September 13, 2023

Carbon Black Container APIs Just got better! Get container runtime alerts with CBC python SDK

In this blog, we start from a fresh Ubuntu Linux 22.04 install, add the CBC SDK, connect to a CBC instance that has some CBC Container alerts, and print those alerts in the Linux terminal.

VMware Carbon Black provides a rich set of APIs for all cloud and on-prem solutions.  Now, you can get container runtime alerts thanks to the latest version of CBC python SDK.  If you are a developer and want to use Carbon Black APIs, you can browse https://developer.carbonblack.com/ to see all documentation, and examples already available. 

In this blog, I will start from a fresh Ubuntu Linux version 22.04, install CBC SDK, connect to a CBC instance with some CBC Container alerts, and print those alerts in the Linux terminal. 

CBC python SDK 

Install CBC python SDK 

You can install the Carbon Black Cloud Python SDK using either PyPI or GitHub.  I will use pip, because it will automatically install all dependencies, and will ease the life cycle management of the SDK. 

# Install pip on Ubuntu 22.04 
sudo apt install python3-pip 

# Install Carbon Black Cloud SDK 
pip install carbon-black-cloud-sdk

Update CBC python SDK 

If you have already installed CBC SDK a long time ago, it’s probably time to update it to get the latest updates and fixes: 

# Update Carbon Black Cloud SDK 
pip install --upgrade --force-reinstall carbon-black-cloud-sdk

Uninstall CBC python SDK 

In case you want to uninstall the SDK, use this command, but do not do it now:

# Uninstall Carbon Black Cloud SDK 
pip uninstall carbon-black-cloud-sdk 

API Credentials 

To use the SDK and access data in Carbon Black Cloud, you must set up API keys with the correct permissions. Different APIs have different permission requirements, which are explained in the Developer Network Authentication Guide. The same guide tells you which URL to put in the credentials file shown below.

The SDK manages your API credentials for you. There are multiple ways to supply the SDK with your API credentials, which are explained in Authentication.

You need to create a file ~/.carbonblack/credentials.cbc, and this file should look like this:

[default] 
url=https://example.net 
token=ABCDEFGHGIJKLMNOPQRSTUVWX/ABCDEFGHIJ 
org_key=A1B2C3D4 
ssl_verify=True 

On UNIX systems, you must make sure that the credentials.cbc file is properly secured. The simplest commands for doing so are: 

chmod 600 ~/.carbonblack/credentials.cbc 
chmod 700 ~/.carbonblack 
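The two chmod commands above are easy to forget, so here is a small check you can run before the SDK reads the file. This is an added example, not code from the post or from the CBC SDK; it builds a constructed credentials layout in a temporary directory (placeholder token and org_key, not real values), reports what is wrong with loose permissions, tightens them exactly as the post instructs, and checks again. The last lines also inspect the real ~/.carbonblack/credentials.cbc if one exists.

```python
#!/usr/bin/env python3
"""Check that a CBC credentials file has the chmod 600 / chmod 700 layout.

Added example, not part of the CBC SDK: run it before CBCloudAPI() so a
group- or world-readable token is reported instead of silently used.
"""
import os
import stat
import tempfile
from pathlib import Path

# Any group or other permission bit on the file or directory is a problem.
_GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def permission_problems(path):
    """Return a list of problems with `path` (a credentials.cbc file) and its
    parent directory. An empty list means chmod 600 / chmod 700 is in place."""
    path = Path(path)
    problems = []
    if not path.is_file():
        return [f"{path} does not exist or is not a regular file"]
    st = path.stat()
    if st.st_mode & _GROUP_OTHER_BITS:
        problems.append(
            f"{path} is {stat.filemode(st.st_mode)}; expected -rw------- (chmod 600)"
        )
    if st.st_uid != os.getuid():
        problems.append(f"{path} is not owned by the current user")
    dir_mode = path.parent.stat().st_mode
    if dir_mode & _GROUP_OTHER_BITS:
        problems.append(
            f"{path.parent} is {stat.filemode(dir_mode)}; expected drwx------ (chmod 700)"
        )
    return problems


def demo():
    """Create a constructed credentials layout in a temporary directory, check it
    with loose permissions, tighten it as the post instructs, and check again.
    Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        cred_dir = Path(tmp) / ".carbonblack"
        cred_dir.mkdir()
        cred_dir.chmod(0o755)  # deliberately too open
        cred_file = cred_dir / "credentials.cbc"
        # Placeholder values in the same shape as the file shown above.
        cred_file.write_text(
            "[default]\n"
            "url=https://example.net\n"
            "token=PLACEHOLDER/PLACEHOLDER\n"
            "org_key=A1B2C3D4\n"
            "ssl_verify=True\n"
        )
        cred_file.chmod(0o644)  # deliberately too open
        before = permission_problems(cred_file)

        cred_file.chmod(0o600)  # chmod 600 ~/.carbonblack/credentials.cbc
        cred_dir.chmod(0o700)   # chmod 700 ~/.carbonblack
        after = permission_problems(cred_file)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tightening:", *before, sep="\n  ")
    print("after tightening:", after or "no problems")
    # Also check the real file the SDK will read, if it exists.
    real = Path.home() / ".carbonblack" / "credentials.cbc"
    if real.exists():
        print(real, permission_problems(real) or "OK")
```

The check only looks at classic mode bits; if your system uses POSIX ACLs, run getfacl on the file as well, since an ACL can grant access that the mode string does not show.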

Get alerts 

#!/usr/bin/env python3

# CBC SDK Base
from cbc_sdk import CBCloudAPI

# CBC ContainerRuntimeAlert
from cbc_sdk.platform import ContainerRuntimeAlert

# API keys: 'default' is the [default] section of ~/.carbonblack/credentials.cbc
cb = CBCloudAPI(profile='default')

# Get Container Runtime alerts updated in the last 12 weeks
alerts = cb.select(ContainerRuntimeAlert).set_time_range('last_update_time', range="-12w")

# Print every alert in full
for alert in alerts:
    print(alert)


We can also print a single field of each alert, such as its reason or an IP address.

Just replace: 

print(alert) 

with 

print(alert.reason) 

So here we print only the alert reasons, and pipe them through sort and uniq to see each distinct reason once:

slist@ubuntu22:~$ ./cbc-alerts.py | sort | uniq 
A workload ran a port scan internally 
A workload ran a port scan on egress destinations 
Detected a connection to a destination with a known malicious reputation 
Detected a connection to a private network that isn't allowed for this scope 
Detected a connection to a public destination that isn't allowed for this scope 
Detected an abnormal egress connection with medium or low risk 
Detected an abnormal internal connection with medium or low risk 

And now, to list the remote IPs of all alerts whose reason is “Detected a connection to a destination with a known malicious reputation”:

#!/usr/bin/env python3

# CBC SDK Base
from cbc_sdk import CBCloudAPI

# CBC ContainerRuntimeAlert
from cbc_sdk.platform import ContainerRuntimeAlert

# API keys: 'default' is the [default] section of ~/.carbonblack/credentials.cbc
cb = CBCloudAPI(profile='default')

# Get Container Runtime alerts updated in the last 12 weeks
alerts = cb.select(ContainerRuntimeAlert).set_time_range('last_update_time', range="-12w")

# Print the remote IP of every alert whose reason mentions a malicious destination
# (guard against alerts with no reason, which would make the "in" test fail)
for alert in alerts:
    if alert.reason and "malicious" in alert.reason:
        print(alert.remote_ip)

And once again, you can create a list of unique malicious IPs (malicious IPs have been hidden below). 

slist@ubuntu22:~$ ./cbc-alerts.py | sort | uniq 
xxx.xxx.xxx.xxx 
yyy.yyy.yyy.yyy 
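The two scripts above lean on sort | uniq in the shell. The following added example (not code from the post or the CBC SDK) does the same grouping in Python: it counts alerts per reason, collects the distinct remote IPs behind each reason, and filters IPs by a keyword in the reason. It works on any objects exposing .reason and .remote_ip, so it runs offline on the constructed sample alerts below and, through fetch_from_cbc(), on real ContainerRuntimeAlert results using the same query as the post. SAMPLE_ALERTS, MALICIOUS_REASON, the summarize/ips_for_reason/fetch_from_cbc names and the sample IPs (RFC 5737 documentation ranges and private addresses) are all constructed for this example.

```python
#!/usr/bin/env python3
"""Group container runtime alerts by reason and collect the remote IPs behind
each reason, in Python rather than with `sort | uniq`.

Added example, not part of the CBC SDK. It works on any objects that expose
`.reason` and `.remote_ip`, so it runs offline on the constructed alerts below
and on real ContainerRuntimeAlert results from cb.select(...).
"""
from collections import Counter, defaultdict
from types import SimpleNamespace

MALICIOUS_REASON = "Detected a connection to a destination with a known malicious reputation"

# Constructed sample alerts (not real data), carrying only the two fields used here.
SAMPLE_ALERTS = [
    SimpleNamespace(reason=MALICIOUS_REASON, remote_ip="198.51.100.7"),
    SimpleNamespace(reason=MALICIOUS_REASON, remote_ip="192.0.2.10"),
    SimpleNamespace(reason=MALICIOUS_REASON, remote_ip="198.51.100.7"),  # repeat
    SimpleNamespace(reason="A workload ran a port scan internally", remote_ip="10.0.0.5"),
    SimpleNamespace(
        reason="Detected a connection to a private network that isn't allowed for this scope",
        remote_ip="10.1.2.3",
    ),
    SimpleNamespace(reason=None, remote_ip=None),  # alert with no reason or IP
]


def summarize(alerts):
    """Return (reason_counts, ips_by_reason): how many alerts carry each reason,
    and the set of distinct remote IPs seen for each reason."""
    reason_counts = Counter()
    ips_by_reason = defaultdict(set)
    for alert in alerts:
        reason = getattr(alert, "reason", None) or "<no reason>"
        reason_counts[reason] += 1
        remote_ip = getattr(alert, "remote_ip", None)
        if remote_ip:
            ips_by_reason[reason].add(remote_ip)
    return reason_counts, dict(ips_by_reason)


def ips_for_reason(alerts, keyword="malicious"):
    """Sorted, de-duplicated remote IPs of alerts whose reason contains `keyword`
    (case-insensitive): the `if "malicious" in alert.reason` filter plus `sort | uniq`."""
    _, ips_by_reason = summarize(alerts)
    return sorted(
        ip
        for reason, ips in ips_by_reason.items()
        if keyword.lower() in reason.lower()
        for ip in ips
    )


def fetch_from_cbc(weeks=12):
    """Pull the same alerts the post queries from a live CBC instance.
    The SDK is imported lazily so the rest of the module runs without it."""
    from cbc_sdk import CBCloudAPI
    from cbc_sdk.platform import ContainerRuntimeAlert

    cb = CBCloudAPI(profile="default")
    return cb.select(ContainerRuntimeAlert).set_time_range(
        "last_update_time", range=f"-{weeks}w"
    )


if __name__ == "__main__":
    counts, ips = summarize(SAMPLE_ALERTS)
    for reason, n in counts.most_common():
        print(f"{n:4d}  {reason}  ->  {sorted(ips.get(reason, []))}")
    print("malicious IPs:", ips_for_reason(SAMPLE_ALERTS))
```

To run it against your tenant, replace SAMPLE_ALERTS with fetch_from_cbc() in the main block; the counts per reason are a quick way to spot which detections dominate before you look at individual IPs.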

What to do next 

Now that you have every malicious IP reached by your K8s clusters, you can block them using a SOAR, or you could build a network policy for Antrea…
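One concrete form of that network policy, as an added example that is not code from the post, from Antrea or from the CBC SDK: a standard networking.k8s.io/v1 NetworkPolicy that allows all egress except the collected IPs. Antrea enforces standard Kubernetes NetworkPolicy, so the manifest can be applied to an Antrea cluster; Antrea's own ClusterNetworkPolicy CRD is not used here. The policy name, namespace and the sample IPs are placeholders standing in for the xxx.xxx.xxx.xxx list above.

```python
#!/usr/bin/env python3
"""Build a Kubernetes NetworkPolicy that allows all egress except a list of
malicious IPs taken from CBC container runtime alerts.

Added example, not from the post, Antrea or the CBC SDK. Name, namespace and
sample addresses are placeholders.
"""
import ipaddress
import json


def build_egress_block_policy(ips, name="block-cbc-malicious-egress", namespace="default"):
    """Return a NetworkPolicy dict selecting every pod in `namespace` whose only
    egress rule allows everything except the given addresses (as /32 or /128).

    Kubernetes NetworkPolicy has no deny rule, so blocking is expressed as an
    allow-all ipBlock with `except`. 0.0.0.0/0 covers only IPv4, so a ::/0
    block is emitted as well; without it a dual-stack pod would lose all IPv6
    egress the moment this policy is applied."""
    v4, v6 = set(), set()
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)  # ValueError on bad input
        (v4 if net.version == 4 else v6).add(net)
    to = []
    for cidr, exceptions in (("0.0.0.0/0", sorted(v4)), ("::/0", sorted(v6))):
        block = {"cidr": cidr}
        if exceptions:
            block["except"] = [str(n) for n in exceptions]
        to.append({"ipBlock": block})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {},          # all pods in the namespace
            "policyTypes": ["Egress"],  # ingress rules are left untouched
            "egress": [{"to": to}],
        },
    }


def to_manifest(policy):
    """JSON is a valid manifest format for `kubectl apply -f`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder IPs (RFC 5737 / RFC 3849 documentation ranges), with a repeat.
    blocked = ["192.0.2.10", "198.51.100.7", "198.51.100.7", "2001:db8::1"]
    print(to_manifest(build_egress_block_policy(blocked)))
```

Because the rule still allows 0.0.0.0/0 and ::/0, applying it changes nothing for pods except the listed addresses, and it composes with any stricter egress policies already in the namespace. Review the IP list before applying it: a shared CDN or cloud address flagged by reputation can take legitimate traffic down with it.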

Conclusion 

Congratulations! If you read through this article, let's call for a double celebration if you have reproduced it in your Lab!  And, remember, I like your feedback. Send me an email to let me know what you think about this article. 
