Glossary - carbonblack/cbc-binary-toolkit GitHub Wiki
Add Report Item
Function of the persistor. Adds a report item (an IOC record) for a given analysis engine to the report_item table of the persistor.
Analysis Engine
The code that accepts a binary download URL as input, performs some analysis on the binary, and outputs an EngineResponse, conforming to the EngineResponseSchema.
AssertionError
Error raised when an assertion statement evaluates to False
BasePersistor
Abstract base class, that should be inherited by persistor objects. Contains the methods needed for the toolkit to function.
BasePersistorFactory
Abstract base class that should be inherited by persistor factory objects. Contains a method to create a new persistor object.
Binary
A file submitted for analysis. Within the toolkit a binary is identified by its SHA-256 hash.
Binary Hash
SHA-256 hash of a binary's contents, used as its unique identifier throughout the toolkit.
BinaryMetadataSchema
Schema defining the response expected from the /metadata route of the Unified Binary Store API. Defined in src/cbc_binary_toolkit/schemas.py.
Carbon Black Cloud
Cloud-native endpoint protection platform (EPP) that provides what you need to secure your endpoints using a single, lightweight agent and an easy-to-use console. Formerly called the Predictive Security Cloud.
Carbon Black Cloud Python SDK (CBC SDK)
Python library for Carbon Black Cloud.
CBAPI
The original Python SDK for Carbon Black Cloud. Now deprecated for Carbon Black Cloud and replaced by CBC SDK. CBAPI is supported for EDR (previously CB Response) and App Control (previously CB Protection).
Checkpoint
Record of how far a given hash has progressed through the binary analysis workflow, stored in the persistor.
Config
File containing configuration values for the toolkit.
ConfigError
Error raised when invalid values are found in the configuration file.
Clear Report Items
Function of the persistor. Removes all report items (IOC records) for a specified analysis engine from the persistor.
Deduplication Component
Removes hashes from the command line input that have already been processed, as determined by the contents of the persistor.
Default Expiration
The number of seconds for which binary download links retrieved from the Unified Binary Store remain valid. Defined in src/cbc_binary_toolkit/ingestion_component.py.
Engine
Synonym for Analysis Engine
Engine Response
JSON formatted output from an analysis engine. An engine response must conform to the EngineResponseSchema.
EngineResponseSchema
Schema defining the output from an analysis engine. Defined in src/cbc_binary_toolkit/schemas.py.
Engine Name
Configuration value for the name of an analysis engine. An engine name can be arbitrary, but must be used consistently throughout the toolkit.
Enterprise Endpoint Detection and Response (EDR)
A threat hunting and incident response solution delivering unfiltered visibility for top security operations centers (SOCs) and incident response (IR) teams. Part of the Carbon Black Cloud. Formerly called ThreatHunter.
Feed
A collection of Indicators of Compromise (IOCs). Feeds can be created and modified with the Feed API.
Get Current Report Items
Function of the persistor. Returns all report items (IOC records) for a specified analysis engine from the persistor.
Get Previous Hashes
Function of the persistor. Returns a sorted list of all previously completed hashes for a specified analysis engine from the persistor.
Get Unfinished Hashes
Function of the persistor. Returns a sorted list of all hashes that have not been completed.
Ingestion Component
Contains methods for fetching binary metadata from the Unified Binary Store. Defined in src/cbc_binary_toolkit/ingestion_component.py.
Input
The hashes to be analyzed provided to the toolkit via the command line. The hashes can be in a CSV file or a JSON string.
IOC
Indicator of Compromise. Also referred to as IOCv2.
IOCv2
Indicator of Compromise, version 2 format. Defined in the Developer Network Feed API documentation.
IOCv2Schema
Schema defining an Indicator of Compromise. Defined in src/cbc_binary_toolkit/schemas.py.
IOCv2SEVSchema
Schema defining the expected format of IOCs returned from an analysis engine. Similar to IOCv2Schema, with the addition of the "severity" property, which is used when storing IOCs in the persistor before adding them to a Feed. Defined in src/cbc_binary_toolkit/schemas.py.
InitializationError
Error raised when a component is created without valid parameters.
Local Engine Factory
Abstract base class that should be inherited by engine factory objects. Contains a method to create a new engine object.
Local Engine Manager
High level manager for analysis engines. Initializes and manages the threaded analysis engines.
Metadata
Information about a binary, including a download URL, hash, size, and other attributes.
Persistence Manager
The code that manages the persistor.
Persistor
The code that is called to store and retrieve data from the database or other data storage environment.
Prune
Function of the persistor. Removes all entries older than a specified ISO 8601 timestamp from the persistor.
Report
JSON formatted object that is stored in a Feed. Defined in the Developer Network Feed API documentation.
ReportSchema
Schema defining a Report. Defined in src/cbc_binary_toolkit/schemas.py.
Severity
An integer score from 1 to 10, inclusive. Represents the severity of an IOC.
State Manager
Synonym for persistence manager.
SQLiteBasedPersistor
The default persistor included with the toolkit.
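The persistor entries above (Add Report Item, Clear Report Items, Get Current Report Items, Get Previous Hashes, Get Unfinished Hashes, Prune, Checkpoint, Deduplication Component, Severity) describe one storage contract. The following is an added illustration of that contract on SQLite; it is not the toolkit's own SQLiteBasedPersistor or BasePersistor. Method names follow the glossary, but the signatures, the "DONE" checkpoint name, the table layout, the hash normalisation and the sample data are assumptions made for the example.

```python
"""Illustrative persistor modelled on the glossary entries (added example,
not cbc-binary-toolkit code; signatures and table layout are assumptions)."""
import json
import re
import sqlite3
from datetime import datetime, timezone

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")  # assumption: hashes are lowercase hex


def normalize_timestamp(ts):
    """Parse an ISO 8601 value and re-serialise it as UTC with second
    precision, so stored timestamps compare correctly as plain strings.
    Naive timestamps are assumed to be UTC (an assumption of this example)."""
    dt = ts if isinstance(ts, datetime) else datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds")


class SQLitePersistor:
    DONE = "DONE"  # assumed name of the final checkpoint in the workflow

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.executescript("""
            CREATE TABLE IF NOT EXISTS checkpoint (
                binary_hash TEXT NOT NULL, engine_name TEXT NOT NULL,
                checkpoint_name TEXT NOT NULL, checkpoint_time TEXT NOT NULL,
                PRIMARY KEY (binary_hash, engine_name));
            CREATE TABLE IF NOT EXISTS report_item (
                engine_name TEXT NOT NULL,
                severity INTEGER NOT NULL CHECK (severity BETWEEN 1 AND 10),
                ioc_json TEXT NOT NULL, created TEXT NOT NULL);
        """)

    def set_checkpoint(self, binary_hash, engine_name, name, when=None):
        """Record where a hash is in the workflow; rejects malformed hashes."""
        if not SHA256_RE.match(binary_hash):
            raise ValueError("binary hash must be 64 lowercase hex characters")
        ts = normalize_timestamp(when or datetime.now(timezone.utc))
        self.conn.execute("INSERT OR REPLACE INTO checkpoint VALUES (?,?,?,?)",
                          (binary_hash, engine_name, name, ts))
        self.conn.commit()

    def get_previous_hashes(self, engine_name):
        """Get Previous Hashes: sorted hashes this engine has completed."""
        rows = self.conn.execute(
            "SELECT binary_hash FROM checkpoint WHERE engine_name=? AND "
            "checkpoint_name=? ORDER BY binary_hash", (engine_name, self.DONE))
        return [r[0] for r in rows]

    def get_unfinished_hashes(self, engine_name):
        """Get Unfinished Hashes: sorted hashes that have not reached DONE."""
        rows = self.conn.execute(
            "SELECT binary_hash FROM checkpoint WHERE engine_name=? AND "
            "checkpoint_name<>? ORDER BY binary_hash", (engine_name, self.DONE))
        return [r[0] for r in rows]

    def add_report_item(self, severity, engine_name, ioc):
        """Add Report Item: store an IOC with its severity (1..10 inclusive)."""
        if isinstance(severity, bool) or not isinstance(severity, int) \
                or not 1 <= severity <= 10:
            raise ValueError("severity must be an integer from 1 to 10 inclusive")
        self.conn.execute("INSERT INTO report_item VALUES (?,?,?,?)",
                          (engine_name, severity, json.dumps(ioc, sort_keys=True),
                           normalize_timestamp(datetime.now(timezone.utc))))
        self.conn.commit()

    def get_current_report_items(self, engine_name):
        """Get Current Report Items: IOCs for the engine, severity merged in."""
        rows = self.conn.execute(
            "SELECT severity, ioc_json FROM report_item WHERE engine_name=? "
            "ORDER BY severity DESC, ioc_json", (engine_name,))
        return [dict(json.loads(j), severity=s) for s, j in rows]

    def clear_report_items(self, engine_name):
        """Clear Report Items: drop every stored IOC for the engine."""
        self.conn.execute("DELETE FROM report_item WHERE engine_name=?", (engine_name,))
        self.conn.commit()

    def prune(self, timestamp):
        """Prune: remove checkpoints and report items older than an ISO 8601 time."""
        cutoff = normalize_timestamp(timestamp)
        self.conn.execute("DELETE FROM checkpoint WHERE checkpoint_time < ?", (cutoff,))
        self.conn.execute("DELETE FROM report_item WHERE created < ?", (cutoff,))
        self.conn.commit()


def deduplicate(persistor, engine_name, hashes):
    """Deduplication Component: drop input hashes already completed for this
    engine, and repeats within the input itself, preserving input order."""
    seen = set(persistor.get_previous_hashes(engine_name))
    kept = []
    for h in hashes:
        h = h.strip().lower()
        if h not in seen:
            seen.add(h)
            kept.append(h)
    return kept
```

Storing timestamps in one normalised form is what makes the string comparison in prune safe; mixing offsets or precisions would silently skip rows. The severity check is enforced both in Python and by the table's CHECK constraint so a malformed IOCv2SEVSchema record cannot reach the persistor by either path.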
ThreatHunter
The previous name for Enterprise Endpoint Detection and Response.
Threat Intelligence
Information about a security threat. Most commonly in the form of an IOC.
Unified Binary Store (UBS)
Centralized service that is part of the Carbon Black Cloud, used for storage of binaries and their metadata. The toolkit retrieves binary metadata and time-limited download URLs from it.
YARA
A pattern-matching tool that identifies and classifies malware using rules written over strings and byte sequences found in files.