For a detailed breakdown of the specific rate limits, including the number of requests allowed within a given time frame and the response codes you might encounter when a limit is exceeded, please refer to VMware's official documentation.
Connection
To connect to VMware Carbon Black Cloud from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server URL
The server URL of VMware Carbon Black Cloud EDR.
https://defense.conferdeploy.net
Organization Key
The organization key to authenticate the API connection.
***
Token
The token to authenticate the API connection.
***
App ID
The App ID to authenticate the API connection.
***
API Version
The version of the API to use for the connection.
v6
Permission Requirements
Each endpoint in the VMware Carbon Black Cloud API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command
Required Permission (Access Levels)
Category
Permission Name
.Notion Name
Detailed permissions
Aggregation Search Enriched Events
Search
Events
org.search.events
CREATE + READ
Start Background Scan
Device
Background scan
device.bg-scan
EXECUTE
Block Hashes
Applications
Reputation
org.reputations
CREATE + READ
Update Device Policy
Device
Policy assignment
device.policy
UPDATE
Disable Bypass
Device
Bypass
device.bypass
EXECUTE
Enable Bypass
Device
Bypass
device.bypass
EXECUTE
Fetch Event (fetching for events Is Alert parameter = False only need the first row. Fetching Alerts Is Alert = True need row 1+2)
Search
Events
org.search.events
CREATE + READ
Alerts
General information
org.alerts
READ
Fetch Related Events
Search
Events
org.search.events
CREATE + READ
Get Alert By ID
Alerts
General information
org.alerts
READ
Get Device Info
Device
General information
device
READ
Get Event Associated With Process
Search
Events
org.search.events
READ
Get Processes
Search
Events
org.search.events
CREATE + READ
Quarantine Host
Device
Quarantine
device.quarantine
EXECUTE
Search Alerts
Alerts
General information
org.alerts
READ
Search Devices
Device
General information
device
READ
Stop Background Scan
Device
Background scan
device.bg-scan
EXECUTE
Unblock hashes
Applications
Reputation
org.reputations
READ + DELETE
Unquarantine Host
Device
Quarantine
device.quarantine
EXECUTE
Test Connection
Alerts
General information
org.alerts
Read
Reader Note
The Test Connection command requires the "Alert Read Access Level" to run. However, for other commands, this level is not mandatory. A connector without the “Alert Read Access Level” will fail a test connection, but commands will still be able to run provided you have the required access levels enabled for your API key.
Configuring VMware Carbon Black Cloud to Work with D3 SOAR
Create Access Levels
To access the data in your Carbon Black Cloud integrations through APIs, you must determine the appropriate access level for your API. Refer to VMware's documentation step-by-step instructions.
Applying an Access Level to an API Key
Apply the custom access level to an API key. Refer to VMware's documentation step-by-step instructions. Copy and save the API key after configuration, it will be required to build the integration connection in D3 SOAR.
After completing your setup, you can find the Organization Key on the API Access page. The Token (API Secret Key) and App ID are available when you create the key. You will need this information when building a connector in D3 SOAR.
Configuring D3 SOAR to Work with VMware Carbon Black Cloud
Log in to D3 SOAR.
Find the VMware Carbon Black Cloud integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type VMware Carbon Black Cloud in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to VMware Carbon Black Cloud.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection. 1. Input the Server URL (domain level). The default value is https://defense.conferdeploy.net. 2. Copy the Organization Key from the VMware Carbon Black Cloud platform. The Organization Key can be found on the API Access page. Refer to Configuring VMware Carbon Black Cloud to Work with D3 SOAR for instructions. 3. Input the Token and App ID. Token (API Secret Key) and App ID can be obtained when creating the key. Refer to Configuring VMware Carbon Black Cloud to Work with D3 SOAR for instructions. 4. Input the API Version. The default value is v6.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
VMware Carbon Black Cloud includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Aggregation Search Enriched Events
Starts a search on enriched events that groups results by the specified aggregation field.
Input
Input Parameter
Required/Optional
Description
Example
Aggregration Field
Required
The field to aggregate the search results by. The available aggregation fields are Device ID and Process SHA256.
