Response Only Functionality - ace-ecosystem/cbinterface2 GitHub Wiki

Query Sensors (Response only)

Query for Carbon Black Response sensors. In the session below, sq is the short alias for the sensor-query subcommand, as the usage line shows.

$ cbinterface sq -h
usage: cbinterface sensor-query [-h] [-nw] [-ad] sensor_query

positional arguments:
  sensor_query        the sensor query you'd like to execute

optional arguments:
  -h, --help          show this help message and exit
  -nw, --no-warnings  Don't warn before printing large query results
  -ad, --all-details  Print all available process info (all fields).

Example

$ cbinterface sensor-query hostname:computer012550
2021-02-10 04:12:43 analysis cbinterface.cli[9812] INFO searching acmecomp environment for sensor query: hostname:computer012550...
2021-02-10 04:12:43 analysis cbinterface.sensor[9812] INFO got 1 sensor results.

------------------------- SENSOR RESULTS -------------------------

Sensor object - https://carbonblack.acmecomp/#/host/30182
-------------------------------------------------------------------------------
	cb_build_version_string: 006.001.009.81012
	computer_sid: S-1-5-21-3617190964-3928019601-2880162275
	computer_dns_name: computer012550.zone.acmecomp
	computer_name: computer012550
	os_environment_display_string: Windows 10 Enterprise, 64-bit
	physical_memory_size: 8317603840
	systemvolume_free_size: 178565648384
	systemvolume_total_size: 254356221952

	status: Online
	is_isolating: False
	sensor_id: 30182
	last_checkin_time: 2021-02-10 04:11:39.846926-05:00
	next_checkin_time: 2021-02-10 04:12:40.846005-05:00
	sensor_health_message: Very high event loss
	sensor_health_status: 80
	network_interfaces:
		NetworkAdapter(macaddr='4c:1d:96:78:fc:21', ipaddr='172.19.8.185')
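
As an added example (not cbinterface2's own code), the following Python parses the SENSOR RESULTS block in the output shown above into one dict per sensor and triages each one for the conditions a responder checks first: status not Online, is_isolating set, a low sensor_health_status, or a stale last_checkin_time. The health threshold of 90, the 15-minute check-in window, the reference time NOW (taken from the log line's timestamp and assumed to be in the same UTC-5 zone as the sensor times), and the second sensor (host 30999) in the sample are assumptions made here, not values from the page.

```python
"""Parse the SENSOR RESULTS block that `cbinterface sensor-query` prints and
triage each sensor (offline, isolated, unhealthy, or stale check-in).
Added example; not part of cbinterface2."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the wiki's sensor-query output. The first
# sensor is the wiki's own example; the second (host 30999) is made up here to
# exercise the offline / isolated / stale branches.
SAMPLE_OUTPUT = """\
------------------------- SENSOR RESULTS -------------------------

Sensor object - https://carbonblack.acmecomp/#/host/30182
-------------------------------------------------------------------------------
\tcb_build_version_string: 006.001.009.81012
\tcomputer_name: computer012550
\tos_environment_display_string: Windows 10 Enterprise, 64-bit

\tstatus: Online
\tis_isolating: False
\tsensor_id: 30182
\tlast_checkin_time: 2021-02-10 04:11:39.846926-05:00
\tnext_checkin_time: 2021-02-10 04:12:40.846005-05:00
\tsensor_health_message: Very high event loss
\tsensor_health_status: 80
\tnetwork_interfaces:
\t\tNetworkAdapter(macaddr='4c:1d:96:78:fc:21', ipaddr='172.19.8.185')

Sensor object - https://carbonblack.acmecomp/#/host/30999
-------------------------------------------------------------------------------
\tcomputer_name: computer099999
\tstatus: Offline
\tis_isolating: True
\tsensor_id: 30999
\tlast_checkin_time: 2021-02-09 03:00:00.000000-05:00
\tsensor_health_message: Healthy
\tsensor_health_status: 100
\tnetwork_interfaces:
\t\tNetworkAdapter(macaddr='00:11:22:33:44:55', ipaddr='10.0.0.25')
"""

# Reference time: the timestamp of the wiki's log line, assumed (here) to be in
# the same UTC-5 zone that the sensor check-in times are printed in.
NOW = datetime(2021, 2, 10, 4, 12, 43, tzinfo=timezone(timedelta(hours=-5)))

ADAPTER_RE = re.compile(r"NetworkAdapter\(macaddr='([^']*)', ipaddr='([^']*)'\)")
INT_KEYS = {"sensor_id", "sensor_health_status", "physical_memory_size",
            "systemvolume_free_size", "systemvolume_total_size"}
BOOL_KEYS = {"is_isolating"}
TIME_KEYS = {"last_checkin_time", "next_checkin_time"}


def _coerce(key, value):
    """Turn the printed string into a typed value for the keys we reason about."""
    if key in INT_KEYS:
        return int(value)
    if key in BOOL_KEYS:
        return value == "True"
    if key in TIME_KEYS:
        return datetime.fromisoformat(value)
    return value


def parse_sensor_results(text):
    """Return one dict per 'Sensor object' block: tab-indented 'key: value'
    lines become keys, doubly indented NetworkAdapter(...) lines become a list."""
    sensors, current = [], None
    for line in text.splitlines():
        if line.startswith("Sensor object - "):
            current = {"url": line.split(" - ", 1)[1].strip(), "network_interfaces": []}
            sensors.append(current)
        elif current is None or not line.startswith("\t"):
            continue  # banner, dashed rule, or blank separator line
        elif line.startswith("\t\t"):
            m = ADAPTER_RE.search(line)
            if m:
                current["network_interfaces"].append(
                    {"macaddr": m.group(1), "ipaddr": m.group(2)})
        else:
            key, sep, value = line.strip().partition(":")
            if sep and key != "network_interfaces":
                current[key] = _coerce(key, value.strip())
    return sensors


def triage_sensor(sensor, now, min_health=90, max_checkin_age=timedelta(minutes=15)):
    """Return human-readable findings for one sensor; an empty list means nothing to act on.
    min_health and max_checkin_age are assumed thresholds, not cbinterface defaults."""
    findings = []
    if sensor.get("status") != "Online":
        findings.append(f"status is {sensor.get('status')}")
    if sensor.get("is_isolating"):
        findings.append("sensor is network-isolated")
    health = sensor.get("sensor_health_status", 100)
    if health < min_health:
        findings.append(f"health {health} < {min_health} ({sensor.get('sensor_health_message', '')})")
    last = sensor.get("last_checkin_time")
    if last is not None and now - last > max_checkin_age:
        findings.append(f"no check-in for {now - last}")
    return findings


def triage_output(text, now=NOW):
    """Map sensor_id -> findings for every sensor in a sensor-query result block."""
    return {s["sensor_id"]: triage_sensor(s, now) for s in parse_sensor_results(text)}


if __name__ == "__main__":
    for sensor_id, findings in triage_output(SAMPLE_OUTPUT).items():
        print(sensor_id, findings or ["ok"])
```

Run as-is it triages the embedded sample; to use it on live output, replace SAMPLE_OUTPUT with sys.stdin.read() and pipe cbinterface sensor-query output into it, passing datetime.now(timezone.utc) as now. For the wiki's own sensor the only finding is the health score with its "Very high event loss" message; the constructed offline sensor yields three.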

Response Watchlists

You can use the following to query, list, and export Carbon Black Response Watchlists.

$ cbinterface response_watchlist -h
usage: cbinterface response_watchlist [-h] [-l] [-q QUERY_WATCHLISTS] [-json]
                                      [--watchlist-names-from-stdin]

optional arguments:
  -h, --help            show this help message and exit
  -l, --list-watchlists
                        Print all watchlists.
  -q QUERY_WATCHLISTS, --query-watchlists QUERY_WATCHLISTS
                        filter watchlists by watchlist query
  -json, --watchlists-to-json
                        Convert watchlists to json and print to stdout.
  --watchlist-names-from-stdin
                        read a list of watchlist names from stdin to load.