The following table lists details and requirements for SOAR actions.

Note:
  • The SOAR actions listed here in italics are available as context actions.
  • [*] Required parameter
  • [**] One of the ** parameters is required for this action
  • Carbon Black Cloud modules that support SOAR actions are:
    • Carbon Black Cloud Endpoint Standard
    • Carbon Black Cloud Enterprise EDR
    • Carbon Black Cloud Audit and Remediation
Tip:

To see what Carbon Black Cloud modules are currently enabled in your environment, log in to the Carbon Black Cloud console. Click your username in the upper-right corner of the page. An Enabled tag displays next to any product feature that is available in your organization.

Table 1. SOAR Actions

Each entry below gives, in order: Action Name, Description, Input Parameters, Action Output, Required Access Level, Modules Supported, Minimum Version. Multiple access-level entries are separated by semicolons.

add ioc
  Description: Add IOC to feed/watchlist in Carbon Black Cloud
  Input Parameters: feed_id**, watchlist_id**, report_id*, ioc_id, cbc_field*, ioc_value*
  Action Output: ioc_id
  Required Access Level: Custom Detections: org.feeds - CREATE, READ, UPDATE; Custom Detections: org.watchlists - CREATE, READ, UPDATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

ban hash
  Description: Ban process by hash in Carbon Black Cloud
  Input Parameters: process_hash*
  Action Output: process_hash
  Required Access Level: Applications: org.reputations - CREATE, DELETE; Unified Binary Store: ubs.org.sha256 - READ
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

create feed
  Description: Create a feed in Carbon Black Cloud
  Input Parameters: feed_name*, feed_provider_url*, feed_summary*, feed_category*
  Action Output: feed_id
  Required Access Level: Custom Detections: org.feeds - CREATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

create report
  Description: Create a report in Carbon Black Cloud
  Input Parameters: feed_id**, report_save_as_watchlist**, report_name*, report_severity*, report_summary*, report_tags
  Action Output: report_id
  Required Access Level: Custom Detections: org.watchlists - CREATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

create watchlist
  Description: Create a watchlist in Carbon Black Cloud
  Input Parameters: watchlist_name*, watchlist_description, watchlist_tags_enabled, watchlist_alerts_enabled, watchlist_report_ids
  Action Output: watchlist_id
  Required Access Level: Custom Detections: org.watchlists - CREATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

delete feed
  Description: Delete a feed in Carbon Black Cloud
  Input Parameters: feed_id*
  Action Output: N/A
  Required Access Level: Custom Detections: org.feeds - DELETE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

delete file
  Description: Delete a file on a device
  Input Parameters: device_id*, file_name*
  Action Output: device_id, file_name
  Required Access Level: Device: device - READ; Live Response Session: org.liveresponse.session - CREATE, READ, DELETE; Live Response File: org.liveresponse.file - DELETE
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

delete report
  Description: Delete a report (or watchlist report) in Carbon Black Cloud
  Input Parameters: report_id*
  Action Output: N/A
  Required Access Level: Custom Detections: org.watchlists - DELETE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

delete watchlist
  Description: Delete a watchlist in Carbon Black Cloud
  Input Parameters: watchlist_id*
  Action Output: N/A
  Required Access Level: Custom Detections: org.watchlists - DELETE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

dismiss alert
  Description: Dismiss (close) a Carbon Black Cloud alert
  Input Parameters: alert_id*
  Action Output: alert_id
  Required Access Level: Alerts: org.alerts - READ; Alerts: org.alerts.close - EXECUTE; Background tasks: jobs.status - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

dismiss future alerts
  Description: Dismiss (close) all Carbon Black Cloud alerts that are associated with the same threat
  Input Parameters: alert_id*, remediation_status**, comment**
  Action Output: N/A
  Required Access Level: Alerts: org.alerts - READ; Alerts: org.alerts.close - EXECUTE
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.1.0

execute command
  Description: Execute a command on a device in Carbon Black Cloud
  Input Parameters: device_id*, command_line*, timeout, work_dir
  Action Output: device_id, command_line, stdout
  Required Access Level: Device: device - READ; Live Response Session: org.liveresponse.session - CREATE, READ, DELETE; Live Response Process: org.liveresponse.process - EXECUTE; Live Response File: org.liveresponse.file - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

get asset info
  Description: Get detailed information about the asset (device) from Carbon Black Cloud
  Input Parameters: device_id*
  Action Output: device_id, device_name, os, internal_ip_address, external_ip_address, status, last_contact_time, sensor_version, sensor_states
  Required Access Level: Device: device - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.1.0

