CB ThreatHunter: cbapi scripts generating 400 errors

Article ID: 288263

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

This error occurs in some Python scripts:

File "C:\Users\vnc876\AppData\Local\Programs\Python\Python38-32\lib\site-packages\cbapi\connection.py", line 192, in http_request
raise ServerError(error_code=r.status_code, message=r.text)
cbapi.errors.ServerError: Received error code 400 from API:

{"message":"Error parsing \"q\" from query string","translation_key":"threathunter_search_parsing_error","translation_format_values":["q"]}

Environment

  • CB ThreatHunter: All versions between May 5th and May 18th, 2020
  • CB cbapi: All versions

Cause

CBTH added more stringent validation around May 5th. cbapi was not using the API correctly, so the 400 errors started occurring at that time.

Resolution

A ThreatHunter change on May 18th made the API automatically add a process_guid query in the v1 events route, so the user no longer has to supply one.
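
For triaging script logs from that window, the following added example (not part of the original article or of cbapi) separates the query-parsing 400 shown above from other API errors. The function names and the sample log are constructed; the match relies only on the error text and translation_key quoted in this article.

```python
import json
import re

# Constructed sample log: the first entry reproduces the error text from this
# article; the other two are made up to show non-matching cases.
SAMPLE_LOG = r'''
cbapi.errors.ServerError: Received error code 400 from API:

{"message":"Error parsing \"q\" from query string","translation_key":"threathunter_search_parsing_error","translation_format_values":["q"]}
cbapi.errors.ServerError: Received error code 400 from API: {"message":"constructed other 400"}
cbapi.errors.ServerError: Received error code 500 from API: Internal Server Error
'''

PARSE_ERROR_KEY = "threathunter_search_parsing_error"  # translation_key quoted in the article
ERROR_LINE = re.compile(r"Received error code (\d+) from API:\s*(.*)")

def classify_api_error(error_code, body):
    """Describe one API error; flag the query-string parsing 400 from this article."""
    result = {"code": error_code, "query_parse_error": False,
              "params": [], "message": body.strip()}
    try:
        doc = json.loads(body)
    except ValueError:           # body is empty or not JSON: keep the raw text
        return result
    if not isinstance(doc, dict):
        return result
    result["message"] = doc.get("message", result["message"])
    if error_code == 400 and doc.get("translation_key") == PARSE_ERROR_KEY:
        result["query_parse_error"] = True
        # Assumption: these values name the parameters that failed to parse
        result["params"] = list(doc.get("translation_format_values") or [])
    return result

def scan_log(text):
    """Find ServerError messages in log text and classify each one."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        match = ERROR_LINE.search(line)
        if not match:
            continue
        body = match.group(2).strip()
        if not body:             # body printed on the next non-empty line
            body = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
        findings.append(classify_api_error(int(match.group(1)), body))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```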