# Response Only Functionality
Sean McFeely edited this page Apr 5, 2021
Query for Carbon Black Response sensors with the `sensor-query` subcommand (short alias `sq`):

```
$ cbinterface sq -h
usage: cbinterface sensor-query [-h] [-nw] [-ad] sensor_query

positional arguments:
  sensor_query        the sensor query you'd like to execute

optional arguments:
  -h, --help          show this help message and exit
  -nw, --no-warnings  Don't warn before printing large query results
  -ad, --all-details  Print all available process info (all fields).
```
Example: look up a sensor by hostname.

```
$ cbinterface sensor-query hostname:computer012550
2021-02-10 04:12:43 analysis cbinterface.cli[9812] INFO searching acmecomp environment for sensor query: hostname:computer012550...
2021-02-10 04:12:43 analysis cbinterface.sensor[9812] INFO got 1 sensor results.
------------------------- SENSOR RESULTS -------------------------
Sensor object - https://carbonblack.acmecomp/#/host/30182
-------------------------------------------------------------------------------
cb_build_version_string: 006.001.009.81012
computer_sid: S-1-5-21-3617190964-3928019601-2880162275
computer_dns_name: computer012550.zone.acmecomp
computer_name: computer012550
os_environment_display_string: Windows 10 Enterprise, 64-bit
physical_memory_size: 8317603840
systemvolume_free_size: 178565648384
systemvolume_total_size: 254356221952
status: Online
is_isolating: False
sensor_id: 30182
last_checkin_time: 2021-02-10 04:11:39.846926-05:00
next_checkin_time: 2021-02-10 04:12:40.846005-05:00
sensor_health_message: Very high event loss
sensor_health_status: 80
network_interfaces:
    NetworkAdapter(macaddr='4c:1d:96:78:fc:21', ipaddr='172.19.8.185')
```
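The sensor record above carries fields an analyst should check before relying on the host's telemetry (`sensor_health_status`, `sensor_health_message`, `last_checkin_time`, `is_isolating`). The following added example, which is not part of cbinterface, parses the text block that `sensor-query` prints into one dict per sensor and flags entries with a low health score, a stale check-in, or active isolation; the sample input is constructed from this page's output, and the second sensor (30190) plus the thresholds are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on this page's sensor-query output; sensor 30190 is invented.
SAMPLE_OUTPUT = """\
------------------------- SENSOR RESULTS -------------------------
Sensor object - https://carbonblack.acmecomp/#/host/30182
computer_name: computer012550
is_isolating: False
sensor_id: 30182
last_checkin_time: 2021-02-10 04:11:39.846926-05:00
sensor_health_message: Very high event loss
sensor_health_status: 80
network_interfaces:
NetworkAdapter(macaddr='4c:1d:96:78:fc:21', ipaddr='172.19.8.185')
Sensor object - https://carbonblack.acmecomp/#/host/30190
is_isolating: True
sensor_id: 30190
last_checkin_time: 2021-02-01 09:00:00.000000-05:00
"""
FIELD = re.compile(r"^(\w+):\s?(.*)$")

def parse_sensor_results(text):
    """One dict per 'Sensor object' entry; adapter lines collect under 'adapters'."""
    sensors, cur, key = [], {}, None  # 'cur' starts as a throwaway for banner lines
    for line in text.splitlines():
        if line.startswith("Sensor object - "):
            cur, key = {"url": line.split(" - ", 1)[1]}, None
            sensors.append(cur)
        elif (m := FIELD.match(line)):
            key, cur[key] = m.groups()  # key is bound first, then used as the index
        elif key == "network_interfaces":  # adapter lines follow the empty header
            cur.setdefault("adapters", []).append(line.strip())
    return sensors

def triage(sensors, now, min_health=90, max_age=timedelta(hours=1)):
    """(sensor_id, reason) pairs an analyst should review before trusting the data."""
    findings = []
    for s in sensors:
        sid, health = s.get("sensor_id", "?"), int(s.get("sensor_health_status", 100))
        if health < min_health:  # e.g. "Very high event loss": telemetry may be incomplete
            findings.append((sid, f"health {health}: {s.get('sensor_health_message', '')}"))
        age = now - datetime.fromisoformat(s["last_checkin_time"])
        if age > max_age:
            findings.append((sid, f"last checkin {age} ago"))
        if s.get("is_isolating") == "True":
            findings.append((sid, "host is network-isolated"))
    return findings

REFERENCE_NOW = datetime.fromisoformat("2021-02-10 04:12:43-05:00")  # time of the page's run
```

In practice the text comes from piping `cbinterface sensor-query ... -nw` into the script and `now` is the current time; the fixed `REFERENCE_NOW` only keeps the sample reproducible.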
Use the `response_watchlist` subcommand to query, list, and export Carbon Black Response watchlists:

```
$ cbinterface response_watchlist -h
usage: cbinterface response_watchlist [-h] [-l] [-q QUERY_WATCHLISTS] [-json]
                                      [--watchlist-names-from-stdin]

optional arguments:
  -h, --help            show this help message and exit
  -l, --list-watchlists
                        Print all watchlists.
  -q QUERY_WATCHLISTS, --query-watchlists QUERY_WATCHLISTS
                        filter watchlists by watchlist query
  -json, --watchlists-to-json
                        Convert watchlists to json and print to stdout.
  --watchlist-names-from-stdin
                        read a list of watchlist names from stdin to load.
```