get binary file
  Description: Get a binary file from the Unified Binary Store
  Input Parameters: file_hash*
  Action Output: vault_id, file_hash, file_name
  Required Access Level: Unified Binary Store: ubs.org.sha256 - READ; Unified Binary Store: ubs.org.file - READ
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

get binary metadata
  Description: Get binary metadata from Carbon Black Cloud
  Input Parameters: file_hash*
  Action Output: sha256, architecture, available_file_size, charset_id, comments, company_name, copyright, file_available, file_description, file_size, file_version, internal_name, lang_id, md5, original_filename, os_type, private_build, product_description, product_name, product_version, special_build, trademark
  Required Access Level: Unified Binary Store: ubs.org.sha256 - READ
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

get cleared eventlogs
  Description: From the specified Windows device, get the event logs that have been cleared
  Input Parameters: device_id*
  Action Output: datetime, domain, user, sid
  Required Access Level: Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE
  Modules Supported: Carbon Black Cloud Audit and Remediation
  Minimum Version: 1.1.0

get cron jobs
  Description: From the specified device, get a list of scheduled cron jobs
  Input Parameters: device_id*
  Action Output: name, minute, hour, day_of_month, month, day_of_week, command, path
  Required Access Level: Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE
  Modules Supported: Carbon Black Cloud Audit and Remediation
  Minimum Version: 2.0.0

get enriched event
  Description: Get an enriched event from Carbon Black Cloud
  Input Parameters: alert_id*
  Action Output: event_id, event_type, event_description, alert_id, alert_category, backend_timestamp, device_id, device_name, device_os, device_policy, process_name, process_hash, parent_pid, process_pid
  Required Access Level: Alerts: org.alerts - READ; Search: org.search.events - CREATE, READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0
  Note: Deprecated in 2.0.0

get file
  Description: Get a file from a device
  Input Parameters: device_id*, file_name*
  Action Output: vault_id, file_name, device_id
  Required Access Level: Device: device - READ; Live Response Session: org.liveresponse.session - CREATE, READ, DELETE; Live Response File: org.liveresponse.file - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

get observations
  Description: Get observations from Carbon Black Cloud
  Input Parameters: alert_id*
  Action Output: observation_id, observation_type, alert_id, alert_category, backend_timestamp, device_id, device_name, device_os, device_policy, process_name, process_hash, parent_pid, process_pid
  Required Access Level: Alerts: org.alerts - READ; Search: org.search.events - CREATE, READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 2.0.0

get process metadata
  Description: Get process metadata
  Input Parameters: process_guid*
  Action Output: process_name, process_sha256, process_pid, process_cmdline, parent_pid, alert_id, alert_category, backend_timestamp, device_id, device_name, device_os, device_policy
  Required Access Level: Search: org.search.events - CREATE, READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

get rdp info
  Description: Get RDP connection information
  Input Parameters: device_id*
  Action Output: process_pid, process_name, process_cmdline, local_address, remote_address, local_port, remote_port
  Required Access Level: Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE
  Modules Supported: Carbon Black Cloud Audit and Remediation
  Minimum Version: 1.1.0

get scheduled task
  Description: From the specified device, get a list of scheduled tasks
  Input Parameters: device_id*
  Action Output: name, action, path, enabled, state, hidden, last_run_time, next_run_time, last_run_message, last_run_code
  Required Access Level: Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE
  Modules Supported: Carbon Black Cloud Audit and Remediation
  Minimum Version: 1.1.0

kill process
  Description: Kill a process on a Carbon Black Cloud endpoint
  Input Parameters: device_id*, process_pid**, process_name**, process_hash**, process_guid**
  Action Output: process_pid, process_name, process_killed
  Required Access Level: Device: device - READ; Live Response Session: org.liveresponse.session - CREATE, READ, DELETE; Live Response Process: org.liveresponse.process - READ, DELETE; Search: org.search.events - CREATE, READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

list logged users
  Description: List users that are logged in to the specified device
  Input Parameters: device_id*
  Action Output: login_type, user, device_name, host, time, process_pid, sid, registry_hive, process_name, cmdline
  Required Access Level: Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE
  Modules Supported: Carbon Black Cloud Audit and Remediation
  Minimum Version: 1.1.0

list persistence locations
  Description: List Windows persistence locations
  Input Parameters: device_id*
  Action Output: path, name, source
  Required Access Level: Live Query: livequery.manage - CREATE, READ, UPDATE, DELETE
  Modules Supported: Carbon Black Cloud Audit and Remediation
  Minimum Version: 1.1.0

