Develop Responder for CB Response / Carbon Black Endpoint Detection and Response

[yugoslavskiy]

Feature description

Responder for CB Response (previous name) / Carbon Black Endpoint Detection and Response (current name) or just "Carbon Black EDR" that would be able to execute the following Response Actions:

• RA3401: Block process by executable path
• RA3402: Block process by executable metadata
• RA3403: Block process by executable hash
• RA5401: Unblock blocked process

Describe the solution you'd like

Here is the official API documentation that includes all information required for the development.

Additional context

You can refer to the existing Cisco AMP (EDR) Responder during the development.

[nadouani]

Hey @yugoslavskiy, happy to collaborate on this one. Any idea how we can have access to a testing environment / account ?

[yugoslavskiy]

Hey @nadouani! Sounds great! How about this weekend? I have access to CB PSC (:

[nadouani]

I'll try to cook something before the weekend so we can test it ;)

[nadouani]

Hello @yugoslavskiy I have no experience with CB PSC but this is my finding when taking a look into the documentation:

• the authentication mechanism using the cbapi rely on locally stored credentials.The old-fashioned way of providing urland api token seems to be discouraged, but is still possible.
• blocking a process seems to be a feature from the CB Response API, available on CB Entreprise Response Server: API Docs

[nadouani]

This is an initial commit, we need a discussion about how does CB OSC works to complete the responder:
a4d28b7

[yugoslavskiy]

Hello @nadouani!

Sorry for the late participation.
It seems that CB Entreprise Response is a bit different thing, I will do some extra research and get back to you shortly.

[yugoslavskiy]

Here are the results of my research:

1. The functionality to block processes is part of CB Response, which is now called Carbon Black Endpoint Detection and Response, or Carbon Black EDR. And it is not cloud solution. I don't have access to it.

2. I do have access to CB Defense, which is now called Endpoint Standard, it is the initial license for Carbon Black Predictive Security Cloud, which is not called Carbon Black Cloud™.

Regardless of the tools/licenses/products, they have released new API and most probably stopped supporting the old library that you were referring to, @nadouani. People are saying that they cannot authenticate.

I wasn't able to find any information about blocking functionality in their new API for cloud products.

It seems that such API calls are available only for on-premise solutions.

So, it seems that there is nothing I can help with, unfortunately ):

How about asking people in TheHive mail user group/twitter if any of them have this on-premise "CB Response" that is now called "Carbon Black Endpoint Detection and Response" or "Carbon Black EDR"?

I would love to collab with them anyway.

PS
I will change the name of the issue and description to not confuse people.

[xg5-simon]

I've got this one for both cloud an on-prem with both an analyzer and responder. Will release cloud first.

[yugoslavskiy]

Hello @xg5-simon! Do you need any help with it? (:

[yugoslavskiy]

Hello @xg5-simon! Would you like to proceed with the PR?