Device ID
Last Hours
Required
The time frame (in hours) prior to the current time to filter the search results.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
JSON
[
{
"backend_timestamp": "2021-05-31T10:07:42.465Z",
"device_group_id": *****,
"device_id": "*****",
"device_name": "*****",
"device_policy_id": *****,
"device_timestamp": "2021-05-31T10:06:55.123Z",
"enriched": true,
"enriched_event_type": "SYSTEM_API_CALL",
"event_description": "The application \"<share><link hash=\"***************************************\">C:\\windows\\***\\***\\v*.*\\*.exe</link></share>\" attempted to list all processes, by calling the function \"NtQuerySystemInformation\". The operation was successful.",
"event_id": "*****",
"event_type": "crossproc",
"ingress_time": 1622455639299,
"legacy": true,
"num_devices": 1,
"num_events": 64,
"org_id": "*****",
"parent_guid": "***************************************",
"parent_pid": *****,
"process_guid": "***************************************",
"process_hash": [
"***************************************",
"***************************************"
],
"process_name": "c:\\windows\\***\\***\\v*.*\\*.exe",
"process_pid": [
*****
],
"process_username": [
"***\\***"
]
},
{
"backend_timestamp": "2021-05-31T22:51:32.186Z",
"device_group_id": 0,
"device_id": "*****",
"device_name": "***\\***",
"device_policy_id": *****,
"device_timestamp": "2021-05-31T14:57:05.172Z",
"enriched": true,
"enriched_event_type": "SYSTEM_API_CALL",
"event_description": "The application \"<share><link hash=\"***************************************\">C:\\windows\\***\\***\\v*.*\\*.exe</link></share>\" attempted to list all processes, by calling the function \"NtQuerySystemInformation\". The operation failed.",
"event_id": "***************************************",
"event_type": "crossproc",
"ingress_time": 1622501470429,
"legacy": true,
"num_devices": 1,
"num_events": 4,
"org_id": "*****",
"parent_guid": "***************************************",
"parent_pid": *****,
"process_guid": "***************************************",
"process_hash": [
"***************************************",
"***************************************"
],
"process_name": "c:\\windows\\***\\***\\v*.*\\*.exe",
"process_pid": [
*****
],
"process_username": [
"***\\***"
]
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Aggregation Search Enriched Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 401.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Access is denied.
Error Sample Data
Aggregation Search Enriched Events failed.
Status Code: 401.
Message: Access is denied.
Start Background Scan
Initiates a background scan on the given device IDs.
Reader Note
The parameter Device IDs is required to run this command.
Run the Search Devices command to obtain Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
This command is not supported on devices with the Linux OS.
Input
Input Parameter
Required/Optional
Description
Example
Device IDs
Required
The array of device IDs to initiate the background scan. Device IDs can be obtained using the Search Devices command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
DEVICE_ID BACKGROUND_SCAN
********* True
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Start Background Scan failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: NOT_FOUND:device_id(s) : [12345].
Error Sample Data
Start Background Scan failed.
Status Code: 404.
Message: NOT_FOUND:device_id(s) : [**********].
Block Hashes
Blocks SHA256 file hashes in VMware Carbon Cloud EDR.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Block hashes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: error_code.
Error Sample Data
Block hashes failed.
Status Code: 400.
Message: error_code.
Update Device Policy
Updates device policies in VMware Carbon Black Cloud EDR.
Reader Note
Device IDs and Policy ID are required parametersto run this command.
Run the Search Devices command to obtain Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
Run the Fetch Event or Fetch Related Event commands to obtain policy IDs. Currently, there is no command to fetch a complete list of policy IDs. Only the mentioned two commands can return the associated policy IDs. Policy IDs can be found in the returned raw data of both commands at the path $.results[*].device_policy_id.
Input
Input Parameter
Required/Optional
Description
Example
Device IDs
Required
The IDs of the devices to update policies. Device IDs can be obtained using the Search Devices command.
[************************]
Policy ID
Required
The ID of the policy to update the devices to.
*****
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
{
"device_id": *****,
"policy_id": *****
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
JSON
[
{
"device_id": *****,
"policy_id": *****
}
]
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
$body
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
DEVICE_ID POLICY_ID
***** *****
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Update Device Policy failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Forbidden.
Error Sample Data
Update Device Policy failed.
Status Code: 403.
Message: Forbidden.
Disable Bypass
Disables bypass on the specified devices.
Reader Note
The parameter Device IDs is required to run this command.
Run the Search Devices command to obtain Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Device IDs
Required
The IDs of the devices to disable bypass. Device IDs can be obtained using the Search Devices command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
DEVICE_ID ENABLE_BYPASS
***** False
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Disable Bypass failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: NOT_FOUND:device_id(s) : [*****].
Error Sample Data
Disable Bypass failed.
Status Code: 404.
Message: NOT_FOUND:device_id(s) : [*****].
Enable Bypass
Enable bypass on the specified devices.
Reader Note
The parameter Device IDs is required to run this command.
Run the Search Devices command to obtain Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Device IDs
Required
The IDs of the devices to enable bypass. Device IDs can be obtained using the Search Devices command.
[*****]
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
{
"device_id": *****,
"enable_bypass": true
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
JSON
[
{
"device_id": *****,
"enable_bypass": true
}
]
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
DEVICE_ID ENABLE_BYPASS
***** True
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Enable Bypass failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: NOT_FOUND:device_id(s) : [*****].
