Carbon Black Cloud SDK v1.4.1

New Features:

• AWS workloads now supported in VM Workloads Search.
• Live Query Differential Analysis functionality.

Updates:

• VM Workloads Search updated to use new v2 APIs
• Added the alertable field to feeds.
• Devices API now supports faceting on three additional (public cloud related) fields.
• Added a user acceptance test script for the policy function updates.

Documentation:

• Added information on OAuth authentication to docs.

Carbon Black Cloud SDK v1.4.0

Breaking Changes:

• Policy object has been moved from cbc_sdk.endpoint_standard to cbc_sdk.platform, as it now uses the new Policy Services API rather than the old APIs through Integration Services.
  • N.B.: This change means that you must use a custom API key with permissions under org.policies to manage policies, rather than an older "API key."
  • To enable time to update integration logic, the cbc_sdk.endpoint_standard Policy object may still be imported from the old package, and supports operations that are backwards-compatible with the old one.
  • When developing a new integration, or updating an existing one cbc_sdk.platform should be used. There is a utility class PolicyBuilder, and as features are added to the Carbon Black Cloud, they will be added to this module.
• Official support for Python 3.6 has been dropped, since that version is now end-of-life. Added explicit testing support for Python versions 3.9 and 3.10. N.B.: End users should update their Python version to 3.7.x or greater.

New Features:

• Credentials handler now supports OAuth tokens.
• Added support for querying a single Report from a Feed.
• Added support for alert notes (create, delete, get, refresh).

Updates:

• Removed the (unused) revoked property from Grant objects.
• Increased the asynchronous query thread pool to 3 threads by default.
• Required version of lxml is now 4.9.1.
• Added a user acceptance test script for Alerts.

Bug Fixes:

• Added max_rows to USB device query, fixing pagination.
• Fixed an off-by-one error in Alerts Search resulting un duplicate alerts showing up in results.
• Fixed an error in alert faceting operations due to sending excess input to the server.

Documentation:

• Watchlists, Feeds, and Reports guide has been updated with additional clarification and examples.
• Updated description for some Device fields that are never populated.
• Additional sensor states added to Device documentation.
• Fixed the description of BaseAlertSearchQuery.set_types so that it mentions all valid alert types.
• Threat intelligence example has been deprecated.

Carbon Black Cloud SDK v1.3.6

New Features:

• Support for Device Facet API.
• Dynamic reference of query classes--now you can do api.select("Device") in addition to api.select(Device).
• Support for Container Runtime Alerts.
• NSX Remediation functionality - set the NSX remediation state for workloads which support it.

Updates:

• Endpoint Standard specific Events have been decommissioned and removed.
• SDK now uses Watchlist Manager apis v3 instead of v2. v2 APIs are being decommissioned.

Documentation:

• Added a CONTRIBUTING link to the README.md file.
• Change to Watchlist/Report documentation to properly reflect how to update a Report in a Watchlist.
• Cleaned up formatting.

Carbon Black Cloud SDK v1.3.5

New Features:

• Added asynchronous query support to Live Query.
• Added the ability to export query results from Live Query, either synchronously or asynchronously (via the Job
  object and the Jobs API). Synchronous exports include full-file export, line-by-line export, and ZIP file export.
  Asynchronous exports include full-file export and line-by-line export.
• Added a CredentialProvider that uses AWS Secrets Manager to store credential information.

Updates:

• Added WatchlistAlert.get_process() method to return the Process of a WatchlistAlert.
• Added several helpers to Live Query support to make it easier to get runs from a template, or results, device
  summaries, or facets from a run.
• Optimized API requests when performing query slicing.
• Updated pretty-printing of objects containing dict members.
• lxml dependency updated to version 4.6.5.

Bug Fixes:

• User.delete() now checks for an outstanding access grant on the user, and deletes it first if it exists.
• Fixed handling of URL when attaching a new IOC to a Feed.
• Getting and setting of Report ignore status is now supported even if that Report is part of a Feed.

Documentation:

• Information added about the target audience for the SDK.
• Improper reference to a credential property replaced in the Authentication guide.
• Broken example updated in Authentication guide.
• Added SDK guides for Vulnerabilities and Live Query APIs.
• Updated documentation for ProcessFacet model to better indicate support for full query string.

Carbon Black Cloud SDK v1.3.4

New Features:

• New CredentialProvider supporting Keychain storage of credentials (Mac OS only).
• Recommendations API - suggested reputation overrides for policy configuration.

Updates:

• Improved string representation of objects through __str__() mechanism.

Bug Fixes:

• Ensure proper TimeoutError is raised in several places where the wrong exception was being raised.
• Fix to allowed categories when performing alert queries.

Documentation Changes:

• Added guide page for alerts.
• Live Response documentation updated to note use of custom API keys.
• Clarified query examples in Concepts.
• Note that vulnerability assessment has been moved from workload to platform.
• Small typo fixes in watchlists, feeds, UBS, and reports guide.

Carbon Black Cloud SDK v1.3.3

Bug Fixes:

• Dependency fix on schema library.

Carbon Black Cloud SDK v1.3.2

New Features:

• Added asynchronous query options to Live Response APIs.
• Added functionality for Watchlists, Reports, and Feeds to simplify developer interaction.

Updates:

• Added documentation on the mapping between permissions and Live Response commands.

Bug Fixes:

• Fixed an error using the STIX/TAXII example with Cabby.
• Fixed a potential infinite loop in getting detailed search results for enriched events and processes.
• Comparison now case-insensitive on UBS download.

Carbon Black Cloud SDK v1.3.1

New Features:

• Allow the SDK to accept a pre-configured Session object to be used for access, to get around unusual configuration requirements.

Bug Fixes:

• Fix functions in Grant object for adding a new access profile to a user access grant.

Carbon Black Cloud SDK v1.3.0

Carbon Black Cloud SDK v1.3.0 Release

The new features in this release include:

• Add User Management, Grants, Access Profiles, Permitted Roles

• Move Vulnerability models to Platform package in preparation for supporting Endpoints and Workloads

• Refactor Vulnerability models

  • VulnerabilitySummary.get_org_vulnerability_summary static function changed to Vulnerability.OrgSummary model with query class
  • VulnerabilitySummary model moved inside Vulnerability to Vulnerability.AssetView sub model
  • OrganizationalVulnerability and Vulnerability consolidated into a single model to include Carbon Black Cloud context and CVE information together
  • Vulnerability(cb, CVE_ID) returns Carbon Black Cloud context and CVE information
  • DeviceVulnerability.get_vulnerability_summary_per_device static function moved to get_vulnerability_summary function on Device model
  • affected_assets(os_product_id) function changed to get_affected_assets() function and no longer requires os_product_id

• Add dashboard export examples

• Live Response migrated from v3 to v6 (:doc:migration guide<live-response-v6-migration>)

  • Live Response uses API Keys of type Custom

• Add function to get Enriched Events for Alert

Bug Fixes

• Fix validate query from dropping sort_by for Query class
• Fix the ability to set expiration for binary download URL
• Fix bug in helpers read_iocs functionality
• Fix install_sensor and bulk_install on ComputeResource to use id instead of uuid
• Fix DeviceSearchQuery from duplicating Device due to base index of 1

Hotfix for Alert Query

Changelog

Bug Fixes

• Prevent alert query from retrieving past 10k limit