Carbon Black Protection Automated Reporting

Scheduled reporting, when done as a manual process, can be a tedious and repetitive task. There is also the need to keep tight SLAs around certain reports and the dissemination of those reports to specific stakeholders. One of the customers at Swimlane needed the ability to automate scheduled reporting coming from Carbon Black Protection and email the reports to their CISO every 90 days. Swimlane was able to solve that problem using the Carbon Black Protection API and some really simple Python code.
https://developer.carbonblack.com/reference/enterprise-protection/8.0/rest-api/#query-condition

Carbon Black Protection is an application control solution that allows full control over the endpoints as well as continuous compliance. One of the features of this tool that the Swimlane customer wanted to take advantage of is the ability to tag approved software installed on configured servers or host machines. Carbon Black Protection can alert on installed software that does not meet the approved software publisher list.

Step 1: Configure the Approved Software List

In Carbon Black Protection, go to Rules -> Software Rules to view the current list of software running on the hosts configured in the tool.
You are able to select the software publishers you would like to approve or unapprove in your environment.

Step 2: Configure Swimlane to run the 90-day scheduled reports

Upload the Carbon Black - Approved Software 90 Day Report Task.
Configure the necessary inputs for the script, including the Carbon Black Protection host and API key, as well as the username and password of the Swimlane API user.

Set the day and month that you want to run the scheduled report. The screenshot below shows the lines of code that define the day of the week and the month that the script will run.


The first conditional statement checks to see if it is the first day of the month. The second conditional statement checks to see if it is 90 days from the last report. You can change the day or the months that the report runs by changing the values.

The next lines of code initialize the Carbon Black API connection and query the system for the Publishers with the ‘Approved State’. If you would like to query another set of filters, set them here.

Set the SMTP details. This will allow the script to email out the report to the defined recipients.

Configure the script's trigger to run automatically, scheduled every day at 12:00am. If the script is run on a day not defined in the script, nothing will happen. If it is a day you defined, the report will run, create the CSV, create a record, then email the report out to the recipients that you designated.

If everything is configured properly, you will see records created with the time the scheduled report was created, a copy of the CSV, a list of the approved software, as well as a notification that the email was sent.
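The schedule gate, the approved-publisher query and the CSV step described above, as an added example; it is not the Swimlane task's own code. The quarterly month set, the `/api/bit9platform/v1/publisher` path, the `X-Auth-Token` header, `publisherState` value 2 for Approved, the record field names and the host name are assumptions to check against the linked API reference, and the sample records are constructed.

```python
import csv
import io
from datetime import date
from urllib.parse import urlencode

# Assumption: quarterly months stand in for "every 90 days"; edit to change the schedule.
REPORT_MONTHS = {1, 4, 7, 10}
APPROVED = 2  # Assumption: publisherState 2 = Approved in the linked API reference.

def is_report_day(today, months=REPORT_MONTHS):
    """Gate for the daily trigger: act only on the 1st of a configured month."""
    return today.day == 1 and today.month in months

def build_publisher_request(host, api_token):
    """Return (url, headers) for the approved-publisher query; no network I/O here."""
    query = urlencode({"q": f"publisherState:{APPROVED}"}, safe=":")
    url = f"https://{host}/api/bit9platform/v1/publisher?{query}"
    return url, {"X-Auth-Token": api_token}

def safe_cell(value):
    """Neutralise leading formula characters; the CSV is opened in spreadsheet apps."""
    text = str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def publishers_to_csv(publishers):
    """Render publisher records (dicts with id, name, publisherState) as CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["id", "name", "publisherState"])
    for pub in publishers:
        writer.writerow([pub["id"], safe_cell(pub["name"]), pub["publisherState"]])
    return buf.getvalue()

def run_if_due(today, fetch):
    """Return CSV text on a report day, else None. `fetch` returns the publisher list."""
    return publishers_to_csv(fetch()) if is_report_day(today) else None

# Constructed sample records, shaped like the fields assumed above.
SAMPLE = [
    {"id": 1, "name": "Example Software, Inc.", "publisherState": 2},
    {"id": 2, "name": "=Constructed Publisher", "publisherState": 2},
]

if __name__ == "__main__":
    print(build_publisher_request("cbp.example.internal", "<api-token>")[0])
    print(run_if_due(date(2024, 4, 1), lambda: SAMPLE))
```

In the real task, `fetch` would perform the HTTPS GET with the returned URL and headers, with the API key supplied through the task's configured inputs rather than written into the script.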