Error Sample Data
Enable Bypass failed.
Status Code: 404.
Message: NOT_FOUND:device_id(s) : [*****].
Fetch Event
Retrieves all events or alerts based on the specified search condition.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to search alerts or events in UTC time.
2021-05-18 00:00
End Time
Required
The end time of the time range to search alerts or events in UTC time.
2021-05-22 00:00
Number of Event(s) Fetched
Required
The maximum number of the most recent events or alerts to return.
2
Search Condition
Required
The condition expression to search for related events or alerts.
event_type:regmod
Is Alert
Optional
The option to include alerts in the response data. The default option is False.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Fetch Event Field Mapping
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click +Add Field to add a custom field mapping. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
The VMware Carbon Black Cloud integration in D3 SOAR has some pre-configured field mappings for the event and alert, which correspond to the Default Event Source and VMware Carbon Black Cloud Alerts mappings:
Default Event Source Configures the field mapping which are specific to the event-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. The default event source has a “Main Event JSON Path” (i.e., $.results) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.
Main Event JSON Path: $.results The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays. For example, the root node of a JSON Path is result. The child node denoting the Unique Event Key field would be event_id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.result.event_id.
Event Source for VMware Carbon Black Cloud Alerts
Configures the field mapping which are specific to the alert-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. As the data of the alert-related events have a character that the value of the is_alert field is True, the alert-related events can be defined by the Search String: {$.is_alert}=True. Click Edit Event Source to view the Search String.
The pre-configured field mappings are detailed below:
VMware Carbon Black Cloud Alerts (Search String: {$.is_alert}=True)
The search string format is {jsonpath}=value. If the value of the is_alert key is True in the event object under raw data, then the alert-related events will use the field mapping below.
Event category
.category
Unique Event Key
.legacy_alert_id
Event Type
.type
Hostname
.device_name
Description
.reason
Process GUID
.threat_cause_process_guid
Process Hash SHA256
.threat_indicators[*].sha256
Process Name
.process_name
Severity
.severity
Threat category
.threat_cause_threat_category
Threat event ID
.threat_id
Username
.device_username
UTCEventTime
.create_time
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Expecting value: line 1 column 1 (char 0).
Error Sample Data
Fetch Event failed.
Status Code: 403.
Message: Expecting value: line 1 column 1 (char 0).
Fetch Related Events
Retrieves related events based on the specified search condition.
Input
Input Parameter
Required/Optional
Description
Example
Last Hours
Required
The timeframe, in hours, before the current time to filter search results.
24
Top Recent Event Number
Required
The maximum number of the most recent events to return.
2
Search Condition
Required
The condition expression to search for related events.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Related Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The value for parameter (Top Recent Event Number) is invalid.
Error Sample Data
Fetch Related Events failed.
Status Code: 400.
Message: The value for parameter (Top Recent Event Number) is invalid.
Get Alert By ID
Retrieves alerts based on the given alert IDs.
Reader Note
The parameter Alert IDs is required to run this command.
Run the Search Alerts command to obtain Alert IDs. Alert IDs can be found in the returned raw data at the path $.results[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Alert IDs
Required
The IDs of the alerts to retrieve. Alert IDs can be obtained using the Search Alerts command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
{
"AlertIDs": "\"[\\\"***************************************\\\"]\"",
"Categories": "\"[\\\"THREAT\\\"]\"",
"DeviceNames": "\"[\\\"***\\\\\\\\***\\\"]\"",
"DeviceUsernames": "\"[\\\"***\\\\\\\\***\\\"]\"",
"Severities": "\"[1]\"",
"ProcessNames": "\"[\\\"***.exe\\\"]\"",
"Reasons": "\"[\\\"Process ***.exe was detected by the report \\\\\\\"Execution - Command-Line Interface (***.exe /c)\\\\\\\" in watchlist \\\\\\\"ATT&CK Framework\\\\\\\"\\\"]\""
}
Return Data
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Alert By ID failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Alert iD xxx BAD_REQUEST:Incorrect alert ID format. Must be in UUID format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. You must have a valid Support account to call this API.
Error Sample Data
Get Alert By ID failed.
Status Code: 400.
Message: Alert iD xxx BAD_REQUEST:Incorrect alert ID format. Must be in UUID format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. You must have a valid Support account to call this API.
Get Device Info
Retrieves device info based on the given device IDs.
Reader Note
The parameter Device IDs is required to run this command.
Run the Search Devices command to obtain Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Device IDs
Required
The ID of the devices to return device info. Device IDs can be obtained using the Search Devices command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Device Info failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: error_code.
