Intel & Detection - ace-ecosystem/cbinterface2 GitHub Wiki

Intel & Detection

For PSC, you can interface with several intel-based APIs. Take note of the --json argument here, which applies to all of the sub-commands below and can be used to export Watchlist, Feed, and Alert data as JSON:

$ cbinterface intel -h
usage: cbinterface intel [-h] [--json] {watchlists,feeds,alerts,migrate} ...

positional arguments:
  {watchlists,feeds,alerts,migrate}
    watchlists          Interface with PSC Watchlists.
    feeds               Interface with PSC Feeds.
    alerts              Interface with PSC Alerts.
    migrate             Utilities for migrating response watchlists to PSC EDR
                        intel.

optional arguments:
  -h, --help            show this help message and exit
  --json                Return results as JSON.

Watchlists

You can list all watchlists, get a specific watchlist, search watchlists by name, get a specific watchlist report, delete a watchlist report, and update a watchlist report's query IOC. Watchlist and report data can be exported as JSON.

usage: cbinterface intel watchlists [-h] [-lw] [-w GET_WATCHLIST]
                                    [-wr GET_WATCHLIST_REPORT]
                                    [-dr DELETE_WATCHLIST_REPORT]
                                    [--update-ioc-query UPDATE_IOC_QUERY]

optional arguments:
  -h, --help            show this help message and exit
  -lw, --list-watchlists
                        List all watchlists.
  -w GET_WATCHLIST, --get-watchlist GET_WATCHLIST
                        Get watchlist by ID.
  -wr GET_WATCHLIST_REPORT, --get-watchlist-report GET_WATCHLIST_REPORT
                        Get a watchlist report by report ID.
  -wn WATCHLIST_NAME_SEARCH, --watchlist-name-search WATCHLIST_NAME_SEARCH
                        Search for watchlists by name.
  -dr DELETE_WATCHLIST_REPORT, --delete-watchlist-report DELETE_WATCHLIST_REPORT
                        Delete watchlist report by ID.
  --update-ioc-query UPDATE_IOC_QUERY
                        Update a query IOC for the given report ID/IOC id.
                        format: report_id/ioc_id
Example: Update a Watchlist Report IOC Query

Here is an example of updating a query IOC in a watchlist report with report ID '0KspU7cfSQ4S4WgsNl7Wg'.

If I do not know the IOC ID of the QueryIOC in the report, I can list the report:

cbinterface intel watchlists -wr 0KspU7cfSQ4S4WgsNl7Wg

------------------------- INTEL REPORT -------------------------
	id: 0KspU7cfSQ4S4WgsNl7Wg
	timestamp: 1617406997
	title: ACE_explorer_cmd_schtasks
	description: Legacy Cb Response Watchlist Description: utilized in CVE-2017-0199
	severity: 5
	link: None
	tags: ['response_migrated_watchlist']
	iocs: None
	iocs_total_count: 1
	visibility: None
	ignored: False
	iocs_v2: 
		id: 1
		match_type: query
		field: None
		link: None
		ignored: False
		ioc_value: (parent_name:explorer.exe process_name:cmd.exe childproc_name:schtasks.exe) -enriched:true

So there is just one IOC in this report. We can edit the query like so:

$ cbinterface intel watchlists --update-ioc-query 0KspU7cfSQ4S4WgsNl7Wg/1
Enter new query: (parent_name:explorer.exe process_name:cmd.exe childproc_name:schtasks.exe -childproc_name:admin-tool1.exe) -enriched:true 
2021-04-05 20:35:19 analysis cbinterface.psc.cli[6386] INFO Query IOC ID=1 of report ID=7cfS4WgsQ0KspU4SNl7Wg successfully updated.

The Carbon Black Cloud server will return an error if the new query does not validate and the Report IOC will not be updated.

Feeds

Get information on the Intel Feeds configured for your Carbon Black PSC environments.

$ cbinterface intel feeds -h
usage: cbinterface intel feeds [-h] [-lf] [-f GET_FEED] [-fr GET_FEED_REPORT]

optional arguments:
  -h, --help            show this help message and exit
  -lf, --list-feeds     List all Feeds, public included.
  -f GET_FEED, --get-feed GET_FEED
                        Get Feed by ID. WARNING: Can return a lot of data
  -s SEARCH_FOR_FEED, --search-for-feed SEARCH_FOR_FEED
                        Search the Feeds for feed names containing this value.
  -fr GET_FEED_REPORT, --get-feed-report GET_FEED_REPORT
                        Get specific Report from specific Feed. format:
                        feed_id/report_id

Feed Examples

List feeds and grep to only see their names:

$ cbinterface intel feeds -l | grep name
                    name: Tor Exit Nodes
                    name: Titan Pusher
                    name: US Cybercom Malware Alert
                    name: Carbon Black SANS
                    name: ATT&CK Framework
                    name: Carbon Black Known IOCs
                    name: RedBeard Richard & The Cats
                    name: AMSI Threat Intelligence
                    name: Carbon Black Endpoint Suspicious Indicators
                    name: Carbon Black Early Access Indicators
                    name: Carbon Black Advanced Threats
                    name: Carbon Black Endpoint Visibility
                    name: Carbon Black Community
                    name: Carbon Black TOR
                    name: Carbon Black AlienVault
                    name: Carbon Black Facebook ThreatExchange
Search for a feed by name:

$ cbinterface intel feeds -s 'Advanced'
Feed object, bound to https://defense-prod05.conferdeploy.net.
-------------------------------------------------------------------------------

                  access: public
                category: Carbon Black First Party
                      id: PcpQGKFh5MLRtOE4BT3tQ
                    name: Carbon Black Advanced Threats
                   owner: Carbon Black
            provider_url: https://www.carbonblack.com
            source_label: Carbon Black
                 summary: This watchlist is a list of high-confidence thr...

Export a Feed to JSON

When using the --json argument, JSON-formatted results are written to standard output.

Below is an example of exporting a feed to JSON and using the jq tool to pull the title of the report at index 3 (the fourth report, since jq arrays are zero-indexed):

$ cbinterface intel --json feeds -f PcpQGKFh5MLRtOE4BT3tQ | jq '.reports[3].title'
"Defense Evasion - Signed Binary Proxy Execution - GPScript"

Alerts

An argument could be made that alerts belong outside the intel command, since alerts are detections; however, they are also signals. I treat them as intel, so here they are:

$ cbinterface intel alerts -h
usage: cbinterface intel alerts [-h] [-g GET_ALERT] [-d DISMISS_ALERT]
                                [-o OPEN_ALERT]
                                [-u INTERACTIVELY_UPDATE_ALERT]
                                [-r REMEDIATION_STATE] [-c COMMENT]
                                {search} ...

positional arguments:
  {search}
    search              Search Alerts with lucene syntax queries and/or value
                        searches.

optional arguments:
  -h, --help            show this help message and exit
  -g GET_ALERT, --get-alert GET_ALERT
                        Get a specific Alert by ID.
  -d DISMISS_ALERT, --dismiss-alert DISMISS_ALERT
                        Dismiss an Alert by ID.
  -o OPEN_ALERT, --open-alert OPEN_ALERT
                        Open an Alert by ID.
  -u INTERACTIVELY_UPDATE_ALERT, --interactively-update-alert INTERACTIVELY_UPDATE_ALERT
                        Update Alert by ID.
  -r REMEDIATION_STATE, --remediation-state REMEDIATION_STATE
                        An Alert remediation state to use with any state
                        change actions.
  -c COMMENT, --comment COMMENT
                        An Alert comment to use with any state change actions.

Example: Search for Alerts

The search queries support Lucene syntax and/or value searches.

In this example, I search to see if there are any alerts for a particular hostname I'm interested in. I only want the last seven days and only "OPEN" alerts. I also exclude alerts with a severity of 1 (just an example). Finally, I'm particularly interested in persistence, so I broadly search for that word. The output is JSON by default, so I pipe it to jq and filter the results down to the alert reason field.

$ cbinterface intel alerts search 'device_name:computer7 severity:[2 TO *] Persistence' -cr 7d -as OPEN  | jq '.results[].reason'
"Process lsass.exe was detected by the report \"Persistence - Create Accounts Using GUI\" in watchlist \"ATT&CK Framework\""
"Process lsass.exe was detected by the report \"Persistence - Create Accounts Using GUI\" in watchlist \"ATT&CK Framework\""

If I'm performing an investigation on a host, this could be a lead and I may want to investigate these processes.

Example: Dismiss Alerts in Bulk

In this example I query for alerts, filter the results for the alert IDs, and feed those results back into a new cbinterface session with instructions to read alert IDs from standard input and dismiss those alerts as false positives with a comment.

$ cbinterface intel alerts search 'device_name:computer7 severity:2 process_name:stagentsvc.exe' -cr 7d -as OPEN   | jq '.results[].id' | cbinterface intel alerts --from-stdin -d -r 'FALSE_POSITVE' -c 'This is Netskope'
[
  {
    "state": "DISMISSED",
    "remediation": "FALSE_POSITVE",
    "last_update_time": "2021-04-06T02:31:09.229Z",
    "comment": "This is Netskope",
    "changed_by": "93GFYY2CSB"
  },
  {
    "state": "DISMISSED",
    "remediation": "FALSE_POSITVE",
    "last_update_time": "2021-04-06T02:31:11.018Z",
    "comment": "This is Netskope",
    "changed_by": "93GFYY2CSB"
  },
...
REMOVED MORE RESULTS
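The two alert examples above (summarising reasons with jq, then piping IDs back into `--from-stdin -d`) dismiss whatever the search returns. The following added example, which is not cbinterface2's own code, re-checks each alert in the search JSON before emitting IDs for dismissal; it assumes the output shape shown on this page ("results" with "id" and "reason") plus the "severity" and "process_name" fields the page's queries filter on, and the sample data is constructed.

```python
# Added example (not cbinterface2's own code): guarded triage of the JSON that
# `cbinterface intel alerts search` prints, before piping IDs into `--from-stdin -d`.
# Assumed shape: "results" list with "id", "reason", "severity" and "process_name".
import json
import sys
from collections import Counter

# Constructed sample modelled on the page's search output; IDs and reasons are fake.
REASON_A = 'Process stagentsvc.exe was detected by the report "Constructed A"'
REASON_B = ('Process lsass.exe was detected by the report "Persistence - Create '
            'Accounts Using GUI" in watchlist "ATT&CK Framework"')
SAMPLE_SEARCH_OUTPUT = json.dumps({"results": [
    {"id": "ALERT-0001", "severity": 2, "process_name": "stagentsvc.exe", "reason": REASON_A},
    {"id": "ALERT-0002", "severity": 2, "process_name": "STAgentSvc.exe", "reason": REASON_A},
    {"id": "ALERT-0003", "severity": 2, "process_name": "lsass.exe", "reason": REASON_B},
    {"id": "ALERT-0004", "severity": 5, "process_name": "stagentsvc.exe", "reason": REASON_A},
]})


def reasons_summary(search_json: str) -> Counter:
    """De-duplicated view of `jq '.results[].reason'`: each distinct reason and its count."""
    results = json.loads(search_json).get("results", [])
    return Counter(alert.get("reason", "") for alert in results)


def select_dismissal_ids(search_json: str, process_name: str,
                         max_severity: int, max_count: int) -> list:
    """Pick the alert IDs that are safe to dismiss as the known benign process.
    A search query may return more than intended, so each alert is re-checked:
    exact (case-insensitive) process_name and severity at or below max_severity.
    Exceeding max_count raises instead of silently mass-dismissing.
    """
    chosen = []
    for alert in json.loads(search_json).get("results", []):
        if alert.get("process_name", "").lower() != process_name.lower():
            continue  # a different process triggered this alert; leave it for review
        if int(alert.get("severity", 99)) > max_severity:
            continue  # higher severity than the expected false positive
        chosen.append(alert["id"])
    if len(chosen) > max_count:
        raise ValueError(f"{len(chosen)} alerts selected, above cap {max_count}; narrow the query")
    return chosen


if __name__ == "__main__":
    # One JSON string per line, the same form `jq '.results[].id'` produces on this page,
    # so the output can be piped into `cbinterface intel alerts --from-stdin -d ...`.
    for alert_id in select_dismissal_ids(sys.stdin.read(), "stagentsvc.exe", 2, 50):
        print(json.dumps(alert_id))
```

Run it between the search and the dismissal in place of the `jq '.results[].id'` step, and raise the cap deliberately rather than removing it.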