Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

Developer Relations Month: Respond with Automation

carbon black watchlists
Hex_Thirds
November 5, 2015 / Jason McFarland

I know I’m not the only one who has created the perfect watchlist in Carbon Black with almost zero false positives. Every hash on my “perfect” Carbon Black watchlist is an instant hash ban, but I get tired of having to click through all the hashes and ban them all. So I created a script to do this. I can finally sit back and let my script do my bidding, and now you can, too. Although simple and definitely not tailored for everyone, it is a great start. Check out the links below and tell us what you think.

https://github.com/carbonblack/cbapi/blob/master/client_apis/python/example/auto_blacklist_from_watchlist.py

https://github.com/carbonblack/cbapi/blob/master/client_apis/python/example/auto_blacklist_from_watchlist.conf.example

The Carbon Black watchlist feature is amazing and lets you turn a seemingly daunting task into something that can be checked over email. We can do even better. For any event, we can respond instantaneously, prevent the spread of malicious activity and, most importantly, work on other things while the script does the work for me! I no longer have to see this screenshot ever again for my watchlist:

auto2

Using the auto-banning script shows how to automate the process of banning process hashes from specific watchlist hits. The hard work is done with this example. Tailor the config file to your needs and run the script.

Let’s take a step back and look at what we were able to do in a half-day’s worth of python:

  1. Get notified of watchlist hits via RabbitMQ.
  2. Perform an action/respond to specific events.
  3. Save mouse clicks per hash.
  4. Respond even when I’m busy at home.

This python script is a specific use case of tying watchlist hits to process banning/blacklisting. In the more generic case, we were able to tie an event with a response. An event could be anything from threat intelligence via binary detonation or a process spawn from notepad.exe. The action could be anything as well. In this case it was blacklisting, but in others it could be isolating an endpoint or syncing a Carbon Black sensor to perform an investigation. With the Carbon Black APIs, there are vast possibilities.

Our goal is to inspire and enable users to create new methods for automating a response to an event. Some questions I thought of while writing this post:

  • Which events would benefit from immediate response?
  • What other actions would be beneficial for my team/organization?
  • What actions do I perform most when I respond?
  • What other automation can I do to save myself time?

I hope this will help jump start discussions and ideas for automating responses to events. Look through the Carbon Black API and its example code for help. Who knows, maybe something a reader creates will eventually become a new feature!

TAGS: bit9 / Carbon Black / developer relations month / false positive rate / watchlist / zero

Related Posts