Error Sample Data
Get Device Info failed.
Status Code: 400.
Message: error_code.
Get Event Associated With Process
Retrieves events associated with the given process GUID.
Reader Note
Process Guid is a required parameterto run this command.
Run the Get Processes command to obtain Process Guid. Process Guids can be found in the returned raw data at the path $.results[*].process_guid.
If an invalid process GUID is entered, the command will run successfully with no results.
Input
Input Parameter
Required/Optional
Description
Example
Process Guid
Required
The GUID of the process to retrieve associated events. Process Guid can be obtained using the Get Processes command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Event Associated With Process failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Access is denied.
Error Sample Data
Get Event Associated With Process failed.
Status Code: 403.
Message: Access is denied.
Get Processes
Retrieves processes from VMware Carbon Black Cloud EDR.
Input
Input Parameter
Required/Optional
Description
Example
Last Hours
Optional
The timeframe, in hours, before the current time to filter search results.
24
Query
Optional
The query string to filter returned processes. For more information about the query syntax, refer to VMware's documentation.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Get Processes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The value for parameter (Last Hours) is invalid.
Error Sample Data
Get Processes failed.
Status Code: 400.
Message: The value for parameter (Last Hours) is invalid.
Quarantine Host
Quarantines hosts associated with the given device IDs.
Reader Note
The parameter Hosts is required to run this command.
Run the Search Devices command to obtain Hosts. Hosts are Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Hosts
Required
The IDs of the devices to quarantine. Host IDs can be obtained using the Search Devices command.
[************************]
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
"",
""
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
HOSTID RESULT
3410694 Successful
3425787 Successful
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Quarantine Host failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: NOT_FOUND: org_id(s): 7DESJ9GN.
Error Sample Data
Quarantine Host failed.
Status Code: 404.
Message: NOT_FOUND: org_id(s): *****.
Search Alerts
Searches for alerts in VMware Carbon Black Cloud EDR.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Required
The start time of the time range to search alerts in UTC time.
2021-05-14 00:00
End Time
Required
The end time of the time range to search alerts in UTC time.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
JSON
No sample data
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Alerts failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: There is no alerts found.
Error Sample Data
Search Alerts failed.
Status Code: 404.
Message: There is no alerts found.
Search Devices
Searches for devices in VMware Carbon Black Cloud EDR.
Input
Input Parameter
Required/Optional
Description
Example
Last Hours
Optional
The timeframe, in hours, before the current time to filter search results.
30
Status
Optional
The status of the device to filter search results.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
D3 customizes the Context Data by extracting the data from path $.results in API returned JSON.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No sample data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Devices failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: The value for parameter (Limit) is invalid.
Error Sample Data
Search Devices failed.
Status Code: 400.
Message: The value for parameter (Limit) is invalid.
Stop Background Scan
Stops a background scan on the given device IDs.
Reader Note
The parameter Device IDs is a required parameter to run this command.
Run the Search Devices command to obtain Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
This command is not supported on devices with the Linux OS.
Input
Input Parameter
Required/Optional
Description
Example
Device IDs
Optional
The array of device IDs to stop the background scan. Device IDs can be obtained using the Search Devices command.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
DEVICE_ID BACKGROUND_SCAN
***** False
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Stop Background Scan failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: NOT_FOUND:device_id(s) : [*****].
Error Sample Data
Stop Background Scan failed.
Status Code: 404.
Message: NOT_FOUND:device_id(s) : [*****].
Unblock hashes
Unblocks SHA256 file hashes in VMware Carbon Black Cloud EDR.
Reader Note
Only previously blocked file hashes can be unblocked.
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Unblock hashes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: could not find the relate id.
Error Sample Data
Unblock hashes failed.
Status Code: 400.
Message: could not find the relate id.
Unquarantine Host
Unquarantines hosts in VMware Carbon Black Cloud EDR.
Reader Note
The parameter Host IDs is required to run this command.
Run the Search Devices command to obtain Hosts. Hosts are Device IDs. Device IDs can be found in the returned raw data at the path $.results[*].id.
Input
Input Parameter
Required/Optional
Description
Example
Host IDs
Required
The IDs of the devices to unquarantine. Host IDs can be obtained using the Search Devices command.
[************************]
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
[
{
"device_id": *****,
"quarantined": false
}
]
Context Data
The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.
It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.
SAMPLE DATA
JSON
[
{
"device_id": *****,
"quarantined": false
}
]
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
DEVICE_ID QUARANTINED
***** False
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Unquarantine Host failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the VMware Carbon Black Cloud portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: NOT_FOUND: org_id(s): *****.
Error Sample Data
Unquarantine Host failed.
Status Code: 404.
Message: NOT_FOUND: org_id(s): *****.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
