Live Response API Migration
The Live Response v3 API (integrationServices/v3/cblr) will be deactivated on September 5, 2024.
Overview
This guide helps Carbon Black Cloud customers migrate from the v3 Live Response API to the v6 Live Response API.
In this document, you will find:
- A mapping of deprecated v3 API endpoints to new v6 API endpoints
- A mapping of deprecated v3 API schema to new v6 API schema
- New endpoints and fields specific to the v6 API
New Features
- List all sessions and get the status of a session - useful to determine whether a device has an active session, which informs the decision to use the existing session, close that session if work is complete, or create a new session
- Get all files metadata
- Disable Live Response - this disables Live Response permanently and will require the sensor to be reinstalled to re-enable Live Response - useful for a script to lock down / restrict access
- Get all commands executed during a session - useful to keep a detailed record of actions taken on a device
Guides and Resources
- v6 Live Response API Documentation
- v6 Live Response API Schema
- API Migration Guide
- Carbon Black Cloud Python SDK Migration Guide
- After migrating, learn how to increase security by removing unused API keys
Authorization Changes
The new v6 Live Response APIs use role-based access control (RBAC) to enforce least privilege, so that an API key is granted only the permissions it needs.
Grant the API key only those of the following permissions that the API operations to be performed require.
- org.liveresponse
- org.liveresponse.files
- org.liveresponse.memdump
- org.liveresponse.process
- org.liveresponse.registry
- org.liveresponse.session
API Endpoints
v3 API Endpoint Equivalencies and new v6 API Endpoints
Operation | Legacy v3 Integration Services CBLR | New v6 Live Response |
---|---|---|
Start Session | POST {cbc-hostname}/integrationServices/v3/cblr/session/{device_id} | POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions |
Get Session By ID | GET {cbc-hostname}/integrationServices/v3/cblr/session/{session_id} | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id} |
Get All Sessions | New in v6 | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions |
Close Session | POST {cbc-hostname}/integrationServices/v3/cblr/session | DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id} |
Disable Live Response | New in v6 | POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/kill |
Get All Files Metadata | New in v6 | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files |
Get File Metadata | POST {cbc-hostname}/integrationServices/v3/cblr/session/{id}/file/{file_id} | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id} |
Get File Content | POST {cbc-hostname}/integrationServices/v3/cblr/session/{id}/file/{file_id}/content | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id}/content |
Upload File to Carbon Black Cloud | POST {cbc-hostname}/integrationServices/v3/cblr/session/{id}/file | POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files |
Delete File | Previously in the Command object | DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/files/{file_id} |
Get Commands List | New in v6 | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands |
Issue Command | POST {cbc-hostname}/integrationServices/v3/cblr/session/{id}/command | POST {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands |
Retrieve Command Status | POST {cbc-hostname}/integrationServices/v3/cblr/session/{id}/command/{cmdid} | GET {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id} |
Cancel Command | Previously in the Command object | DELETE {cbc-hostname}/appservices/v6/orgs/{org_key}/liveresponse/sessions/{session_id}/commands/{command_id} |
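The endpoint table above can be applied mechanically to find integrations that still call v3. The following is an added example, not code from Carbon Black or its SDK: `to_v6` and `audit` are hypothetical helpers, and the `<api_id> <METHOD> <path>` log format, API IDs and org key are constructed for illustration.

```python
import re

V3 = "/integrationServices/v3/cblr/session"
V6 = "/appservices/v6/orgs/{org_key}/liveresponse/sessions"
ID = r"/([^/]+)"

# (v3 method, v3 path suffix regex, v6 method, v6 path suffix), from the table above.
RULES = [
    ("POST", ID + "/file" + ID + "/content", "GET", "/{0}/files/{1}/content"),
    ("POST", ID + "/file" + ID, "GET", "/{0}/files/{1}"),
    ("POST", ID + "/file", "POST", "/{0}/files"),
    ("POST", ID + "/command" + ID, "GET", "/{0}/commands/{1}"),
    ("POST", ID + "/command", "POST", "/{0}/commands"),
    ("GET", ID, "GET", "/{0}"),
    ("POST", ID, "POST", ""),  # Start Session: the device ID is no longer in the path
    ("POST", "", "DELETE", "/{{session_id}}"),  # Close Session: v3 path had no ID
]

def to_v6(method, path, org_key):
    """Return (v6_method, v6_path) for a v3 Live Response call, else None."""
    _, found, rest = path.split("?", 1)[0].rstrip("/").partition(V3)
    if not found:
        return None
    for v3_method, pattern, v6_method, template in RULES:
        m = re.fullmatch(pattern, rest)
        if m and method.upper() == v3_method:
            return v6_method, V6.format(org_key=org_key) + template.format(*m.groups())
    return None

def audit(log_lines, org_key):
    """Map each API ID to the sorted list of v3 -> v6 rewrites it still needs."""
    todo = {}
    for line in log_lines:
        parts = line.split()
        v6 = to_v6(parts[1], parts[2], org_key) if len(parts) >= 3 else None
        if v6:
            todo.setdefault(parts[0], set()).add(f"{parts[1]} {parts[2]} -> {v6[0]} {v6[1]}")
    return {api_id: sorted(calls) for api_id, calls in todo.items()}

# Constructed sample lines in the assumed "<api_id> <METHOD> <path>" format.
SAMPLE = [
    "APIID0001 POST /integrationServices/v3/cblr/session/4321",
    "APIID0001 POST /integrationServices/v3/cblr/session/77:4321/command/3",
    "APIID0002 GET /appservices/v6/orgs/ORGKEY/liveresponse/sessions",
    "APIID0001 POST /integrationServices/v3/cblr/session",
]

if __name__ == "__main__":
    print(audit(SAMPLE, "ORGKEY"))
```

The `{session_id}` left in the Close Session result is a placeholder: the v3 path does not contain the session ID, so the caller has to supply it when building the v6 `DELETE` request.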
Schema Changes
The following table contains the new fields available when migrating to the v6 Live Response API. The fields or sub-fields not captured here remain the same for their respective API endpoints.
Affected Endpoints | Legacy v3 API | New v6 API |
---|---|---|
All API Endpoints | sensor_id | device_id |
Process Command | username | process_username |
Process Command | path | process_path |
Process Command | pid | process_pid |
Process Command | command_line | process_cmdline |
Process Command | parent | parent_pid |
Registry Command | valueType | value_type |
Registry Command | valueData | value_data |
Registry Command | valueName | value_name |
For the full v6 Schema Definition, see the v6 Live Response Schema Documentation.
Carbon Black Cloud Python SDK Migration
Version 1.3.0 of the Carbon Black Cloud Python SDK supports the new v6 Live Response API.
Live Response documentation in the SDK can be found in the SDK Read The Docs.
The Migration Guide to update to SDK 1.3.0 or later from earlier versions is on Read The Docs.
Last modified on August 25, 2023