For Agents
Search, triage, and annotate Carbon Black Cloud security alerts and threats — query alerts, export CSVs, run facets and histograms, add notes, and tag threats.
Get started with Carbon Black Cloud Alerts API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"search carbon black security alerts"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with Carbon Black Cloud Alerts API API.
Search alerts by query and criteria with grouping by threat_id when needed
Retrieve a specific alert by ID with full detection context
Export filtered alerts as CSV through an asynchronous job
Calculate alert facets and histograms for trend and category analytics
GET STARTED
Use for: I need to triage today's high-severity Carbon Black alerts, Search alerts grouped by threat for the last 24 hours, Export all alerts matching a saved query as CSV, Get the action history for threat ID THR-42
Not supported: Does not handle endpoint policy management, sensor enrollment, or live response — use for alert search, triage, notes, and threat tagging only.
Carbon Black Cloud Alerts API is the security alert management surface of VMware's Carbon Black Cloud endpoint protection platform. It exposes 21 endpoints for searching, exporting, faceting, and triaging alerts, plus dedicated resources for grouped-alert workflows, threat investigation history, notes, and tags. Agents can drive incident-response playbooks — pulling individual alerts, running facet and histogram analytics for trending, attaching investigative notes, and tagging threats — all under per-org API token auth scoped by org_key.
Attach, list, and delete investigative notes on individual alerts and threats
Tag and untag threats to drive triage workflows and ownership
Validate alert search query syntax before running expensive searches
Patterns agents use Carbon Black Cloud Alerts API API for, with concrete tasks.
★ SOC Alert Triage Automation
Drive a SOC analyst's morning triage by querying Carbon Black Cloud for new high-severity alerts, grouping them by threat, and surfacing the top items needing review. POST /alerts/_search supports criteria operators, POST /grouped_alerts/_search collapses related alerts into single threats, and POST /alerts/_facet produces severity and reason breakdowns. Agents can attach notes via POST /alerts/{alertId}/notes to record triage decisions inline.
Search grouped alerts for severity >= 7 in the last 24 hours, return the top five threat_ids, and attach a 'queued for triage' note to each.
Threat Investigation Timeline
Reconstruct an investigation timeline for a given threat. GET /threats/{threatId}/history returns the action history, GET /threats/{threatId}/notes returns existing investigator notes, and POST /threats/{threatId}/tags/{tag} lets the agent attach state tags such as 'investigating' or 'remediated'. This gives analysts and runbooks a full audit trail per threat without leaving the Carbon Black ecosystem.
For threat THR-1234, fetch its history and notes, then add the tag 'investigating' before returning a chronological summary.
Bulk Alert Reporting and Metrics
Power weekly security reports with histogram and facet analytics. POST /alerts/_histogram returns alert volume over a time range, and POST /alerts/_facet returns counts grouped by fields like severity, reason, or device_id. Use POST /alerts/_export to push filtered alerts to CSV for compliance archives. The validate endpoint lets an agent confirm a complex query is syntactically correct before running it across the org.
Validate a search query, then call /alerts/_histogram to plot daily alert counts for the last 7 days and export the matching alerts to CSV.
AI Agent Incident Response via Jentic
Plug Carbon Black into an autonomous incident-response agent through Jentic. The agent searches Jentic for the relevant alert or threat operation, loads its schema, and executes with the org's X-AUTH-TOKEN injected from Jentic's vault, keeping the SOC's keys out of the agent's memory while still letting it query, annotate, and tag at the speed of an LLM.
Through Jentic, search for unresolved high-severity alerts on a specific device_id and add a triage note explaining the agent's classification.
21 endpoints — carbon black cloud alerts api is the security alert management surface of vmware's carbon black cloud endpoint protection platform.
METHOD
PATH
DESCRIPTION
/alerts/_search
Search alerts with criteria operators
/alerts/{alertId}
Retrieve a specific alert by ID
/alerts/_export
Export alerts as CSV asynchronously
/alerts/_facet
Calculate alert facets
/alerts/_histogram
Get alert statistics over time
/grouped_alerts/_search
Search alerts grouped by threat_id
/alerts/{alertId}/notes
Create a note on an alert
/threats/{threatId}/tags/{tag}
Add a tag to a threat
/alerts/_search
Search alerts with criteria operators
/alerts/{alertId}
Retrieve a specific alert by ID
/alerts/_export
Export alerts as CSV asynchronously
/alerts/_facet
Calculate alert facets
/alerts/_histogram
Get alert statistics over time
Three things that make agents converge on Jentic-routed access.
