Carbon Black Cloud: Unexpected Results for Device Search API due to Asset Registry Changes in November 2023
Article ID: 287144
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Scenario 1:
- The "id" field in criteria will no longer identify numbers. It has to be enclosed in square brackets as an array format as per the device API, search devices specifications.
- Case of failure: "id":1111111
- Case of success: "id":[1111111]
- v6 Device _search API mandates the values to be enclosed in square brackets for all fields which are part of the "criteria".
- Scenario 2:
- User can no longer use "null" for "last_contact_time" field in criteria.
- Case of failure: "last_contact_time": {"start": null, "end": null}
- Case of success: "last_contact_time": {"start": 2023-10-01T00:00:00.000Z, "end": 2023-11-22T00:00:00.000Z}
Environment
Carbon Black Cloud: All Supported Versions
Cause
Assest registry change in November 2023
Resolution
This is working as expected
Additional Information
- The specifications did not change, the specifications are still the same as documented in Device API.
- The implementation of the specification changed. Previously we had legacy CBD (_search) and in November 2023 the implementation was changed to Asset Registry.
Feedback
Yes
No
Powered by
