CarbonCLI is a PowerShell module for managing Carbon Black Cloud constructs. It provides cmdlets for the most common actions: managing sensors (devices), policies, alerts, watchlists, feeds, and so on.
Requirements
- At least one Carbon Black Cloud product:
  - Carbon Black Cloud Endpoint Standard
  - Carbon Black Cloud Enterprise EDR
- A Custom API key (see below)
- PowerShell 7.x or later
Custom API Key
Every cmdlet calls the Carbon Black Cloud API with a Custom API key, and the key's access level must grant the permission listed for that cmdlet in the table below. The access level is the only thing bounding what a script (or anyone who obtains the key) can do, so create a dedicated access level and key per automation that grants just the rows it needs, rather than reusing one broad key across scripts.
To create the access level, open the Carbon Black Cloud console and go to Settings > API Access > Access Level > Add Access Level. Then create the key at Settings > API Access > API Keys and assign that access level to it. For details, see Setting up API Access.
Cmdlet Permissions
The following table lists, for each cmdlet, the operation (READ, CREATE, UPDATE, DELETE or EXECUTE) and the permission (shown as category > subcategory > permission name) that the key's access level must grant. Cmdlets that can perform several actions (for example Set-CbcDevice) appear once per action; grant only the rows for the actions you actually use.

Cmdlet | Action | Permissions
---|---|---
Get-CbcAlerts | Retrieve alerts | READ Alerts > General information > org.alerts
Get-CbcDevice | Retrieve devices | READ Device > General information > device
Get-CbcFeed | Retrieve feeds | READ Custom Detections > Feeds > org.feeds
Get-CbcFeedDetails | Retrieve feed details | READ Custom Detections > Feeds > org.feeds
Get-CbcIoc | Retrieve IOCs in a report | READ Custom Detections > Feeds > org.feeds
Get-CbcJob | Retrieve the status of an async job | READ, CREATE Search > Events > org.search.events
Get-CbcObservation | Retrieve observations | READ, CREATE Search > Events > org.search.events
Get-CbcObservationDetails | Retrieve observation details | READ, CREATE Search > Events > org.search.events
Get-CbcPolicy | Retrieve policies | READ Device > Policy assignment > org.policies
Get-CbcPolicyDetails | Retrieve policy details | READ Device > Policy assignment > org.policies
Get-CbcProcess | Retrieve processes | READ, CREATE Search > Events > org.search.events
Get-CbcProcessDetails | Retrieve process details | READ, CREATE Search > Events > org.search.events
Get-CbcReport | Retrieve a report in a feed | READ Custom Detections > Feeds > org.feeds
Get-CbcWatchlist | Retrieve watchlists | READ Custom Detections > Watchlists > org.watchlists
New-CbcFeed | Create feeds | CREATE Custom Detections > Feeds > org.feeds
New-CbcFeed | Update feed metadata | UPDATE Custom Detections > Feeds > org.feeds
New-CbcIoc | Create IOCs | CREATE Custom Detections > Feeds > org.feeds
New-CbcIoc | Update IOC metadata | UPDATE Custom Detections > Feeds > org.feeds
New-CbcReport | Create reports | CREATE Custom Detections > Feeds > org.feeds
New-CbcReport | Update report metadata | UPDATE Custom Detections > Feeds > org.feeds
New-CbcWatchlist | Create watchlists | CREATE Custom Detections > Watchlists > org.watchlists
New-CbcWatchlist | Update watchlist metadata | UPDATE Custom Detections > Watchlists > org.watchlists
Receive-CbcJob | Retrieve the results of an async job | READ, CREATE Search > Events > org.search.events
Remove-CbcFeed | Remove feeds | DELETE Custom Detections > Feeds > org.feeds
Remove-CbcIoc | Remove IOCs | DELETE Custom Detections > Feeds > org.feeds
Remove-CbcReport | Remove reports | DELETE Custom Detections > Feeds > org.feeds
Remove-CbcWatchlist | Remove watchlists | DELETE Custom Detections > Watchlists > org.watchlists
Set-CbcAlerts | Dismiss alerts | EXECUTE Alerts > Close > org.alerts.close
Set-CbcDevice | Update policy assignment | UPDATE Device > Policy assignment > device.policy
Set-CbcDevice | Start background scan | EXECUTE Device > Background scan > device.bg-scan
Set-CbcDevice | Enable/disable bypass | EXECUTE Device > Bypass > device.bypass
Set-CbcDevice | Enable/disable quarantine | EXECUTE Device > Quarantine > device.quarantine
Set-CbcDevice | Update sensor version | EXECUTE Device > Sensor kits > org.kits
Set-CbcDevice | Uninstall sensor | EXECUTE Device > Uninstall > device.uninstall
Set-CbcDevice | Deregister sensor | DELETE Device > Deregistered > device.deregistered
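The table above is what you need when sizing an access level for a script, and reading it by hand gets error-prone once a script calls a dozen cmdlets. The following is an added example, not code from CarbonCLI: it parses a script with PowerShell's own AST parser, collects every Cbc cmdlet it calls, and unions the permissions from the table into the smallest access level that would let the script run. The cmdlet-to-permission map is transcribed from the table; the function name Get-CbcRequiredPermission, the AST-scanning approach and the sample script (including its parameter names) are this example's own assumptions, not module API.

```powershell
# Added example (not part of CarbonCLI): derive the minimum Custom API key
# access level a script needs from the Cbc cmdlets it calls.
using namespace System.Management.Automation.Language

# Permission name and operations per cmdlet, transcribed from the table.
# Multi-action cmdlets (Set-CbcDevice, New-*) list every candidate row, so
# the result is an upper bound: drop rows for actions the script never uses.
$Search = @{ Perm = 'org.search.events'; Ops = 'READ', 'CREATE' }
$CbcCmdletPermissions = @{
    'Get-CbcAlerts'             = @{ Perm = 'org.alerts';       Ops = 'READ' }
    'Get-CbcDevice'             = @{ Perm = 'device';           Ops = 'READ' }
    'Get-CbcFeed'               = @{ Perm = 'org.feeds';        Ops = 'READ' }
    'Get-CbcFeedDetails'        = @{ Perm = 'org.feeds';        Ops = 'READ' }
    'Get-CbcIoc'                = @{ Perm = 'org.feeds';        Ops = 'READ' }
    'Get-CbcReport'             = @{ Perm = 'org.feeds';        Ops = 'READ' }
    'Get-CbcJob'                = $Search
    'Get-CbcObservation'        = $Search
    'Get-CbcObservationDetails' = $Search
    'Get-CbcProcess'            = $Search
    'Get-CbcProcessDetails'     = $Search
    'Receive-CbcJob'            = $Search
    'Get-CbcPolicy'             = @{ Perm = 'org.policies';     Ops = 'READ' }
    'Get-CbcPolicyDetails'      = @{ Perm = 'org.policies';     Ops = 'READ' }
    'Get-CbcWatchlist'          = @{ Perm = 'org.watchlists';   Ops = 'READ' }
    'New-CbcFeed'               = @{ Perm = 'org.feeds';        Ops = 'CREATE', 'UPDATE' }
    'New-CbcIoc'                = @{ Perm = 'org.feeds';        Ops = 'CREATE', 'UPDATE' }
    'New-CbcReport'             = @{ Perm = 'org.feeds';        Ops = 'CREATE', 'UPDATE' }
    'New-CbcWatchlist'          = @{ Perm = 'org.watchlists';   Ops = 'CREATE', 'UPDATE' }
    'Remove-CbcFeed'            = @{ Perm = 'org.feeds';        Ops = 'DELETE' }
    'Remove-CbcIoc'             = @{ Perm = 'org.feeds';        Ops = 'DELETE' }
    'Remove-CbcReport'          = @{ Perm = 'org.feeds';        Ops = 'DELETE' }
    'Remove-CbcWatchlist'       = @{ Perm = 'org.watchlists';   Ops = 'DELETE' }
    'Set-CbcAlerts'             = @{ Perm = 'org.alerts.close'; Ops = 'EXECUTE' }
    'Set-CbcDevice'             = @(
        @{ Perm = 'device.policy';       Ops = 'UPDATE' },
        @{ Perm = 'device.bg-scan';      Ops = 'EXECUTE' },
        @{ Perm = 'device.bypass';       Ops = 'EXECUTE' },
        @{ Perm = 'device.quarantine';   Ops = 'EXECUTE' },
        @{ Perm = 'org.kits';            Ops = 'EXECUTE' },
        @{ Perm = 'device.uninstall';    Ops = 'EXECUTE' },
        @{ Perm = 'device.deregistered'; Ops = 'DELETE' }
    )
}

# Assumed helper name (not a CarbonCLI cmdlet): parse a script, find every
# Cbc cmdlet it invokes, and return the union of permissions it needs.
function Get-CbcRequiredPermission {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($ScriptText, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { throw "Script does not parse: $($errors[0].Message)" }

    # Walk all command invocations, including those inside nested script blocks.
    $cmdlets = $ast.FindAll({ $args[0] -is [CommandAst] }, $true) |
        ForEach-Object { $_.GetCommandName() } |
        Where-Object { $_ -like '*-Cbc*' } |
        Sort-Object -Unique

    $needed  = @{}   # permission name -> set of operations
    $unknown = [System.Collections.Generic.List[string]]::new()
    foreach ($name in $cmdlets) {
        if (-not $CbcCmdletPermissions.ContainsKey($name)) { $unknown.Add($name); continue }
        foreach ($entry in @($CbcCmdletPermissions[$name])) {
            if (-not $needed.ContainsKey($entry.Perm)) {
                $needed[$entry.Perm] = [System.Collections.Generic.HashSet[string]]::new()
            }
            foreach ($op in @($entry.Ops)) { [void]$needed[$entry.Perm].Add($op) }
        }
    }

    $rows = foreach ($perm in ($needed.Keys | Sort-Object)) {
        [pscustomobject]@{ Permission = $perm; Operations = ($needed[$perm] | Sort-Object) -join ', ' }
    }
    # UnknownCmdlets are Cbc cmdlets missing from the table: look them up by hand.
    [pscustomobject]@{ Cmdlets = $cmdlets; UnknownCmdlets = $unknown; Permissions = $rows }
}

# Constructed sample automation (parameter names are placeholders): list
# devices, start a background scan on each, then pull alerts.
$sample = @'
$devices = Get-CbcDevice
foreach ($d in $devices) { Set-CbcDevice -Device $d -ScanNow }
Get-CbcAlerts | Where-Object { $_.Severity -ge 7 }
'@
$result = Get-CbcRequiredPermission -ScriptText $sample
$result.Permissions | Format-Table -AutoSize
```

For the sample script the output contains READ on device and org.alerts plus all seven Set-CbcDevice rows; since the script only starts a background scan, the access level you actually create keeps device.bg-scan EXECUTE and drops device.bypass, device.quarantine, device.uninstall, device.deregistered, device.policy and org.kits. Trimming those rows is the point of the exercise: a key that can only read devices and start scans does far less damage if the script or its host is compromised than one that can also put sensors in bypass or uninstall them.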