list policies
  Description: List device policies in Carbon Black Cloud
  Input Parameters: N/A
  Action Output: id, name, description, num_devices, priority_level
  Required Access Level: Policies: org.policies - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

list processes
  Description: List processes on a device in Carbon Black Cloud
  Input Parameters: device_id*
  Action Output: process_pid, process_path, sid, parent_pid, process_cmdline, process_username, process_create_time, parent_create_time
  Required Access Level: Device: device - READ; Live Response Session: org.liveresponse.session - CREATE, READ, DELETE; Live Response Process: org.liveresponse.process - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

normalize artifact
  Description: Normalize an artifact ingested by the Splunk App for Splunk Phantom
  Input Parameters: raw*, artifact_id*
  Action Output: artifact_id
  Required Access Level: N/A
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

on poll
  Description: Callback action for the on_poll ingest functionality
  Input Parameters: container_id, start_time, end_time, container_count**, artifact_count**
  Action Output: N/A
  Required Access Level: Alerts: org.alerts - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

quarantine device
  Description: Quarantine a device in Carbon Black Cloud
  Input Parameters: device_id*
  Action Output: device_id
  Required Access Level: Device: device - READ; Device: device.quarantine - EXECUTE
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

remove ioc feed
  Description: Remove an IOC from a feed in Carbon Black Cloud
  Input Parameters: feed_id*, report_id*, ioc_id**, ioc_value**
  Action Output: N/A
  Required Access Level: Custom Detections: org.feeds - CREATE, READ, UPDATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

remove ioc watchlist
  Description: Remove an IOC from a watchlist in Carbon Black Cloud
  Input Parameters: watchlist_id*, report_id*, ioc_id**, ioc_value**
  Action Output: N/A
  Required Access Level: Custom Detections: org.watchlists - CREATE, READ, UPDATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

retrieve feed
  Description: Retrieve a feed in Carbon Black Cloud
  Input Parameters: feed_id*
  Action Output: feed_id, feed_name, access, summary, category, provider_url, reports_count
  Required Access Level: Custom Detections: org.feeds - READ
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

retrieve iocs
  Description: Retrieve IOCs for a given report in Carbon Black Cloud
  Input Parameters: watchlist_id**, feed_id**, report_id*
  Action Output: ioc_id, match_type, field, values
  Required Access Level: Custom Detections: org.watchlists - READ
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

retrieve watchlist
  Description: Retrieve a watchlist in Carbon Black Cloud
  Input Parameters: watchlist_id*
  Action Output: watchlist_id, watchlist_name, description, tags_enabled, alerts_enabled, create_timestamp, last_update_timestamp, report_ids
  Required Access Level: Custom Detections: org.watchlists - READ
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

set device policy
  Description: Set the device policy of a Carbon Black Cloud endpoint
  Input Parameters: device_id*, policy_id**, policy_name**
  Action Output: policy_id, policy_name, device_id
  Required Access Level: Policies: org.policies - READ; Device: device.policy - UPDATE; Device: device - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

test connectivity
  Description: Validate the asset configuration for connectivity with the supplied configuration
  Input Parameters: N/A
  Action Output: N/A
  Required Access Level: Alerts: org.alerts - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

unban hash
  Description: Unban process by hash in Carbon Black Cloud
  Input Parameters: process_hash*
  Action Output: process_hash
  Required Access Level: Applications: org.reputations - READ, CREATE, DELETE; Unified Binary Store: ubs.org.sha256 - READ
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

unquarantine device
  Description: Unquarantine a device in Carbon Black Cloud
  Input Parameters: device_id*
  Action Output: device_id
  Required Access Level: Device: device - READ; Device: device.quarantine - EXECUTE
  Modules Supported: Carbon Black Cloud Endpoint Standard, Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

update feed
  Description: Update a feed in Carbon Black Cloud
  Input Parameters: feed_id*, feed_name*, feed_provider_url*, feed_summary*, feed_category*
  Action Output: feed_id
  Required Access Level: Custom Detections: org.feeds - UPDATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0

update watchlist
  Description: Update a watchlist in Carbon Black Cloud
  Input Parameters: watchlist_id*, watchlist_name*, watchlist_description, watchlist_tags_enabled, watchlist_alerts_enabled, add_report_ids, remove_report_ids
  Action Output: watchlist_id
  Required Access Level: Custom Detections: org.watchlists - UPDATE
  Modules Supported: Carbon Black Cloud Enterprise EDR
  Minimum Version: 1.0.0