Credential isolation
Carbon Black X-AUTH-TOKEN values are stored encrypted in Jentic's vault, scoped per org_key. Agents receive scoped execution rights only — the token is injected into the X-AUTH-TOKEN header at request time and never enters the agent's prompt or chat logs.
Intent-based discovery
Agents search Jentic by intent (e.g., 'search carbon black alerts' or 'add a note to a threat') and Jentic returns the matching Carbon Black operation with its input schema, so the agent picks the right endpoint without parsing migration docs.
Time to first call
Direct Carbon Black integration: 1-2 days to wire the org-scoped base URL, search criteria operators, async export polling, and notes/tags flows across 21 endpoints. Through Jentic: under 1 hour — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
Carbon REST API
Unrelated 3D printing manufacturing API; included as a disambiguator only.
Do not select for security workflows — Carbon REST is a manufacturing API.
CarbonAPI
Unrelated emissions accounting API; included as a disambiguator only.
Do not select for endpoint security — CarbonAPI is for greenhouse-gas accounting.
CarAPI.dev
Vehicle data API for VIN decoding and history checks.
Choose CarAPI.dev for automotive data — it has no overlap with Carbon Black's security domain.
Specific to using Carbon Black Cloud Alerts API API through Jentic.
What authentication does the Carbon Black Cloud Alerts API use?
The API uses an API key passed in the `X-AUTH-TOKEN` header on every request. The base URL is scoped per organisation via the `{org_key}` path variable, so each token is bound to a specific Carbon Black Cloud org. Through Jentic the token is held encrypted in the credential vault and injected at execution time, so analysts and agents never see the raw token.
Can I search alerts grouped by threat with this API?
Yes. POST /grouped_alerts/_search collapses related alerts into a single record per threat_id and accepts the same criteria operators as POST /alerts/_search. Companion endpoints POST /grouped_alerts/_facet and POST /grouped_alerts/_histogram provide faceted counts and time-series statistics on the grouped view.
How do I export Carbon Black alerts to CSV?
Submit POST /alerts/_export with a search payload to start an asynchronous export job. Carbon Black processes the export in the background; the response returns a job identifier you can use to retrieve the CSV when the job completes.
What are the rate limits for the Carbon Black Cloud Alerts API?
The OpenAPI specification does not declare explicit numeric rate limits. Carbon Black Cloud applies per-API-key throttling at its gateway; if you receive 429 responses, back off and reduce concurrency on /alerts/_search and the histogram/facet endpoints. Refer to your Carbon Black Cloud console for the limits attached to your key.
How do I triage Carbon Black alerts with an AI agent through Jentic?
Run `pip install jentic`, then use Jentic to search for the alert search operation with the query "search carbon black alerts", load the schema, and execute with your criteria object. Jentic calls POST /alerts/_search with your X-AUTH-TOKEN, returning structured alerts the agent can annotate by chaining POST /alerts/{alertId}/notes.
Can I add notes and tags to threats programmatically?
Yes. POST /threats/{threatId}/notes adds an investigator note to a threat and DELETE /threats/{threatId}/notes/{noteId} removes one. POST /threats/{threatId}/tags/{tag} attaches a state tag (for example, 'investigating') and DELETE /threats/{threatId}/tags/{tag} removes it. The same notes pattern applies to alerts via /alerts/{alertId}/notes.
How do I check whether my alert search query is valid before running it?
POST /alerts/_validate accepts a search payload and returns whether the query syntax is valid without executing it. Combine with GET /alerts/search_suggestions to discover available field names and complete partial queries before submission.
/grouped_alerts/_search
Search alerts grouped by threat_id
/alerts/{alertId}/notes
Create a note on an alert
/threats/{threatId}/tags/{tag}
Add a tag to a threat