DeviceQueries - ace-ecosystem/cbinterface2 GitHub Wiki

Devices (PSC only)

An interface to query PSC devices. Notice there is functionality to quarantine resulting devices. To prevent analysts from accidentally quarantining hundreds or thousands of devices at once, mass quarantine is limited to ten devices. Let me know if you want this changed into a warning or made configurable.

The search implementation is well done by Carbon Black, much better than with their Response product. If you do not know what field to use, you can probably do a wide open search and find what you're looking for. For example, you can search for a user's email address.

$ cbinterface device -h
usage: cbinterface device [-h] [-nw] [-ad] [-q] [-uq] device_query

positional arguments:
  device_query          the device query you'd like to execute. 'FIELDS' for
                        help.

optional arguments:
  -h, --help            show this help message and exit
  -nw, --no-warnings    Don't warn before printing large query results
  -ad, --all-details    Print all available process info (all fields).
  -q, --quarantine      Quarantine the devices returned by the query.
  -uq, --un_quarantine  UN-Quarantine the devices returned by the query.

Example

Query for a specific device name:

$ cbinterface device name:yhp2bg
2021-03-12 15:08:45 analysis cbinterface.psc.cli[9766] INFO searching psc:default environment for device query: name:yhp2bg...
2021-03-12 15:08:45 analysis cbinterface.psc.device[9766] INFO got 1 device results.

------------------------- PSC DEVICE RESULTS -------------------------

-------------------------------------------------------------------------------
	AD Group ID: 27098
	Current Policy Name: Default General Policy
	Deployment Type: ENDPOINT
	Device ID: 37100999
	Device Name: YHP2BG
	Device MAC address: 080027aca351
	Device OS: WINDOWS
	Device OS Version: Windows 10 x64
	Device Owner ID: 5599374
	Device Owner Email: NeoLite6
	Device Owner Name: None, None
	Device Quarantined: False
	Device Registration Time: 2021-02-17 14:41:50.580000-0500
	Last Checkin Time: 2021-03-12 09:41:00.693000-0500
	 ↳ Elapsed Time: 5:27:48.312221 - likely offline 💤
	Last Reported Event Time: 2021-03-12 09:37:18.099000-0500
	Last External IP: 174.87.68.13
	Last Internal IP: 10.0.2.15
	Last Location: OFFSITE
	Last Logged In User: YHP2BG\NeoLite6
	Sensor status: REGISTERED
	Sensor Version: 3.6.0.1979


Wide-open query (no field specified) for devices associated with this IP address:

$ cbinterface device 174.87.68.13
2021-03-12 15:09:46 analysis cbinterface.psc.cli[9950] INFO searching psc:default environment for device query: 174.87.68.13...
2021-03-12 15:09:46 analysis cbinterface.psc.device[9950] INFO No field specification passed. Use 'FIELDS' for help.
2021-03-12 15:09:50 analysis cbinterface.psc.device[9950] INFO got 3 device results.

------------------------- PSC DEVICE RESULTS -------------------------

-------------------------------------------------------------------------------
	AD Group ID: 27098
	Current Policy Name: Default General Policy
	Deployment Type: ENDPOINT
	Device ID: 37100999
	Device Name: YHP2BG
	Device MAC address: 080027aca351
	Device OS: WINDOWS
	Device OS Version: Windows 10 x64
	Device Owner ID: 5599374
	Device Owner Email: NeoLite6
	Device Owner Name: None, None
	Device Quarantined: False
	Device Registration Time: 2021-02-17 14:41:50.580000-0500
	Last Checkin Time: 2021-03-12 09:41:00.693000-0500
	 ↳ Elapsed Time: 5:28:49.527549 - likely offline 💤
	Last Reported Event Time: 2021-03-12 09:37:18.099000-0500
	Last External IP: 174.87.68.13
	Last Internal IP: 10.0.2.15
	Last Location: OFFSITE
	Last Logged In User: YHP2BG\NeoLite6
	Sensor status: REGISTERED
	Sensor Version: 3.6.0.1979

<omitted more results>
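As an added example (not code from cbinterface itself), the script below parses the "PSC DEVICE RESULTS" text layout shown above into one record per device, recomputes the "Elapsed Time" sub-line from "Last Checkin Time", and applies the ten-device mass-quarantine guard described at the top of this page. The sample output is constructed and abbreviated, the second device is invented, and the parser assumes every device block is preceded by a dashed separator line as in the output above.

```python
import re
from datetime import datetime

# Constructed sample in the "PSC DEVICE RESULTS" text layout shown on this page
# (abbreviated; the second device block is invented).
SAMPLE_OUTPUT = """\
------------------------- PSC DEVICE RESULTS -------------------------

-------------------------------------------------------------------------------
\tDevice ID: 37100999
\tDevice Name: YHP2BG
\tDevice Quarantined: False
\tLast Checkin Time: 2021-03-12 09:41:00.693000-0500
\t \u21b3 Elapsed Time: 5:27:48.312221 - likely offline \U0001f4a4
\tLast External IP: 174.87.68.13
-------------------------------------------------------------------------------
\tDevice ID: 37101000
\tDevice Name: LAB-VM-02
\tDevice Quarantined: True
\tLast Checkin Time: 2021-03-12 15:05:00.000000-0500
\tLast External IP: 174.87.68.13
"""

MASS_QUARANTINE_LIMIT = 10  # the cap this page describes for -q / -uq
DT_FMT = "%Y-%m-%d %H:%M:%S.%f%z"  # timestamp format used in the output
# A field line is a tab, a key that does not start with whitespace, ": ", a value.
# The indented "\u21b3 Elapsed Time" sub-line starts with a space and is skipped.
FIELD_RE = re.compile(r"^\t(\S[^:]*): (.*)$")


def parse_device_results(text):
    """Split cbinterface device output into one dict per device block."""
    devices, current = [], None
    for line in text.splitlines():
        if line.startswith("----") and "RESULTS" not in line:
            current = {}          # dashed separator: a new device block begins
            devices.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return devices


def checkin_elapsed(device, now):
    """Recompute the Elapsed Time sub-line: `now` (same format) minus Last Checkin Time."""
    last = datetime.strptime(device["Last Checkin Time"], DT_FMT)
    return datetime.strptime(now, DT_FMT) - last


def select_for_quarantine(devices, limit=MASS_QUARANTINE_LIMIT):
    """Mass-quarantine guard: refuse to act on more than `limit` query results."""
    if len(devices) > limit:
        raise ValueError(f"query returned {len(devices)} devices; limit is {limit}")
    return [d["Device ID"] for d in devices]
```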

Fields?

I didn't find device search field documentation. Please point me to it if you know where it is. It appears the device search fields map to the PSC Device model, although this is not perfect. Some fields do not work. For convenience, you can get a list of these fields like this:

$ cbinterface device FIELDS
2021-03-12 15:11:09 analysis cbinterface.psc.cli[10229] INFO searching psc:default environment for device query: FIELDS...
Device model fields:
	osVersion
	activationCode
	organizationId
	deviceId
	deviceSessionId
	deviceOwnerId
	deviceGuid
	email
	assignedToId
	assignedToName
	deviceType
	firstName
	lastName
	middleName
	createTime
	policyId
	policyName
	quarantined
	targetPriorityType
	lastVirusActivityTime
	firstVirusActivityTime
	activationCodeExpiryTime
	organizationName
	sensorVersion
	registeredTime
	lastContact
	lastReportedTime
	windowsPlatform
	vdiBaseDevice
	avStatus
	deregisteredTime
	sensorStates
	messages
	rootedBySensor
	rootedBySensorTime
	lastInternalIpAddress
	lastExternalIpAddress
	lastLocation
	avUpdateServers
	passiveMode
	lastResetTime
	lastShutdownTime
	scanStatus
	scanLastActionTime
	scanLastCompleteTime
	linuxKernelVersion
	avEngine
	avLastScanTime
	rootedByAnalytics
	rootedByAnalyticsTime
	testId
	avMaster
	uninstalledTime
	name
	status