Environment
- Carbon Black Cloud: All Supported Versions
- Postman Utility for Windows
Objective
Retrieve data available via Carbon Black's REST API
Resolution
- Prepare the following:
- Execute query in Postman
a. Click the orange "New" button on the upper left-hand side
b. Give the request a name related to the query to retrieve. As an example, for events, use: /devices/_search (see REST API Reference)
c. Create a collection in which to save the request, using a pertinent name (for example, Carbon Black Cloud)
d. Save the request
e. Enter the API path next to the "GET" button (for example, https://defense-prod05.conferdeploy.net/appservices/v6/orgs/ORG-KEY/devices/_search? for the devices API in PROD05)
f. Under the "Params" tab, enter the query parameters, one parameter per row (see Carbon Black Cloud REST API Reference)
g. Under the "Headers" tab, add a new row and name it X-Auth-Token (under the "key" column). Do not enter your X-Auth-Token in the parameters section
h. Next to the X-Auth-Token, enter your Secret Key/API ID combination as its value, in the form [API Secret Key]/[API ID], without brackets or spaces (see Carbon Black Cloud API Access, under the "Creating an API Key" section, step 6)
i. Click the blue "Send" button to retrieve the data
Additional Notes
- As observed above, parameters should be entered in the "Params" section; the authorization token (X-Auth-Token) should be entered in the "Headers" tab
- There is a hard limit of 5k rows on the /devices API per call, and a hard limit of 10k rows on the /events API at maximum. Use the "start" and "rows" parameters to retrieve more records than are returned by default; exceeding the maximum is still not permitted. See API Pagination for more information
- VMware Carbon Black is working on an enhancement that will allow console administrators to export filtered investigation and alert results as CSV. Feel free to upvote the idea/enhancement request
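The same request built in Python, as an added example that is not part of the original article or Carbon Black's own code: it keeps the token in the X-Auth-Token header, rejects it as a query parameter, and splits a large device query into "start"/"rows" pages under the 5k per-call limit. The zero-based "start" offset and the placeholder credentials are assumptions; the host, path and GET method are the ones the article uses.

```python
import urllib.parse
import urllib.request

# Host and path are the article's example; ORG-KEY is the article's placeholder.
BASE = "https://defense-prod05.conferdeploy.net/appservices/v6/orgs/{org_key}"
DEVICES_MAX_ROWS = 5000  # hard per-call limit on /devices stated in the notes


def build_request(org_key, path, params, api_secret, api_id):
    """Build (but do not send) the request the Postman steps describe."""
    # Step g: the token must never travel as a query parameter, because
    # query strings end up in URLs that proxies and histories record.
    if any(k.lower() == "x-auth-token" for k in params):
        raise ValueError("X-Auth-Token belongs in the headers, not the params")
    url = BASE.format(org_key=org_key) + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method="GET")
    # Step h: [API Secret Key]/[API ID], without brackets or spaces.
    req.add_header("X-Auth-Token", f"{api_secret.strip()}/{api_id.strip()}")
    return req


def plan_pages(total, cap=DEVICES_MAX_ROWS, first=0):
    """Split `total` rows into start/rows pairs that respect the per-call cap.
    Assumption: `start` is a zero-based offset; pass `first=1` if it is not."""
    pages, start, remaining = [], first, total
    while remaining > 0:
        rows = min(cap, remaining)
        pages.append({"start": start, "rows": rows})
        start += rows
        remaining -= rows
    return pages


def paged_requests(org_key, api_secret, api_id, total):
    """One prepared request per page of the /devices/_search query."""
    return [build_request(org_key, "/devices/_search", p, api_secret, api_id)
            for p in plan_pages(total)]


if __name__ == "__main__":
    # Constructed placeholder credentials; real ones come from the console.
    for r in paged_requests("ORG-KEY", "SECRET-PLACEHOLDER", "ID-PLACEHOLDER", 12000):
        print(r.get_method(), r.full_url)  # the URL carries no credential
        # urllib.request.urlopen(r) would send it; left out so this runs offline.
```
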