Intel & Detection - ace-ecosystem/cbinterface2 GitHub Wiki
Intel & Detection
For PSC, you can interface with several intel-based APIs. Take note of the --json argument here, which can be used when exporting Watchlist, Feed, and Alert data in the sub-commands shown below:
$ cbinterface intel -h
usage: cbinterface intel [-h] [--json] {watchlists,feeds,alerts,migrate} ...
positional arguments:
{watchlists,feeds,alerts,migrate}
watchlists Interface with PSC Watchlists.
feeds Interface with PSC Feeds.
alerts Interface with PSC Alerts.
migrate Utilities for migrating response watchlists to PSC EDR
intel.
optional arguments:
-h, --help show this help message and exit
--json Return results as JSON.
Watchlists
You can list all watchlists, search for watchlists by name, get a specific watchlist, get a specific watchlist report, delete a watchlist report, and update a watchlist report's query IOC. Watchlist and report data can be exported as JSON.
usage: cbinterface intel watchlists [-h] [-lw] [-w GET_WATCHLIST]
[-wr GET_WATCHLIST_REPORT]
[-dr DELETE_WATCHLIST_REPORT]
[--update-ioc-query UPDATE_IOC_QUERY]
optional arguments:
-h, --help show this help message and exit
-lw, --list-watchlists
List all watchlists.
-w GET_WATCHLIST, --get-watchlist GET_WATCHLIST
Get watchlist by ID.
-wr GET_WATCHLIST_REPORT, --get-watchlist-report GET_WATCHLIST_REPORT
Get a watchlist report by report ID.
-wn WATCHLIST_NAME_SEARCH, --watchlist-name-search WATCHLIST_NAME_SEARCH
Search for watchlists by name.
-dr DELETE_WATCHLIST_REPORT, --delete-watchlist-report DELETE_WATCHLIST_REPORT
Delete watchlist report by ID.
--update-ioc-query UPDATE_IOC_QUERY
Update a query IOC for the given report ID/IOC id.
format: report_id/ioc_id
Example: Update a Watchlist Report IOC Query
Here is an example of updating a query IOC in a Watchlist Report with report ID '0KspU7cfSQ4S4WgsNl7Wg'.
If I do not know the IOC ID of the query IOC in the report, I can list the report first:
cbinterface intel watchlists -wr 0KspU7cfSQ4S4WgsNl7Wg
------------------------- INTEL REPORT -------------------------
id: 0KspU7cfSQ4S4WgsNl7Wg
timestamp: 1617406997
title: ACE_explorer_cmd_schtasks
description: Legacy Cb Response Watchlist Description: utilized in CVE-2017-0199
severity: 5
link: None
tags: ['response_migrated_watchlist']
iocs: None
iocs_total_count: 1
visibility: None
ignored: False
iocs_v2:
id: 1
match_type: query
field: None
link: None
ignored: False
ioc_value: (parent_name:explorer.exe process_name:cmd.exe childproc_name:schtasks.exe) -enriched:true
So there is just one IOC in this report (iocs_total_count is 1 and iocs_v2 lists only id 1), and it is the query IOC we want. We can edit the query like so, passing the target as report_id/ioc_id:
$ cbinterface intel watchlists --update-ioc-query 0KspU7cfSQ4S4WgsNl7Wg/1
Enter new query: (parent_name:explorer.exe process_name:cmd.exe childproc_name:schtasks.exe -childproc_name:admin-tool1.exe) -enriched:true
2021-04-05 20:35:19 analysis cbinterface.psc.cli[6386] INFO Query IOC ID=1 of report ID=0KspU7cfSQ4S4WgsNl7Wg successfully updated.
The Carbon Black Cloud server will return an error if the new query does not validate, and the report IOC will not be updated. That validation is a syntax check only; confirm that the edited query still returns the events you expect before relying on it, since a query that parses but matches nothing is a silent detection gap.
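To make the same kind of edit repeatable, here is an added Python example (my own code, not part of cbinterface) that works on the report as exported with --json: it finds the query-type IOCs, parses the report_id/ioc_id target string the --update-ioc-query flag expects, and inserts an exclusion clause into the first parenthesised group of the query after checking that the parentheses balance. The report dict is constructed from the listing above and only carries the fields the example reads (iocs_v2, match_type, ioc_value); the parenthesis check is a local pre-flight check, the server still validates the final query.

```python
import json

# Constructed sample: the report listed above, in the shape `--json` exports it
# (only the fields this example reads; not data fetched from the API).
SAMPLE_REPORT = json.loads("""
{
  "id": "0KspU7cfSQ4S4WgsNl7Wg",
  "title": "ACE_explorer_cmd_schtasks",
  "iocs_total_count": 1,
  "iocs_v2": [
    {"id": "1", "match_type": "query", "field": null, "ignored": false,
     "ioc_value": "(parent_name:explorer.exe process_name:cmd.exe childproc_name:schtasks.exe) -enriched:true"}
  ]
}
""")


def find_query_iocs(report):
    """Return (ioc_id, query) pairs for every query-type IOC in a report dict."""
    return [
        (ioc["id"], ioc["ioc_value"])
        for ioc in report.get("iocs_v2") or []
        if ioc.get("match_type") == "query"
    ]


def parse_target(target):
    """Split the 'report_id/ioc_id' string that --update-ioc-query expects."""
    report_id, sep, ioc_id = target.partition("/")
    if not sep or not report_id or not ioc_id:
        raise ValueError(f"expected report_id/ioc_id, got {target!r}")
    return report_id, ioc_id


def balanced(query):
    """True when every '(' in the query has a matching ')' (a cheap pre-flight check)."""
    depth = 0
    for ch in query:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def add_exclusion(query, field, value):
    """Insert '-field:value' inside the first parenthesised group of the query.

    '(a b) -enriched:true' becomes '(a b -field:value) -enriched:true'. If the
    query has no leading group, the clause is appended. The edit is idempotent.
    """
    clause = f"-{field}:{value}"
    if not balanced(query):
        raise ValueError("refusing to edit a query with unbalanced parentheses")
    # Tokens may carry parentheses, e.g. '-x:y)'; strip them before comparing.
    if clause in (tok.strip("()") for tok in query.split()):
        return query
    if not query.startswith("("):
        return f"{query} {clause}"
    depth = 0
    for i, ch in enumerate(query):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:  # closing paren of the first group
                return f"{query[:i]} {clause}{query[i:]}"
    return f"{query} {clause}"  # not reached for a balanced query


if __name__ == "__main__":
    report_id, ioc_id = parse_target("0KspU7cfSQ4S4WgsNl7Wg/1")
    for found_id, query in find_query_iocs(SAMPLE_REPORT):
        if found_id == ioc_id:
            print(add_exclusion(query, "childproc_name", "admin-tool1.exe"))
```

The printed query is exactly the one typed at the "Enter new query:" prompt above, so the output can be pasted into the interactive update or fed to it from a script.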
Feeds
Get information on the Intel Feeds configured for your Carbon Black PSC environments.
$ cbinterface intel feeds -h
usage: cbinterface intel feeds [-h] [-lf] [-f GET_FEED] [-fr GET_FEED_REPORT]
optional arguments:
-h, --help show this help message and exit
-lf, --list-feeds List all Feeds, public included.
-f GET_FEED, --get-feed GET_FEED
Get Feed by ID. WARNING: Can return a lot of data
-s SEARCH_FOR_FEED, --search-for-feed SEARCH_FOR_FEED
Search the Feeds for feed names containing this value.
-fr GET_FEED_REPORT, --get-feed-report GET_FEED_REPORT
Get specific Report from specific Feed. format:
feed_id/report_id
Feed Examples
List feeds and grep to see only their names (the flag is -lf, as in the help above):
$ cbinterface intel feeds -lf | grep name
name: Tor Exit Nodes
name: Titan Pusher
name: US Cybercom Malware Alert
name: Carbon Black SANS
name: ATT&CK Framework
name: Carbon Black Known IOCs
name: RedBeard Richard & The Cats
name: AMSI Threat Intelligence
name: Carbon Black Endpoint Suspicious Indicators
name: Carbon Black Early Access Indicators
name: Carbon Black Advanced Threats
name: Carbon Black Endpoint Visibility
name: Carbon Black Community
name: Carbon Black TOR
name: Carbon Black AlienVault
name: Carbon Black Facebook ThreatExchange
Search for a feed by name:
$ cbinterface intel feeds -s 'Advanced'
Feed object, bound to https://defense-prod05.conferdeploy.net.
-------------------------------------------------------------------------------
access: public
category: Carbon Black First Party
id: PcpQGKFh5MLRtOE4BT3tQ
name: Carbon Black Advanced Threats
owner: Carbon Black
provider_url: https://www.carbonblack.com
source_label: Carbon Black
summary: This watchlist is a list of high-confidence thr...
Export a Feed to JSON
When using the --json argument, JSON formatted results are sent to standard out.
Below is an example of exporting a feed to JSON and using the jq tool to filter for the title of the report at index 3. jq arrays are zero-indexed, so this is the fourth report in the feed, not the third:
$ cbinterface intel --json feeds -f PcpQGKFh5MLRtOE4BT3tQ | jq '.reports[3].title'
"Defense Evasion - Signed Binary Proxy Execution - GPScript"
Alerts
An argument could be made that alerts belong outside of the intel command section, as alerts are detections; however, they're also signals. I treat them as intel, so here they are:
$ cbinterface intel alerts -h
usage: cbinterface intel alerts [-h] [-g GET_ALERT] [-d DISMISS_ALERT]
[-o OPEN_ALERT]
[-u INTERACTIVELY_UPDATE_ALERT]
[-r REMEDIATION_STATE] [-c COMMENT]
{search} ...
positional arguments:
{search}
search Search Alerts with lucene syntax queries and/or value
searches.
optional arguments:
-h, --help show this help message and exit
-g GET_ALERT, --get-alert GET_ALERT
Get a specific Alert by ID.
-d DISMISS_ALERT, --dismiss-alert DISMISS_ALERT
Dismiss an Alert by ID.
-o OPEN_ALERT, --open-alert OPEN_ALERT
Open an Alert by ID.
-u INTERACTIVELY_UPDATE_ALERT, --interactively-update-alert INTERACTIVELY_UPDATE_ALERT
Update Alert by ID.
-r REMEDIATION_STATE, --remediation-state REMEDIATION_STATE
An Alert remediation state to use with any state
change actions.
-c COMMENT, --comment COMMENT
An Alert comment to use with any state change actions.
Example: Search for Alerts
The search queries support Lucene syntax and/or value searches.
In this example, I search for alerts on a particular hostname I'm interested in. I only want the last seven days and only "OPEN" alerts, and I don't care about alerts with a severity of 1 (just an example). Finally, I'm particularly interested in persistence, so I broadly search for that word. The output is JSON by default, so I pipe it to jq and filter the results for the alert reason field.
$ cbinterface intel alerts search 'device_name:computer7 severity:[2 TO *] Persistence' -cr 7d -as OPEN | jq '.results[].reason'
"Process lsass.exe was detected by the report \"Persistence - Create Accounts Using GUI\" in watchlist \"ATT&CK Framework\""
"Process lsass.exe was detected by the report \"Persistence - Create Accounts Using GUI\" in watchlist \"ATT&CK Framework\""
If I'm performing an investigation on a host, this could be a lead and I may want to investigate these processes.
Example: Dismiss Alerts in Bulk
In this example I query for alerts, filter the results down to the alert IDs, and feed those IDs back into a new cbinterface session with instructions to read alert IDs from standard input and dismiss those alerts as false positives with a comment. Run the search on its own first and review the IDs, because every ID that arrives on standard input is dismissed without a confirmation step.
$ cbinterface intel alerts search 'device_name:computer7 severity:2 process_name:stagentsvc.exe' -cr 7d -as OPEN | jq '.results[].id' | cbinterface intel alerts --from-stdin -d -r 'FALSE_POSITVE' -c 'This is Netskope'
[
{
"state": "DISMISSED",
"remediation": "FALSE_POSITVE",
"last_update_time": "2021-04-06T02:31:09.229Z",
"comment": "This is Netskope",
"changed_by": "93GFYY2CSB"
},
{
"state": "DISMISSED",
"remediation": "FALSE_POSITVE",
"last_update_time": "2021-04-06T02:31:11.018Z",
"comment": "This is Netskope",
"changed_by": "93GFYY2CSB"
},
...
REMOVED MORE RESULTS
Note that the misspelt remediation state FALSE_POSITVE was accepted and written to every dismissed alert exactly as typed, so the server does not check that value against a fixed list. Check the remediation string and the comment before running a bulk dismissal, since a typo ends up on every alert it touches.
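Before feeding IDs back in, I want to tighten the selection locally and catch mistakes like the misspelt remediation state above. The following is an added Python example of such a pre-flight gate; it is my own code and not part of cbinterface. The search results are constructed to look like the page's JSON output and carry only the fields the example reads (device_name, severity, process_name, state, id, mirroring the search terms used above); the ALLOWED_REMEDIATION set is an assumed team convention, not a list the server enforces, which is exactly why the check has to live on the client side.

```python
import json

# Constructed sample shaped like `cbinterface intel alerts search ... --json`
# output (a subset of fields; not real alert data).
SAMPLE_SEARCH = json.loads("""
{"results": [
  {"id": "a1", "device_name": "computer7", "severity": 2, "process_name": "stagentsvc.exe", "state": "OPEN"},
  {"id": "a2", "device_name": "computer7", "severity": 2, "process_name": "stagentsvc.exe", "state": "OPEN"},
  {"id": "a3", "device_name": "computer7", "severity": 5, "process_name": "stagentsvc.exe", "state": "OPEN"},
  {"id": "a4", "device_name": "computer8", "severity": 2, "process_name": "stagentsvc.exe", "state": "OPEN"},
  {"id": "a5", "device_name": "computer7", "severity": 2, "process_name": "stagentsvc.exe", "state": "DISMISSED"}
]}
""")

# Assumed allowlist of remediation labels for this team. The page shows the server
# stored the misspelt 'FALSE_POSITVE' verbatim, so spelling is checked here.
ALLOWED_REMEDIATION = {"FALSE_POSITIVE", "TRUE_POSITIVE", "NO_ACTION"}


def select_alert_ids(search_json, *, device_name, process_name, max_severity=2):
    """Re-apply the search criteria locally and return only the IDs that match.

    Server-side search is broad (free text matches any field), so this keeps a
    bulk action from touching alerts that merely mention the host or process.
    """
    ids = []
    for alert in search_json.get("results", []):
        if alert.get("state") != "OPEN":
            continue
        if alert.get("device_name") != device_name:
            continue
        if alert.get("process_name") != process_name:
            continue
        if int(alert.get("severity", 0)) > max_severity:
            continue
        ids.append(alert["id"])
    return ids


def build_dismissal(alert_ids, remediation, comment):
    """Return one update record per alert, refusing bad labels, empty comments or empty ID lists."""
    if remediation not in ALLOWED_REMEDIATION:
        raise ValueError(
            f"unknown remediation {remediation!r}; allowed: {sorted(ALLOWED_REMEDIATION)}"
        )
    if not comment.strip():
        raise ValueError("a bulk dismissal needs a comment explaining why")
    if not alert_ids:
        raise ValueError("no alert IDs selected; refusing to run an empty dismissal")
    return [
        {"id": alert_id, "state": "DISMISSED", "remediation": remediation, "comment": comment}
        for alert_id in alert_ids
    ]


if __name__ == "__main__":
    ids = select_alert_ids(SAMPLE_SEARCH, device_name="computer7", process_name="stagentsvc.exe")
    for record in build_dismissal(ids, "FALSE_POSITIVE", "This is Netskope"):
        print(json.dumps(record))
    # A typo in the label is caught before anything reaches the server:
    try:
        build_dismissal(ids, "FALSE_POSITVE", "This is Netskope")
    except ValueError as err:
        print("rejected:", err)
```

Running the gate first and printing the IDs gives a reviewable list; only after that list looks right would the IDs be piped into cbinterface intel alerts --from-stdin -d with the checked remediation label and comment.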