role. The profiles however do support multiple roles.

RBAC Permissions Required

See the Authentication section of these APIs for more information on what is required to authenticate these requests.

Field	Description	Default	Required
`state`	Workflow state to filter on. Allowed values: `dismissed`, `open`	N/A	No
`comment`	Comment to include with operation	N/A	No
`remediation state`	Description or justification for the change. Accepts any string.	N/A	No

Field	Description	Default	Required
`criteria`	Map of criteria to filter results on. Allowed values: `threat_id`, `target_value`, `device_id`, `device_os_versions`, `policy_id`, `device_os`, `minimum_severity` ,`create_time`, `legacy_alert_id`, `group_results`, `process_sha256`, `policy_name`, `reputation`, `type`, `id`, `category`, `device_username`, `device_name` , `tag`, `workflow`, `process_name`	N/A	No
`query`	query to perform	N/A	No
`state`	Workflow state to filter on. Allowed values: `dismissed`, `open`	N/A	No
`comment`	Comment to include with operation	N/A	No
`remediation state`	Description or justification for the change. Accepts any string.	N/A	No

Field	Definition	Data Type	Values	Required
`name`	Defined name for the specific event or alert forwarder	String	N/A	Yes
`s3_bucket_name`	Configured unique name for s3 bucket	String	N/A	Yes
`s3_prefix`	Defined folder structure the forwarder will write events or alerts to	String	N/A	Yes
`type`	The datastream type that is to be forwarded.	String	`endpoint.event`, `alert`	Yes
`filters`	A list of filters to apply to the data being forwarded. Use only one of `equals`, `not_equals`, or `match_any_bits` per filter in the list. Only supported when type equals `endpoint.event`	Array	`[{ \"attribute\": \"<string>\", \"equals\": \"<string>\", \"not_equals\": \"<string>\", \"match_any_bits\": [\"<string>\", \"<string>\"]}]`	No

Field	Description	Default	Required
`status`	Device statuses to match. Allowed values: `PENDING`, `REGISTERED`, `UNINSTALLED`, `DEREGISTERED`, `ACTIVE`, `INACTIVE`, `ERROR`, `ALL`, `BYPASS_ON`, `BYPASS`, `QUARANTINE`, `SENSOR_OUTOFDATE`, `DELETED`, `LIVE`	N/A	Yes
`ad_group_id`	Active Directory group IDs to match	N/A	No
`policy_id`	Carbon Black Cloud Policy IDs to match		No
`query_string`	Device query string	N/A	No
`target_priority`	Device target priorities to match. Allowed values: `LOW`, `MEDIUM`, `HIGH`, `MISSION_CRITICAL`	N/A	No
`sort_field`	Field to sort results by	N/A	No
`sort_order`	Sort order. Allowed values: `ASC`, `DESC`	N/A	No

Permission (.notation name)	Operation(s)	Action Type
device.quarantine	EXECUTE	QUARANTINE
device.bypass	EXECUTE	BYPASS
device.bg-scan	EXECUTE	BACKGROUND_SCAN
device.policy	UPDATE	UPDATE_POLICY
org.kits	EXECUTE	UPDATE_SENSOR_VERSION
device.deregistered	DELETE	DEREGISTER_SENSOR
device.uninstall	EXECUTE	DELETE_SENSOR

Field	Description	Default	Required
`action_type`	Action to perform on selected devices. Allowed values: `BACKGROUND_SCAN`, `BYPASS`, `UNINSTALL_SENSOR`, `DELETE_SENSOR`, `QUARANTINE`, `UPDATE_POLICY`, `UPDATE_SENSOR_VERSION`	N/A	Yes
`device_id`	List of devices to perform action on	N/A	Yes - either `device_id` or `search`
`search`	A device search. Device actions will be performed on the result set of this search	N/A	Yes - either `device_id` or `search`
`options.policy_id`	Devices will be updated to this policy ID	N/A	Required if action_type is set to `UPDATE_POLICY`
`options.sensor_version`	Devices will be updated to this sensor version	N/A	Required if action_type is set to `UPDATE_SENSOR_VERSION`
`options.toggle`	Determines whether to toggle action `ON` or `OFF`. Allowed values: `ON`, `OFF`	N/A	Required if action_type is set to `QUARANTINE`, `BYPASS`, or `BACKGROUND_SCAN`.

Permission (.notation name)	Operation(s)
org.liveresponse.session	READ
org.liveresponse.process	READ, EXECUTE, DELETE
org.liveresponse.registry	CREATE, READ, UPDATE, DELETE
org.liveresponse.file	CREATE, READ, DELETE
org.liveresponse.memdump	READ

Sensor Mode	Intended Action	Actual Action	Summary
Quarantine	Allow or Block	Block except to Carbon Black Cloud	Quarantine block rules override Host-based Firewall rules.
Bypass	Allow or Block	Allow	Because the sensor is in bypass mode, the Host-based Firewall rule is ineffective.
Prevention policy - block	Allow or Block	Block	Blocked connections to and from the application take precedence over Host-based Firewall rules.

Field	Definition	Data Type	Values	Required
`criteria`	Criteria is an object that represents values that must be in the results. Either `query` or `criteria`/`exclusion` must be included.	Object	`{ \"process_name\": [ \"chrome.exe\" ] }`	No
`exclusions`	Exclusions is a map that represents values that must not be in the results. Either `query` or `criteria`/`exclusion` must be included.	Object	`{ \"process_name\": [ \"chrome.exe\" ] }`	No
`fields`	A list of fields to include in the results, specify `*` to return all the default fields and add additional fields that are not returned by default	Array	`[ \"\", \"process_start_time\" ]` Default:* `[\"*\"]`	No
`query`	Query in lucene syntax and/or including value searches. Either `query` or `criteria`/`exclusion` must be included.	String	N/A	No
`rows`	Number of rows to request, can be paginated	Long	Default: `500` Max: `10k`	No
`sort`	Sort is a collection of sort parameters that specify a `field` and `order` to sort the results.	Array	`[{ \"field\": \"device_timestamp\", \"order\": \"asc\" }]`	No
`start`	First row to use for pagination	Long	Default: `0`	No
`time_range`	Describes a time window to restrict the search to match using `device_timestamp` as the reference. Window will take priority over start and end if provided.	Object	`{ \"end\": \"2020-01-21T18:34:04Z\", \"start\": \"2020-01-18T18:34:04Z\", \"window\": \"-2w\" }`	No

Postman Environments

Carbon Black Cloud

Carbon Black EDR (previously CB Response)

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Response Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Body Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

RBAC Permissions Required

Response Schema

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

Response Schema

RBAC Permissions Required

RBAC Permissions Required

Request Schema

RBAC Permissions Required

RBAC Permissions Required

Request Schema

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

Body Schema

BAC Permissions Required

Body Schema

RBAC Permissions Required

BAC Permissions Required

BAC Permissions Required

BAC Permissions Required

BAC Permissions Required

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

RBAC Permissions Required

RBAC Permissions Required

Request Schema

RBAC Permissions Required

Request Schema

RBAC Permissions Required

RBAC Permissions Required

Request Schema