Carbon Black Cloud: How To Use Postman to Retrieve Data Via API


  • Carbon Black Cloud: All Supported Versions
  • Postman Utility for Windows


Retrieve data available via Carbon Black's REST API


  1. Prepare the following:
     a. Determine the API URL (e.g. Carbon Black Cloud); see What URLs are used to access the APIs?
     b. Determine the API type (Alerts, Devices, etc.); see Carbon Black Cloud REST API Reference
     c. Obtain API credentials from the console (Settings → API Access) and note down both your API ID and secret key
  2. Execute the query in Postman:
     a. Click the orange "New" button on the upper left-hand side
     b. Give the request a name related to the query to retrieve. As an example, for events, use: /devices/_search (see REST API Reference)
     c. Create a collection in which to save the request, using a pertinent name, for example Carbon Black Cloud
     d. Save the request
     e. Enter the API path next to the "GET" button (For example for the devices API in PROD05)
     f. Under the "Params" tab, enter the query parameters, one parameter per row (see Carbon Black Cloud REST API Reference)
     g. Under the "Headers" tab, add a new row and name it X-Auth-Token (under the "key" column); do not enter your X-Auth-Token in the parameters section
     h. Next to X-Auth-Token, enter your Secret Key/API ID combination as its value, in the form [API Secret Key]/[API ID], without brackets or spaces (see Carbon Black Cloud API Access, under the "Creating an API Key" section, step 6)
     i. Click the blue "Send" button to retrieve the data

Additional Notes

  • As observed above, parameters should be entered in the "Params" section; the authorization token (X-Auth-Token) should be entered in the "Headers" tab
  • There is a hard limit of 5k rows on the /devices API per call, and a hard limit of 10k rows on the /events API at maximum. Use the "start" and "rows" parameters to retrieve a higher number of records than those allowed by default; exceeding the maximum is still not permitted. See API Pagination for more information
  • VMware Carbon Black is working on an enhancement that will allow console administrators to export filtered investigation and alert results as CSV. Feel free to upvote the idea/enhancement request
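
The request built in the steps above, combined with the start/rows paging from the notes, as an added Python example (not code from Carbon Black or from the original article). The base URL, credentials and page sizes are constructed placeholders, and treating "start" as a 0-based offset whose sum with "rows" stays within the hard limit is an assumption; see API Pagination for the actual semantics.

```python
import urllib.parse
import urllib.request

DEVICES_HARD_LIMIT = 5000   # hard limits quoted in the article's notes
EVENTS_HARD_LIMIT = 10000


def auth_token(secret_key, api_id):
    """X-Auth-Token value: [API Secret Key]/[API ID], without brackets or spaces."""
    for part in (secret_key, api_id):
        if not part or any(ch.isspace() or ch in "[]" for ch in part):
            raise ValueError("credentials must be non-empty, no brackets or spaces")
    return f"{secret_key}/{api_id}"


def build_request(base_url, api_path, params, secret_key, api_id):
    """GET request: query parameters in the URL, the token only in a header."""
    if any(name.lower() == "x-auth-token" for name in params):
        raise ValueError("X-Auth-Token belongs in the headers, not the parameters")
    url = base_url.rstrip("/") + api_path + "?" + urllib.parse.urlencode(params)
    headers = {"X-Auth-Token": auth_token(secret_key, api_id)}
    return urllib.request.Request(url, headers=headers, method="GET")


def page_windows(wanted, page_size, hard_limit):
    """(start, rows) pairs covering `wanted` records without passing hard_limit.

    Assumption: `start` is a 0-based offset and the limit caps start + rows.
    """
    if page_size < 1:
        raise ValueError("page_size must be at least 1")
    total = min(wanted, hard_limit)
    windows, start = [], 0
    while start < total:
        rows = min(page_size, total - start)
        windows.append((start, rows))
        start += rows
    return windows


if __name__ == "__main__":
    # Constructed placeholders; in practice read the credentials from the
    # environment or a secrets store rather than hard-coding them.
    base, path = "https://cbc.example.invalid", "/devices/_search"
    for start, rows in page_windows(12000, 2000, DEVICES_HARD_LIMIT):
        req = build_request(base, path, {"start": start, "rows": rows},
                            "SECRETKEY", "APIID")
        print(req.get_method(), req.full_url)  # the token never appears in the URL
        # urllib.request.urlopen(req) would send it; omitted so this runs offline
```

Keeping the token out of the query string keeps it out of URLs that proxies, browser history and server access logs record.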

