VMware Carbon Black provides a rich set of APIs for all its cloud and on-prem solutions. Now you can also get container runtime alerts, thanks to the latest version of the CBC Python SDK. If you are a developer and want to use Carbon Black APIs, browse https://developer.carbonblack.com/ for all the documentation and examples already available.
In this blog, I will start from a fresh Ubuntu Linux version 22.04, install CBC SDK, connect to a CBC instance with some CBC Container alerts, and print those alerts in the Linux terminal.
CBC python SDK
Install CBC python SDK
You can install the Carbon Black Cloud Python SDK using either PyPI or GitHub. I will use pip, because it will automatically install all dependencies, and will ease the life cycle management of the SDK.
# Install pip on Ubuntu 22.04
sudo apt install python3-pip
# Install Carbon Black Cloud SDK
pip install carbon-black-cloud-sdk
Update CBC python SDK
If you installed the CBC SDK a long time ago, it's probably time to update it to get the latest features and fixes:
# Update Carbon Black Cloud SDK
pip install --upgrade carbon-black-cloud-sdk --force
Uninstall CBC python SDK
In case you want to uninstall the SDK, you can use this command line, but do not do it now:
# Uninstall Carbon Black Cloud SDK
pip uninstall carbon-black-cloud-sdk
To use the SDK and access data in Carbon Black Cloud, you must set up API keys with the correct permissions. Different APIs have different permission requirements, which are explained in the Developer Network Authentication Guide; that guide also gives you the URL to put in the credentials file shown below.
The SDK manages your API credentials for you. There are multiple ways to supply the SDK with your API credentials, which are explained in Authentication.
You need to create a file ~/.carbonblack/credentials.cbc and this file should look like this:
[default]
url=https://example.net
token=ABCDEFGHGIJKLMNOPQRSTUVWX/ABCDEFGHIJ
org_key=A1B2C3D4
ssl_verify=True
On UNIX systems, you must make sure that the credentials.cbc file is properly secured. The simplest commands for doing so are:
chmod 600 ~/.carbonblack/credentials.cbc
chmod 700 ~/.carbonblack
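Before running any script, it is worth checking that the credentials file really has the modes and the contents described above. The following is an added example, not code from the original post or from the CBC SDK: it verifies the 0600/0700 permission bits and parses the chosen profile for url, token and org_key. The https and ssl_verify checks are my own assumptions about what a sane profile looks like, and SAMPLE_PROFILE is a constructed placeholder, not a real key.

```python
#!/usr/bin/env python3
# Added example (not from the original post or the CBC SDK): sanity-check
# ~/.carbonblack/credentials.cbc before the SDK reads it. It verifies the
# 0600 / 0700 modes recommended above and that the chosen profile carries
# url, token and org_key. The https and ssl_verify checks are my assumptions
# about what a sane profile looks like; SAMPLE_PROFILE is constructed.
import configparser
import stat
from pathlib import Path

SAMPLE_PROFILE = """[default]
url=https://example.net
token=PLACEHOLDER-API-ID/PLACEHOLDER-API-SECRET
org_key=A1B2C3D4
ssl_verify=True
"""

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO   # any permission bit for group or others


def mode_findings(file_mode, dir_mode, file_label="credentials.cbc", dir_label="~/.carbonblack"):
    """Compare permission bits with the expected 0600 (file) and 0700 (directory)."""
    findings = []
    if file_mode & GROUP_OR_OTHER:
        findings.append(f"{file_label}: mode {file_mode:04o}, expected 0600")
    if dir_mode & GROUP_OR_OTHER:
        findings.append(f"{dir_label}: mode {dir_mode:04o}, expected 0700")
    return findings


def profile_findings(text, profile="default"):
    """Parse the INI text and report missing or weak settings in the given profile."""
    parser = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    parser.read_string(text)
    if not parser.has_section(profile):
        return [f"profile [{profile}] not found"]
    findings = []
    for key in ("url", "token", "org_key"):
        if not parser.get(profile, key, fallback="").strip():
            findings.append(f"[{profile}] missing {key}")
    url = parser.get(profile, "url", fallback="").strip()
    if url and not url.startswith("https://"):
        findings.append(f"[{profile}] url should use https://, got {url}")
    ssl_verify = parser.get(profile, "ssl_verify", fallback="True").strip().lower()
    if ssl_verify not in ("true", "1", "yes", "on"):
        findings.append(f"[{profile}] ssl_verify={ssl_verify} disables certificate checks")
    return findings


def check_credentials(path="~/.carbonblack/credentials.cbc", profile="default"):
    """Run both checks against a real file; an empty list means it looks good."""
    cred_file = Path(path).expanduser()
    if not cred_file.is_file():
        return [f"{cred_file}: not found"]
    findings = mode_findings(
        stat.S_IMODE(cred_file.stat().st_mode),
        stat.S_IMODE(cred_file.parent.stat().st_mode),
        str(cred_file),
        str(cred_file.parent),
    )
    findings += profile_findings(cred_file.read_text(), profile)
    return findings


if __name__ == "__main__":
    problems = check_credentials()
    print("\n".join(problems) if problems else "credentials file looks properly secured")
```

Run it once after creating the file; the permission and profile checks are split into pure functions so they can be exercised without touching the real home directory.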
#!/usr/bin/env python3
import sys
# CBC SDK Base
from cbc_sdk import CBCloudAPI
# CBC ContainerRuntimeAlert
from cbc_sdk.platform import ContainerRuntimeAlert

# API keys
cb = CBCloudAPI(profile='default')
# Get Container Runtime alerts from the last 12 weeks
alerts = cb.select(ContainerRuntimeAlert).set_time_range('last_update_time', range="-12w")
for alert in alerts:
    print(alert)
We can also print only one field, such as the reason for the alert or an IP address…
So here we can get the alerts' reasons, and sort them to see each reason only once:
slist@ubuntu22:~$ ./cbc-alerts.py | sort | uniq
A workload ran a port scan internally
A workload ran a port scan on egress destinations
Detected a connection to a destination with a known malicious reputation
Detected a connection to a private network that isn't allowed for this scope
Detected a connection to a public destination that isn't allowed for this scope
Detected an abnormal egress connection with medium or low risk
Detected an abnormal internal connection with medium or low risk
And now, if I want to list all remote IPs on alerts with the reason “Detected a connection to a destination with a known malicious reputation”:
#!/usr/bin/env python3
import sys
# CBC SDK Base
from cbc_sdk import CBCloudAPI
# CBC ContainerRuntimeAlert
from cbc_sdk.platform import ContainerRuntimeAlert

# API keys
cb = CBCloudAPI(profile='default')
# Get Container Runtime alerts from the last 12 weeks
alerts = cb.select(ContainerRuntimeAlert).set_time_range('last_update_time', range="-12w")
for alert in alerts:
    if "malicious" in alert.reason:
        print(alert.remote_ip)
And once again, you can create a list of unique malicious IPs (malicious IPs have been hidden below).
slist@ubuntu22:~$ ./cbc-alerts.py | sort | uniq
xxx.xxx.xxx.xxx
yyy.yyy.yyy.yyy
What to do next
Now that you have all the malicious IPs reached by your K8s clusters, you can block them using a SOAR, or you could build a network policy for Antrea…
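Here is an added example, not code from the original post, that does the `sort | uniq` triage of the two scripts above in Python and then takes the "network policy for Antrea" idea one step further by rendering the unique malicious destinations as an egress Drop rule. SampleAlert and SAMPLE_ALERTS are constructed stand-ins for the ContainerRuntimeAlert objects the scripts read .reason and .remote_ip from (the functions accept the real objects returned by cb.select(...) just the same); the addresses come from RFC 5737 documentation ranges, not real indicators. The YAML layout is my assumption about the Antrea ClusterNetworkPolicy schema (apiVersion, tier and field names), so check it against the Antrea version you run before applying it.

```python
#!/usr/bin/env python3
# Added example (not from the original post): do the `sort | uniq` triage of
# the post's scripts in Python, and turn the unique destinations flagged with a
# malicious reputation into an Antrea ClusterNetworkPolicy that drops egress
# to them. SampleAlert and SAMPLE_ALERTS are CONSTRUCTED stand-ins for the
# ContainerRuntimeAlert objects the post reads .reason and .remote_ip from.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MALICIOUS_REASON = "Detected a connection to a destination with a known malicious reputation"


@dataclass
class SampleAlert:
    reason: str
    remote_ip: str


# Constructed sample data; addresses are from RFC 5737 documentation ranges, not real IoCs.
SAMPLE_ALERTS = [
    SampleAlert(MALICIOUS_REASON, "203.0.113.10"),
    SampleAlert(MALICIOUS_REASON, "203.0.113.10"),           # same destination twice
    SampleAlert(MALICIOUS_REASON, "198.51.100.7"),
    SampleAlert("A workload ran a port scan internally", "10.0.0.5"),
    SampleAlert("Detected an abnormal egress connection with medium or low risk", "203.0.113.10"),
    SampleAlert(MALICIOUS_REASON, "not-an-ip"),              # malformed field, must not reach the policy
]


def count_reasons(alerts):
    """Like `./cbc-alerts.py | sort | uniq -c`: how many alerts carry each reason."""
    return Counter(alert.reason for alert in alerts)


def malicious_destinations(alerts):
    """Unique, syntactically valid remote IPs from alerts with the malicious-reputation reason."""
    found = set()
    for alert in alerts:
        if "malicious" not in alert.reason:       # same substring match as the post's script
            continue
        try:
            found.add(str(ip_address(alert.remote_ip)))
        except ValueError:
            continue                               # skip anything that is not an IP address
    return sorted(found, key=ip_address)


def antrea_egress_block_policy(ips, name="block-malicious-egress"):
    """Render a cluster-wide egress Drop policy for the given IPs.

    The YAML layout follows the Antrea ClusterNetworkPolicy CRD as assumed in
    the lead-in; check apiVersion/tier against the Antrea version you run.
    """
    if not ips:
        raise ValueError("no destinations to block; refusing to emit an empty Drop rule")
    blocks = "\n".join(
        f"        - ipBlock:\n            cidr: {ip_network(ip)}" for ip in ips  # /32 or /128 per address
    )
    return (
        "apiVersion: crd.antrea.io/v1alpha1\n"
        "kind: ClusterNetworkPolicy\n"
        "metadata:\n"
        f"  name: {name}\n"
        "spec:\n"
        "  priority: 5\n"
        "  tier: securityops\n"
        "  appliedTo:\n"
        "    - namespaceSelector: {}\n"
        "  egress:\n"
        "    - action: Drop\n"
        "      name: drop-malicious-destinations\n"
        "      to:\n"
        f"{blocks}\n"
    )


if __name__ == "__main__":
    for reason, n in count_reasons(SAMPLE_ALERTS).most_common():
        print(f"{n:4d}  {reason}")
    ips = malicious_destinations(SAMPLE_ALERTS)
    print("\nunique malicious destinations:", ips)
    print("\n" + antrea_egress_block_policy(ips))
```

Two details matter in practice: the IP validation keeps a malformed or empty remote_ip field from producing a broken CIDR in the policy, and the function refuses to render a rule with no destinations, so an empty query result cannot turn into a policy that drops nothing or, worse, everything.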
Congratulations! If you read through this article, let's call for a double celebration if you have reproduced it in your Lab! And, remember, I like your feedback. Send me an email to let me know what you think about this article.